Bug
Resolution: Unresolved
4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z
Quality / Stability / Reliability
Important
Description of problem:
In https://issues.redhat.com/browse/OCPBUGS-50505, we identified that the in-memory certificate expiration period in the following namespaces is 1 year, which doesn't meet the ELS term 2 period:
- openshift-kube-apiserver
- openshift-apiserver
- oauth-apiserver

Regarding the openshift-kube-apiserver namespace, we're extending the certificate expiration period from 1 year to 3 years in https://issues.redhat.com/browse/OCPBUGS-54208. The other namespaces need the same change.

This is a ticket to request extending the in-memory certificate expiration period from 1 year to 3 years in the openshift-apiserver namespace.
Version-Release number of selected component (if applicable):
From OCP 4.14 to OCP 4.19
How reproducible:
Deploy a new OCP cluster with any version
Steps to Reproduce:
1. Deploy a new OCP cluster with any version
2. Check the in-memory certificate expiration date

    [quickcluster@upi-0 ~]$ oc rsh -n openshift-apiserver apiserver-6cfcf7c8bf-7jgvc curl --resolve apiserver-loopback-client:8443:127.0.0.1 https://apiserver-loopback-client:8443 -v -k|grep "Server certificate" -A 5
    Defaulted container "openshift-apiserver" out of: openshift-apiserver, openshift-apiserver-check-endpoints, fix-audit-permissions (init)
    * Server certificate:
    * subject: CN=apiserver-loopback-client@1757384300
    * start date: Sep 9 01:18:19 2025 GMT
    * expire date: Sep 9 01:18:19 2026 GMT
    * issuer: CN=apiserver-loopback-client-ca@1757384299
    * SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
Actual results:
The certificate is valid for 1 year
Expected results:
The certificate is valid for 3 years
Additional info:
- is duplicated by: OCPBUGS-61760 In-memory certificate expiration date in oauth-apiserver namespace is too short for ELS term 2 (New)
- relates to: OCPBUGS-50505 Identify in-memory certificates and ensure they are stored in secrets/on disk (Closed)
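An added example (not part of the ticket or of the OpenShift code base) that turns the manual check in step 2 into a pass/fail test: it parses the `start date` / `expire date` lines of `curl -v` output and compares the certificate lifetime with the 3-year expectation. The function names are hypothetical, and the embedded sample is the output quoted in the ticket.

```python
import re
import sys
from datetime import datetime, timezone

# Sample input: the "Server certificate" lines quoted in the ticket.
SAMPLE = """\
* Server certificate:
* subject: CN=apiserver-loopback-client@1757384300
* start date: Sep 9 01:18:19 2025 GMT
* expire date: Sep 9 01:18:19 2026 GMT
* issuer: CN=apiserver-loopback-client-ca@1757384299
"""

_DATE_RE = re.compile(r"^\*[ \t]+(start|expire) date:[ \t]+(.+?)[ \t]*$", re.M)

def parse_cert_dates(curl_verbose):
    """Return (not_before, not_after) as UTC datetimes from curl -v output."""
    found = {}
    for kind, text in _DATE_RE.findall(curl_verbose):
        # curl pads single-digit days with an extra space; normalise first.
        stamp = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")
        found.setdefault(kind, stamp.replace(tzinfo=timezone.utc))
    if "start" not in found or "expire" not in found:
        raise ValueError("start/expire date lines not found in input")
    return found["start"], found["expire"]

def add_years(ts, years):
    """Calendar-year addition; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:
        return ts.replace(year=ts.year + years, day=28)

def meets_term(not_before, not_after, required_years=3):
    """True if the certificate stays valid for at least required_years."""
    return not_after >= add_years(not_before, required_years)

if __name__ == "__main__":
    # curl writes -v output to stderr, so pipe it with 2>&1 when feeding stdin.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    nb, na = parse_cert_dates(text)
    ok = meets_term(nb, na)
    print(f"{nb:%Y-%m-%d} -> {na:%Y-%m-%d} ({(na - nb).days} days): "
          f"{'OK' if ok else 'shorter than 3 years'}")
    sys.exit(0 if ok else 1)
```

Run with no piped input it evaluates the ticket's sample and exits non-zero, which matches the "Actual results" above; a certificate issued with the requested 3-year period would exit 0.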