-
Bug
-
Resolution: Unresolved
4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z
Quality / Stability / Reliability
Description of problem:
In https://issues.redhat.com/browse/OCPBUGS-50505, we identified that the in-memory certificate expiration period in the following namespaces is 1 year, which doesn't meet the ELS term 2 period:
- openshift-kube-apiserver
- openshift-apiserver
- oauth-apiserver

Regarding the openshift-kube-apiserver namespace, we're extending the certificate expiration period from 1 year to 3 years in https://issues.redhat.com/browse/OCPBUGS-54208. The other namespaces need the same change. This is a ticket to request extending the in-memory certificate expiration period from 1 year to 3 years in the oauth-apiserver namespace.
Version-Release number of selected component (if applicable):
From OCP 4.14 to OCP 4.19
How reproducible:
Deploy a new OCP cluster with any version
Steps to Reproduce:
1. Deploy a new OCP cluster with any version
2. Check the in-memory certificate expiration date

    [quickcluster@upi-0 ~]$ oc rsh -n openshift-oauth-apiserver apiserver-77b4c89c66-757jg curl --resolve apiserver-loopback-client:8443:127.0.0.1 https://apiserver-loopback-client:8443 -v -k|grep "Server certificate" -A 5
    Defaulted container "oauth-apiserver" out of: oauth-apiserver, fix-audit-permissions (init)
    * Server certificate:
    * subject: CN=apiserver-loopback-client@1757383716
    * start date: Sep 9 01:08:36 2025 GMT
    * expire date: Sep 9 01:08:36 2026 GMT
    * issuer: CN=apiserver-loopback-client-ca@1757383716
    * SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
Actual results:
The certificate is valid for 1 year
Expected results:
The certificate is valid for 3 years
Additional info:
- duplicates: OCPBUGS-61759 In-memory certificate expiration date in openshift-apiserver namespace is too short for ELS term 2 (New)
- relates to: OCPBUGS-50505 Identify in-memory certificates and ensure they are stored in secrets/on disk (Closed)
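The check in step 2 can be automated so that the result is a pass/fail against the 3-year expectation rather than a visual comparison of dates. The script below is an added example, not part of the ticket or of OpenShift; the function names are hypothetical, and it assumes "3 years" means at least 3 × 365 days and that the input is the "Server certificate" block as `curl -v` prints it.

```python
"""Check a serving certificate's validity period from `curl -v` output."""
import re
import sys
from datetime import datetime, timezone

# Expected lifetime from the ticket: 3 years (taken as 3 * 365 days, an assumption).
REQUIRED_DAYS = 3 * 365

# Constructed sample: the "Server certificate" block as shown in the ticket.
SAMPLE = """\
* Server certificate:
* subject: CN=apiserver-loopback-client@1757383716
* start date: Sep 9 01:08:36 2025 GMT
* expire date: Sep 9 01:08:36 2026 GMT
* issuer: CN=apiserver-loopback-client-ca@1757383716
"""

_FIELD = re.compile(r"^\*\s+(subject|start date|expire date|issuer):\s*(.+?)\s*$", re.M)
_DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # curl's date format for certificate fields


def parse_server_cert(verbose_output):
    """Return subject, issuer and validity dates from curl's verbose TLS block."""
    fields = {}
    for name, value in _FIELD.findall(verbose_output):
        fields.setdefault(name, value)  # keep the first occurrence of each field
    missing = {"subject", "start date", "expire date"} - fields.keys()
    if missing:
        raise ValueError(f"curl output lacks: {sorted(missing)}")
    for key in ("start date", "expire date"):
        fields[key] = datetime.strptime(fields[key], _DATE_FMT).replace(tzinfo=timezone.utc)
    return fields


def validity_days(cert):
    return (cert["expire date"] - cert["start date"]).days


def meets_requirement(cert, required_days=REQUIRED_DAYS):
    return validity_days(cert) >= required_days


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    cert = parse_server_cert(text)
    ok = meets_requirement(cert)
    print(f"{cert['subject']}: {validity_days(cert)} days, {'OK' if ok else 'TOO SHORT'}")
    sys.exit(0 if ok else 1)
```

Piping the output of the step 2 command into the script's standard input makes it evaluate the live certificate; run without piped input, it evaluates the embedded sample.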