Details
Description
1. Proposed title of this feature request
Ability to configure the "--cluster-signing-duration" value in "kubecontrollermanagers.operator.openshift.io.spec/cluster" to change the default duration of requested certificates.
2. What is the nature and description of the request?
At the moment the value is set to 720h (30 days) and can't be overridden in a CSR with .spec.expirationSeconds, because the issued duration is always the lower of the two values. So if you request a certificate valid for 1 year, it will be valid for only 30 days.
The proposal is to add a configurable value to "kubecontrollermanagers.operator.openshift.io.spec/cluster" for a specific signer type (e.g. kubernetes.io/kube-apiserver-client), so that certificates valid for more than 30 days can be requested.
3. Why does the customer need this? (List the business requirements here)
Needed when requesting a new kubeconfig for "system:admin", to have a kubeconfig that is valid for more than 1 year.
4. List any affected packages or components.
- kube controller manager
- certificates.k8s.io/v1
- certificate signer
An alternative proposal would be a way to override the default certificate duration defined by the "--cluster-signing-duration" flag with "spec.expirationDuration" in the CSR.
Doc Info:
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
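For illustration, an added example that is not part of the original request: a CertificateSigningRequest asking the kubernetes.io/kube-apiserver-client signer for one year through spec.expirationSeconds, annotated with the outcome the request describes when --cluster-signing-duration is 720h. The object name and the request placeholder are assumptions.

```yaml
# Added example, not from the original request.
# metadata.name is a constructed name; spec.request is a placeholder
# for a base64-encoded PKCS#10 CSR that you generate yourself.
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: long-lived-client-example        # hypothetical name
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: <BASE64_ENCODED_PKCS10_CSR>   # placeholder, not a real value
  usages:
    - client auth
  # Requested lifetime: 365 days * 86400 s = 31536000 s.
  expirationSeconds: 31536000

# Behaviour described in the request above:
#   --cluster-signing-duration = 720h = 2592000 s (30 days)
#   issued lifetime = the lower of (cluster-signing-duration,
#                                   spec.expirationSeconds)
#                   = 2592000 s, i.e. 30 days, not the 1 year requested.
#
# Once the CSR is approved and signed, the effective lifetime can be
# confirmed from the issued certificate's validity dates:
#   kubectl get csr long-lived-client-example \
#     -o jsonpath='{.status.certificate}' | base64 -d \
#     | openssl x509 -noout -dates
#
# A notAfter about 30 days past notBefore means the requested
# expirationSeconds was capped by the signer's configured duration.
```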