Bug
Resolution: Unresolved
Major
4.16.z
Quality / Stability / Reliability
Important
Description of problem:
Unable to re-create a new kubeconfig file with the `admin-kubeconfig-client-ca` configMap
Version-Release number of selected component (if applicable):
4.16
How reproducible:
Always
Steps to Reproduce:
1. Customer tried extending the expiration date of their kubeconfig following - https://access.redhat.com/solutions/5286371
2. Changed the `expirationSeconds` to `315360000` ~10 years for CSR request
3.
Actual results:
This recreated a kubeconfig with a shorter certificate on top of the original one that had 10 years matching `admin-kubeconfig-client-ca` configMap in `openshift-config`
Expected results:
There should be a way to recover the kubeconfig file for system:admin (kubeconfig user) using the existing `admin-kubeconfig-client-ca` configMap in `openshift-config`
By default, the kubeconfig file for the `system:admin` user is set to 10 years on installation.
```
$ kubectl config view --kubeconfig=./kubeconfig --raw -o jsonpath='{.users[*].user.client-certificate-data}' | base64 -d | openssl
notBefore=Jul 29 17:26:34 2025 GMT
notAfter=Jul 27 17:26:35 2035 GMT

$ oc get cm admin-kubeconfig-client-ca -n openshift-config -o yaml
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDMDCCAhigAwIBAgIIKtUBXIcmW6gwDQYJKoZIhvcNAQELBQAwNjESMBAGA1UE
    ...
    wIhBeA==
    -----END CERTIFICATE-----
kind: ConfigMap

$ openssl x509 -noout -text -in ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3086374616548400040 (0x2ad5015c87265ba8)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = openshift, CN = admin-kubeconfig-signer
        Validity
            Not Before: Jul 29 17:26:34 2025 GMT
            Not After : Jul 27 17:26:34 2035 GMT
...
```
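A check an administrator could run before and after regenerating the kubeconfig, added here as an example that is not part of the original report: it extracts the embedded client certificate, reports its lifetime next to the CA's, and verifies it against a saved copy of `ca-bundle.crt`. The function names and file arguments are hypothetical, and it assumes `openssl`, `base64` and GNU `date` are available.

```shell
# Added example, not from the bug report. Function names are hypothetical.
# Requires openssl, base64 and GNU date.

# Print the first embedded client certificate of kubeconfig $1 as PEM.
extract_client_cert() {
  sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" \
    | head -n 1 | base64 -d
}

# Print the validity period (notAfter - notBefore) of PEM file $1 in whole days.
# For a bundle, openssl reads only the first certificate.
cert_lifetime_days() {
  start=$(openssl x509 -noout -startdate -in "$1" | cut -d= -f2)
  end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
  echo $(( ($(date -u -d "$end" +%s) - $(date -u -d "$start" +%s)) / 86400 ))
}

# Succeed only if certificate $1 verifies against CA bundle $2.
# An expired certificate also fails this check.
cert_signed_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Report on the client certificate in kubeconfig $1 against CA bundle $2,
# e.g. the ca-bundle.crt saved from admin-kubeconfig-client-ca.
# Returns 0 if the certificate chains to the bundle, 1 if not.
kubeconfig_cert_report() {
  tmp=$(mktemp) || return 2
  extract_client_cert "$1" > "$tmp"
  echo "subject:  $(openssl x509 -noout -subject -in "$tmp")"
  echo "lifetime: $(cert_lifetime_days "$tmp") days (CA: $(cert_lifetime_days "$2") days)"
  if cert_signed_by "$tmp" "$2"; then
    rc=0; echo "signer:   in CA bundle"
  else
    rc=1; echo "signer:   NOT in CA bundle"
  fi
  rm -f "$tmp"
  return $rc
}
```

After sourcing the file, `kubeconfig_cert_report ./kubeconfig ca.pem` prints the three lines; a lifetime far below the requested `expirationSeconds` shows that the signer issued a shorter certificate than the CSR asked for.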