- Bug
- Resolution: Done
- Major
- DO380 - OCP4.14-en-1-20240220
- ROLE
- en-US (English)
Please fill in the following information:
URL: https://role.rhu.redhat.com/rol-rhu/app/courses/do380-4.14/pages/ch01s10
Reporter RHNID: rhn-support-ablum
Section Title: Guided Exercise: Token and Client Certificate Authentication with kubeconfig files
Issue description
The client certificate will never be valid for longer than the expiry of the CA that signs it. In this case, the CA is stored in the csr-signer secret in the openshift-kube-controller-manager project:
[student@workstation ~]$ oc extract secret/csr-signer -n openshift-kube-controller-manager --to - | openssl x509 -noout -dates
- tls.crt
- tls.key
notBefore=Apr 19 17:47:33 2024 GMT
notAfter=May 19 17:47:34 2024 GMT
It's misleading to think that the CSR requested will result in a client certificate that expires in 365 days. At most, a client certificate signed this way expires after 30 days, because of the rotation enforced on the csr-signer CA shown above.
Steps to reproduce:
Complete the steps through 5.7 as given then:
[student@workstation test]$ oc get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
admin-backdoor-access 2s kubernetes.io/kube-apiserver-client admin 365d Pending
[student@workstation test]$ oc adm certificate approve admin-backdoor-access
[student@workstation test]$ oc get csr admin-backdoor-access -o jsonpath='{.status.certificate}' | base64 -d | openssl x509 -noout -dates
notBefore=Apr 25 16:55:10 2024 GMT
notAfter=May 19 17:47:34 2024 GMT
Workaround:
It's not possible in OpenShift v4.14 to create a client certificate using the "kubernetes.io/kube-apiserver-client" signer for client auth and receive a certificate valid for longer than the CA (i.e. 30 days at most).
So, I'd recommend modifying the exercise to set expirationSeconds to 5 days or some other shorter period.
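The clamping behaviour this ticket describes, as an added example written for the report (not code from the course or from OpenShift): it uses Go's standard library to issue a client-auth certificate from a constructed 30-day CA standing in for csr-signer, applies the kube-apiserver-client signer's rule that a leaf never outlives its CA, and reads the effective lifetime back from the signed certificate. The CA subject, serial numbers and the "admin" CN are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// clampNotAfter is the rule the kube-apiserver-client signer applies: a leaf never outlives its CA.
func clampNotAfter(requested, caNotAfter time.Time) time.Time {
	if requested.After(caNotAfter) {
		return caNotAfter
	}
	return requested
}

// EffectiveLifetimeDays issues a client-auth certificate requesting expirationSeconds from a
// constructed CA with caValidity left (a stand-in for csr-signer, not real OpenShift material)
// and returns the whole days the issued certificate is actually valid for.
func EffectiveLifetimeDays(expirationSeconds int64, caValidity time.Duration) (int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key serves as CA and leaf key for brevity
	if err != nil {
		return 0, err
	}
	now := time.Now().UTC().Truncate(time.Second)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "csr-signer (constructed)"},
		NotBefore: now, NotAfter: now.Add(caValidity), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "admin"},
		NotBefore: now, NotAfter: clampNotAfter(now.Add(time.Duration(expirationSeconds)*time.Second), ca.NotAfter),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	issued, err := x509.ParseCertificate(der) // read the dates back from the signed cert, as openssl x509 -dates does
	if err != nil {
		return 0, err
	}
	return int(issued.NotAfter.Sub(issued.NotBefore).Hours() / 24), nil
}
```

EffectiveLifetimeDays(365*24*3600, 30*24*time.Hour) returns 30, matching the notAfter inherited from the CA in the output above, while a 5-day request (5*24*3600) returns 5.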
SEE: