Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: 4.19.z
Affects Version/s: 4.20.0
Component/s: kube-apiserver
Labels:
- feature-team-cert
- pre-merge-tested

Work Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.19.z
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
In Progress
Release Note Type:
Bug Fix
Release Note Text:

Hide
Before this update, a limitation prevented a certificate's validity from exceeding that of the signer. This impacted the localhost-recovery.kubeconfig file, as the node-system-admin-client certificate was incorrectly generated with a one-year lifespan instead of the intended two years, causing the premature expiration of the kubeconfig. With this release, the signer certificate's validity is exteneded to three years, ensuring the node-system-admin-client certificate now has a two-year lifespan. (link:https://issues.redhat.com/browse/OCPBUGS-60595[~~OCPBUGS-55783~~])

Show
Before this update, a limitation prevented a certificate's validity from exceeding that of the signer. This impacted the localhost-recovery.kubeconfig file, as the node-system-admin-client certificate was incorrectly generated with a one-year lifespan instead of the intended two years, causing the premature expiration of the kubeconfig. With this release, the signer certificate's validity is exteneded to three years, ensuring the node-system-admin-client certificate now has a two-year lifespan. (link: https://issues.redhat.com/browse/OCPBUGS-60595 [ OCPBUGS-55783 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue OCPBUGS-59527. The following is the description of the original issue:
—
Description of problem:

    Target cert validity cannot be longer than signer validity. As a result, node-system-admin-client cannot be issued for 2 years as node-system-admin-signer is valid for 1 year only.
Signer validity should be extended to 3 years (and refreshed at 2.5 years)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

Expected results:

Additional info:

clones

OCPBUGS-59527 Invalid target signer validity is preventing from issuing node-system-admin-client for 2 years

Verified

is blocked by

OCPBUGS-59527 Invalid target signer validity is preventing from issuing node-system-admin-client for 2 years

Verified

links to

openshift/cluster-kube-apiserver-operator#1897: [release-4.19] OCPBUGS-60495: certrotationcontroller: extend node-system-admin-signer lifetime

Assignee:: Vadim Rutkovsky

Reporter:: Vadim Rutkovsky

Need Info From:: None

Contributors:: None

QA Contact:: Ke Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/08/14 5:28 AM

Updated:: 2025/09/02 3:30 PM

Resolved:: 2025/09/02 3:30 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates