Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Done
Priority: Minor
Fix Version/s: None
Affects Version/s: None
Component/s: API, etcd, User Interface
Labels:
- sb_candidate

Blocked:
False
Ready:
False
Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%
Release Note Text:
Undefined
Market:
PX Impact Score:
PX Priority Data:

SFDC Cases Counter:
SFDC Cases Links:

1. Proposed title of this feature request

Display Cluster CA Cert Expiry and Button to Force Cert Rotation in the OpenShift Web Console

2. What is the nature and description of the request?

As a customer and an administrator of an OpenShift cluster, I want to clear understanding of when a CA cert expiry and rotation events are going to take place, and a simple and supported way to force rotation (with/without subsequent reboot) during my own maintenance schedules. This option should be presented as a button in the console, in the same way the upgrade button works.

Without this, I am at the mercy of the apiserver-operator and its pre-defined schedule of cert rotation at 80% of the the cert lifetime (to which we have no visibility - however is something that is calculable). Even with the existing work being done (due to customer demand) to prevent node reboots by the MCO, I, as an administrator still need to have awareness of the inner workings at cert mechanics of my cluster to work around it.

3. Why does the customer need this? (List the business requirements here)

Cert rotations and node reboots are disruptive for customers, even when we preach that properly architecture cloud native application applications should survive these operations, there are countless reasons customers do not wish for maintenance operations such as cert rotation and node reboots to be managed by the cluster. See number of linked cases here.

The product is working to incorporate the standard procedure to force cert rotatation use by OSD SREs into the documentation, at the request of our top tier customers. This is a step in the right direction for cluster administrators who are already aware of these background cluster events and wish to pre-empt them, however this does little to help the class of cluster administrators who do not have that experience or knowledge. Not exposing this information in the cluster console continues to risk these background operations being disruptive for customers, and they learn the hard way once then have cluster/application outages, then dependent on RH support of consulting to help.

4. List any affected packages or components.

Web Console

is duplicated by

RFE-4269 [CEE.neXT]Trigger alert when ingress certificate is about to be expired

Under Review

is related to

RFE-4676 [CEE.NeXT]Notify/Display the list of certs which expires in next 30 days on OCP console

Backlog

RFE-1255 Customer need an alert, when the kube-apiserver-to-kubelet-signer rotated and machine reboot

Accepted

links to

KCS 5319661: How to manually rotate apiserver certificate

KCS 5441521: How to create a custom alert to monitor kube-apiserver-to-kubelet-signer certificate expiration

RFE for displaying the cert on openshift console

(1 links to)

Assignee:: William Caban

Reporter:: Timothy Rees

Votes:: 1 Vote for this issue

Watchers:: 17 Start watching this issue

Created:: 2021/07/09 5:27 PM

Updated:: 2023/10/27 11:11 AM

Resolved:: 2023/03/14 7:51 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates