Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-3787

Expired certificates clean up from secret in RHOCP 4

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • 4.13
    • kube-apiserver
    • False
    • None
    • False
    • Not Selected

      1. Proposed title of this feature request
      Expired certificates must clean up from secret in RHOCP 4

      2. Why does the customer need this? (List the business requirements here)
      Customer have an alerting mechanism to indicate the certificates that are nearing expiry/expired certificates. And hence leaving the expired certificates causing false alerts. This can cause unnecessary confusion at the customer side.

      3. What is the nature and description of the request?
      Many expired certificates are still present in the cluster under secrets.
      Expired certificated should be deleted/clean up automatically from the OCP cluster.

      Steps to reproduce :
      1. oc project openshift-kube-apiserver
      2. oc get secrets
      3. echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets -A -o go-template='range .itemsif eq .type "kubernetes.io/tls".metadata.namespace" ".metadata.name" "index .data "tls.crt""\n"endend' | while read namespace name cert; do echo -en "$namespace\t$name\t"; echo $cert | base64 -d | openssl x509 -noout -enddate; done | column -t 

      Actual result : There are many expired certs are still present in the cluster.
      Expected result : Expired certificated should be removed from the cluster automatically.

      Certificates listed with command `oc get secret` are present in the cluster from the date of cluster installation.
      Many certificates are already expired but not cleaned up from the cluster.

      Bugzilla has been raised for this issue in May 2022 : https://bugzilla.redhat.com/show_bug.cgi?id=2089888
      Jira has been opened for the same in Nov 2022 : https://issues.redhat.com/browse/OCPBUGS-3038

      It is suggested on the jira OCPBUGS-3038 to raise an RFE.
      Priority is set to Important as Customer is Nokia-NOM who are looking closely into this issue.

              wcabanba@redhat.com William Caban
              rhn-support-sdharma Suruchi Dharma
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: