OpenShift Bugs: OCPBUGS-77057

[Docs] The etcd CA certificate is valid for 5 years instead of 10 years.

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • 4.21
    • Documentation / etcd
    • Low

      Description of problem:

      The etcd CA certificate is valid for 5 years instead of the 10 years stated in the documentation.
      
      https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/certificate-types-and-descriptions#expiration-6
      
      --> "The CA certificates are valid for 10 years. The peer, client, and server certificates are valid for three years."
      
      The related code (the validity constants in pkg/tlshelpers/tlshelpers.go of cluster-etcd-operator):
      
      https://github.com/openshift/cluster-etcd-operator/blob/main/pkg/tlshelpers/tlshelpers.go#L31-L34
      
       const (
           // etcd peer, client and server certificates: 3 years, refreshed after 2.2 years (matches the docs)
           EtcdCertValidity          = 3 * 365 * 24 * time.Hour
           EtcdCertValidityRefresh   = 2.2 * 365 * 24 * time.Hour
           // etcd CA certificate: 5 years, refreshed after 4.2 years (the docs say 10 years)
           EtcdCaCertValidity        = 5 * 365 * 24 * time.Hour
           EtcdCaCertValidityRefresh = 4.2 * 365 * 24 * time.Hour
       )
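As an added example (not code from this issue or from cluster-etcd-operator), a small Go program that applies the quoted constants to a parsed CA certificate: it reports the certificate's lifetime, whether that lifetime equals the 5-year value in the code or the 10-year value in the docs, and when the operator's 4.2-year refresh threshold falls. The certificate it inspects is a constructed self-signed fixture, not a real etcd signer; `DocumentedCaCertValidity`, `AssessCA` and `newSelfSignedCA` are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity periods as set in cluster-etcd-operator's tlshelpers.go (quoted above), beside the 10-year figure the docs state.
const (
	EtcdCaCertValidity        = 5 * 365 * 24 * time.Hour
	EtcdCaCertValidityRefresh = 4.2 * 365 * 24 * time.Hour
	DocumentedCaCertValidity  = 10 * 365 * 24 * time.Hour
)

// AssessCA reports a CA certificate's NotBefore..NotAfter lifetime, whether it equals the 5-year value
// in the code or the 10-year value in the docs, and when the operator's 4.2-year refresh threshold is reached.
func AssessCA(cert *x509.Certificate) (lifetime time.Duration, matchesCode, matchesDocs bool, refreshAt time.Time) {
	lifetime = cert.NotAfter.Sub(cert.NotBefore)
	return lifetime, lifetime == EtcdCaCertValidity, lifetime == DocumentedCaCertValidity, cert.NotBefore.Add(EtcdCaCertValidityRefresh)
}

// newSelfSignedCA builds a constructed self-signed CA fixture (not a real etcd signer) with the given lifetime.
func newSelfSignedCA(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-etcd-signer"},
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Issue a CA with the 5-year value the code uses; expect matchesCode=true, matchesDocs=false.
	ca, err := newSelfSignedCA(time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC), EtcdCaCertValidity)
	if err != nil {
		panic(err)
	}
	fmt.Println(AssessCA(ca))
}
```

For a certificate taken from a cluster, decode its PEM with encoding/pem, parse the DER with x509.ParseCertificate and pass the result to AssessCA.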

              kowen@redhat.com Kevin Owen
              rhn-support-yhe Yiyong He
              Ge Liu