OpenShift Container Platform (OCP) Strategy / OCPSTRAT-159

Auto removal of expired certificates from secrets [etcd, kube-apiserver, ocp-apiserver]

    • Linked issue: OCPSTRAT-714 Comprehensive overhaul of handling OCP internal cert & keys

      Feature Overview (aka. Goal Summary)  

      The OCP certificate rotation process leaves previously issued, now expired certificates behind in the cluster. Audit and compliance scanners report these expired certificates as findings even though nothing can use them any more, which produces false positives.

      Goals (aka. expected user outcomes)

      The feature is to do one or more of the following:

      • automatically remove expired certificates
      • document a supported mechanism (e.g. a CronJob) that customers can use to clean up expired certificates (already covered by HATSTRAT-226)
      • provide an API on the corresponding operators or services to enable/disable the regular removal of expired certificates.

      Requirements (aka. Acceptance Criteria):

      Certificates (secrets) that should either be cleaned up automatically or have a documented procedure for customers to clean them when needed:

      • kubelet-client
      • internal-loadbalancer-serving-certkey
      • service-network-serving-certkey
      • localhost-serving-cert-certkey
      • external-loadbalancer-serving-certkey
      • aggregator-client-signer
      • aggregator-client
      • kube-scheduler-client-cert-key
      • kube-controller-manager-client-cert-key
      • check-endpoints-client-cert-key
      • control-plane-node-admin-client-cert-key
      • csr-signer
      • pprof-cert (from openshift-operator-lifecycle-manager)
         

      Out of Scope

      • Any certificates generated by an external entity (e.g. cert-manager)
      • Any certificates that are not part of the core platform services
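      The cleanup the Goals section asks for (a supported CronJob-style mechanism) and the secrets listed under Requirements both come down to the same operation: read the PEM material in a secret, drop the certificate blocks whose NotAfter has passed, and write back only what is still valid. The following is an added example written for this page, not code from OCP, from HATSTRAT-226, or from any operator. It assumes the stale material sits as an extra PEM block in the secret's tls.crt (the kubernetes.io/tls layout); the two sample certificates are constructed in the block itself so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PruneExpired walks a PEM bundle such as the tls.crt value of a
// kubernetes.io/tls secret and drops every CERTIFICATE block whose
// NotAfter lies before `now`. Non-certificate blocks (keys, CSRs) are
// copied through unchanged. A certificate that does not parse aborts the
// run with an error: an automated cleanup should refuse to guess rather
// than rewrite a secret it does not understand.
func PruneExpired(bundle []byte, now time.Time) (kept []byte, dropped int, err error) {
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			cert, perr := x509.ParseCertificate(block.Bytes)
			if perr != nil {
				return nil, 0, fmt.Errorf("unparseable certificate in bundle: %w", perr)
			}
			if cert.NotAfter.Before(now) {
				dropped++
				continue // expired: leave it out of the rewritten bundle
			}
		}
		kept = append(kept, pem.EncodeToMemory(block)...)
	}
	return kept, dropped, nil
}

// CountCerts returns the number of CERTIFICATE blocks in a PEM bundle.
func CountCerts(bundle []byte) int {
	n := 0
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return n
		}
		if block.Type == "CERTIFICATE" {
			n++
		}
	}
}

// selfSigned mints a throwaway self-signed certificate with the given
// validity window. It exists only to construct sample input offline.
func selfSigned(cn string, serial int64, notBefore, notAfter time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle is constructed test data (not taken from a real cluster):
// one certificate that expired yesterday, the rotated-out entry an audit
// scanner would flag, followed by the current one.
func SampleBundle() []byte {
	now := time.Now()
	var b []byte
	b = append(b, selfSigned("rotated-out-serving-cert", 1, now.Add(-72*time.Hour), now.Add(-24*time.Hour))...)
	b = append(b, selfSigned("current-serving-cert", 2, now.Add(-1*time.Hour), now.Add(24*time.Hour))...)
	return b
}

func main() {
	kept, dropped, err := PruneExpired(SampleBundle(), time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("dropped %d expired certificate(s); %d remain\n", dropped, CountCerts(kept))
}
```

      Against a live cluster the input would come from something like `oc get secret <name> -n <namespace> -o jsonpath='{.data.tls\.crt}' | base64 -d`, and the result would be patched back into the secret. Two caveats a practitioner would want: run it first in report-only mode and diff the before/after bundle, and remember that the secrets listed above are operator-managed, so an external CronJob can be undone by the next reconcile. That is the reason the Goals section also asks for an enable/disable API on the operators themselves rather than only an out-of-band job.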

            William Caban (wcabanba@redhat.com)
            Votes: 0
            Watchers: 3
