OCPSTRAT-159 (project: OpenShift Container Platform (OCP) Strategy)

Auto removal of expired certificates from secrets [etcd, kube-apiserver, ocp-apiserver]

    • Strategic Product Work
    • Parent link: OCPSTRAT-714 Provide Detailed Administrative Control of all OCP Certs and Keys
    • Progress: 0% To Do, 0% In Progress, 100% Done
    • Size: M

      Feature Overview (aka. Goal Summary)  

      The OCP certificate rotation process retains previously rotated, now expired certificates in the cluster. These stale certificates trigger false positives on audit and compliance scanning systems, which flag any expired certificate they find in a secret.

      Goals (aka. expected user outcomes)

      The feature should do one or more of the following:

      • automatically remove expired certificates
      • document a supported mechanism (e.g. a CronJob) that customers can use to clean expired certificates (already covered by HATSTRAT-226)
      • provide API on the corresponding operators or services to enable/disable the regular removal of expired certificates.

      Requirements (aka. Acceptance Criteria):

      List of certificates (secrets) that should have auto-cleanup, or a documented procedure for when a customer needs to clean them:

      • kubelet-client
      • internal-loadbalancer-serving-certkey
      • service-network-serving-certkey
      • localhost-serving-cert-certkey
      • external-loadbalancer-serving-certkey
      • aggregator-client-signer
      • aggregator-client
      • kube-scheduler-client-cert-key
      • kube-controller-manager-client-cert-key
      • check-endpoints-client-cert-key
      • control-plane-node-admin-client-cert-key
      • csr-signer
      • pprof-cert (from openshift-operator-lifecycle-manager)
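As an added illustration (not code from this issue, from HATSTRAT-226 or from any OpenShift operator), the Go program below shows the pruning step the goals above call for, applied to the PEM payload of a secret data key: every CERTIFICATE block is parsed, blocks whose NotAfter has passed are dropped, anything else passes through unchanged, and the result is refused if it would leave the secret empty. The function and secret names are hypothetical, and the bundle it operates on is constructed in the program (three self-signed certificates: one expired, one rotated out but still valid, one current) rather than taken from a cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PruneExpiredPEM rewrites the PEM payload of a secret data key (e.g. tls.crt),
// dropping CERTIFICATE blocks whose NotAfter is at or before now; other block
// types (a private key, say) pass through. Hypothetical helper, not an OCP API.
func PruneExpiredPEM(bundle []byte, now time.Time) (kept []byte, removed int, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			kept = append(kept, pem.EncodeToMemory(block)...)
			continue
		}
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			// Never rewrite a bundle we cannot fully parse: silently dropping an
			// unparseable block could remove a certificate some client still needs.
			return nil, 0, fmt.Errorf("parse certificate: %w", perr)
		}
		if !now.Before(cert.NotAfter) {
			removed++ // expired: leave it out of the rewritten bundle
			continue
		}
		kept = append(kept, pem.EncodeToMemory(block)...)
	}
	if removed > 0 && len(kept) == 0 {
		// An all-expired bundle is a rotation failure to alert on; emptying the
		// secret would break every consumer, so refuse rather than prune.
		return nil, removed, fmt.Errorf("refusing to prune: bundle would become empty")
	}
	return kept, removed, nil
}

// Subjects lists the CommonName of each CERTIFICATE block, in bundle order.
func Subjects(bundle []byte) (names []string) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			names = append(names, cert.Subject.CommonName)
		}
	}
	return names
}

// selfSignedPEM mints a throwaway self-signed cert so the example runs offline.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildSampleBundle constructs (not captured from a cluster) a rotated secret that
// still carries older certs; only the expired one should go, the valid ones stay.
func BuildSampleBundle(now time.Time) ([]byte, error) {
	day := 24 * time.Hour
	var bundle []byte
	for _, c := range []struct{ cn string; start, end time.Duration }{
		{"expired-serving-cert", -400 * day, -day},
		{"previous-serving-cert", -200 * day, 30 * day},
		{"current-serving-cert", -day, 365 * day},
	} {
		pemBytes, err := selfSignedPEM(c.cn, now.Add(c.start), now.Add(c.end))
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pemBytes...)
	}
	return bundle, nil
}

func main() {
	now := time.Now()
	bundle, err := BuildSampleBundle(now)
	if err != nil {
		panic(err)
	}
	kept, removed, err := PruneExpiredPEM(bundle, now)
	fmt.Println("before:", Subjects(bundle), "removed:", removed, "after:", Subjects(kept), "err:", err)
}
```

In a real implementation the bundle would be read from and written back to the Secret through the Kubernetes API, the write skipped when removed is zero, and the whole step gated by the enable/disable API the goals ask for. Two details matter for the listed secrets: a certificate from the previous rotation is usually still valid when the new one is issued, so pruning must key on NotAfter rather than "not the newest", and a bundle that parses only partially or would end up empty must be left alone and reported, not cleaned.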
         

        Out of Scope

      • Any certs generated by an external entity (e.g. cert-manager)
      • Any certs that are not part of the core platform services

              racedoro@redhat.com Ramon Acedo
              wcabanba@redhat.com William Caban