Feature Request
Resolution: Done
Normal
4.13
1. Proposed title of this feature request
Expired certificates must clean up from secret in RHOCP 4
2. Why does the customer need this? (List the business requirements here)
The customer has an alerting mechanism that flags certificates that are nearing expiry or have already expired. Leaving the expired certificates in place therefore causes false alerts, which can cause unnecessary confusion on the customer side.
3. What is the nature and description of the request?
Many expired certificates are still present in the cluster under secrets.
Expired certificates should be deleted/cleaned up automatically from the OCP cluster.
Steps to reproduce :
1. oc project openshift-kube-apiserver
2. oc get secrets
3. echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read namespace name cert; do echo -en "$namespace\t$name\t"; echo "$cert" | base64 -d | openssl x509 -noout -enddate; done | column -t
Actual result : Many expired certs are still present in the cluster.
Expected result : Expired certificates should be removed from the cluster automatically.
Certificates listed with command `oc get secret` are present in the cluster from the date of cluster installation.
Many certificates are already expired but not cleaned up from the cluster.
A Bugzilla was raised for this issue in May 2022 : https://bugzilla.redhat.com/show_bug.cgi?id=2089888
A Jira was opened for the same in Nov 2022 : https://issues.redhat.com/browse/OCPBUGS-3038
It was suggested on the Jira OCPBUGS-3038 to raise an RFE.
Priority is set to Important as the customer is Nokia-NOM, who are looking closely into this issue.
- account is impacted by: OCPBUGS-3038 Expired certificates are not cleaned up from secret in RHOCP 4 (Closed)
- is incorporated by: OCPSTRAT-159 Auto removal of expired certificates from secrets [etcd, kube-apiserver, ocp-apiserver] (Closed)
- relates to: OCPBUGS-3038 Expired certificates are not cleaned up from secret in RHOCP 4 (Closed)