OpenShift Bugs / OCPBUGS-61759

In-memory certificate expiration date in openshift-apiserver namespace is too short for ELS term 2


    • Bug
    • Resolution: Unresolved
    • 4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z
    • openshift-apiserver
    • Quality / Stability / Reliability
    • Important

      Description of problem:

      In https://issues.redhat.com/browse/OCPBUGS-50505, we identified that the in-memory certificate expiration period in the following namespaces is 1 year, which doesn't meet the ELS term 2 period:
      
      - openshift-kube-apiserver
      - openshift-apiserver 
      - oauth-apiserver 
      
      Regarding the openshift-kube-apiserver namespace, we're extending the certificate expiration period from 1 year to 3 years in https://issues.redhat.com/browse/OCPBUGS-54208.
      
      The other namespaces need the same change.
      
      This is a ticket to request extending the in-memory certificate expiration period from 1 year to 3 years in the openshift-apiserver namespace.

      Version-Release number of selected component (if applicable):

      From OCP 4.14 to OCP 4.19

      How reproducible:

      Deploy a new OCP cluster with any version

      Steps to Reproduce:

      1. Deploy a new OCP cluster with any version
      2. Check the in-memory certificate expiration date 
      
      [quickcluster@upi-0 ~]$ oc rsh -n openshift-apiserver apiserver-6cfcf7c8bf-7jgvc curl --resolve apiserver-loopback-client:8443:127.0.0.1 https://apiserver-loopback-client:8443 -v -k|grep "Server certificate" -A 5
      Defaulted container "openshift-apiserver" out of: openshift-apiserver, openshift-apiserver-check-endpoints, fix-audit-permissions (init)
      * Server certificate:
      *  subject: CN=apiserver-loopback-client@1757384300
      *  start date: Sep  9 01:18:19 2025 GMT
      *  expire date: Sep  9 01:18:19 2026 GMT
      *  issuer: CN=apiserver-loopback-client-ca@1757384299
      *  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.

      Actual results:

      The certificate is valid within 1 year

      Expected results:

      The certificate is valid within 3 years

      Additional info:

       

       

              Unassigned
              rhn-support-yatanaka Yamato Tanaka
              Rahul Gangwar
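
Added example (not part of the original report and not OpenShift code): a Python check for step 2 that parses the "Server certificate" lines printed by curl -v and compares the validity period with the 3 years this ticket requests. The function names, the `required_years` parameter and the embedded sample (constructed from the output quoted in the report) are assumptions made for this illustration.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the curl -v lines quoted in the report.
SAMPLE = """\
* Server certificate:
*  subject: CN=apiserver-loopback-client@1757384300
*  start date: Sep  9 01:18:19 2025 GMT
*  expire date: Sep  9 01:18:19 2026 GMT
*  issuer: CN=apiserver-loopback-client-ca@1757384299
"""

# Matches the "*  key: value" lines; tolerates CRLF line endings from a TTY.
FIELD = re.compile(r"^\*\s+(subject|start date|expire date|issuer):\s*(.+?)\s*$", re.M)

def parse_curl_date(text):
    """Parse a curl date such as 'Sep  9 01:18:19 2025 GMT' into an aware datetime."""
    if not text.endswith(" GMT"):
        raise ValueError("unexpected date format: %r" % text)
    naive = datetime.strptime(text[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)

def add_years(dt, years):
    """Calendar-year addition; a Feb 29 start falls back to Feb 28."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)

def check_validity(curl_output, required_years=3):
    """Return subject, validity in days, and whether it reaches required_years."""
    fields = dict(FIELD.findall(curl_output))
    missing = {"start date", "expire date"} - fields.keys()
    if missing:
        raise ValueError("missing certificate fields: " + ", ".join(sorted(missing)))
    start = parse_curl_date(fields["start date"])
    expire = parse_curl_date(fields["expire date"])
    return {
        "subject": fields.get("subject"),
        "days": (expire - start).days,
        "meets_requirement": expire >= add_years(start, required_years),
    }

if __name__ == "__main__":
    # Read piped curl output, or fall back to the embedded sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = check_validity(data)
    print(result)
    sys.exit(0 if result["meets_requirement"] else 1)
```

Piping the output of the command from step 2 into the script gives a non-zero exit status while the certificate is still issued for less than 3 years.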