Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: 4.20.0
Affects Version/s: 4.20.0
Component/s: kube-apiserver
Labels:
- feature-team-cert

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:

4.19.z, 4.20
Target Version:

4.20.0
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Before this update, the node-system-admin-signer's validity was limited to one year and was not extended or refreshed at 2.5 years, hindering the issuance of the node-system-admin-client for two years. In this update, the node-system-admin-signer's validity is now actively set to last for three years, allowing for the issuance of the node-system-admin-client during a two-year period. (link:https://issues.redhat.com/browse/OCPBUGS-59527[OCPBUGS-59527])
____
*Cause*: Target certificate lifetime depends on signer lifetime, so when target certificate is created it cannot be valid longer than the signer used to create it
*Consequence*: node-system-admin-client duration is set to 1 year instead of expected 2, so localhost-recovery.kubeconfig is valid for 1 year only
*Fix*: Signer validity extended to 3 years, so now node-system-admin-client validity is now set to two years as desired
*Result*: localhost-recovery.kubeconfig doesn't expire after 1 year and now valid for two years

Show
* Before this update, the node-system-admin-signer's validity was limited to one year and was not extended or refreshed at 2.5 years, hindering the issuance of the node-system-admin-client for two years. In this update, the node-system-admin-signer's validity is now actively set to last for three years, allowing for the issuance of the node-system-admin-client during a two-year period. (link: https://issues.redhat.com/browse/OCPBUGS-59527 [ OCPBUGS-59527 ]) ____ *Cause*: Target certificate lifetime depends on signer lifetime, so when target certificate is created it cannot be valid longer than the signer used to create it *Consequence*: node-system-admin-client duration is set to 1 year instead of expected 2, so localhost-recovery.kubeconfig is valid for 1 year only *Fix*: Signer validity extended to 3 years, so now node-system-admin-client validity is now set to two years as desired *Result*: localhost-recovery.kubeconfig doesn't expire after 1 year and now valid for two years

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    Target cert validity cannot be longer than signer validity. As a result, node-system-admin-client cannot be issued for 2 years as node-system-admin-signer is valid for 1 year only.
Signer validity should be extended to 3 years (and refreshed at 2.5 years)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

Expected results:

Additional info:

blocks

OCPBUGS-60495 Invalid target signer validity is preventing from issuing node-system-admin-client for 2 years

Closed

is cloned by

OCPBUGS-60495 Invalid target signer validity is preventing from issuing node-system-admin-client for 2 years

Closed

links to

openshift/cluster-kube-apiserver-operator#1872: OCPBUGS-59527: certrotationcontroller: extend node-system-admin-signer lifetime

Assignee:: Vadim Rutkovsky

Reporter:: Vadim Rutkovsky

Need Info From:: None

Contributors:: None

QA Contact:: Ke Wang

Doc Contact:: None

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/07/18 9:00 AM

Updated:: 2025/10/01 2:57 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide