Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: openshift-4.12, openshift-4.14, openshift-4.16, openshift-4.18
Component/s: oauth-server, openshift-apiserver
Labels:
- telco-5g
- telco-5g-core

Target Version:
None
Activity Type:
Product / Portfolio Work
Status Summary:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Products:
None
Hierarchy Progress Bar:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
None
PX Impact Score:
PX Impact Range:
None
PX Priority Data:
None
PX Technical Impact:
None
PX Technical Impact Notes:
None
PX Scheduling Request:
None

1. Proposed title of this feature request

Automatic renewal of loopback certificates used by apiserver pods in openshift-oauth-apiserver and openshift-apiserver namespaces without requiring pod restarts.

2. What is the nature and description of the request?

The customer is requesting a feature that enables automatic renewal of loopback certificates used by the apiserver pods in the openshift-oauth-apiserver and openshift-apiserver namespaces, without requiring manual pod restarts.

Currently, the apiserver pods in these namespaces continue running with loopback certificates that are valid for one year (as per OpenShift 4.12). When these certificates expire, critical operations such as oc login fail, resulting in operational disruptions. The only known workaround is to manually restart the apiserver pods prior to certificate expiration to trigger regeneration of the loopback certificates.

The requested enhancement is to ensure that loopback certificates are automatically rotated and reloaded within the running pods, similar to other certificate management mechanisms in OpenShift.

This RFE is related to the case(https://access.redhat.com/support/cases/#/case/03989408)

3. Why does the customer need this? (List the business requirements here)

KDDI, a major telecom customer of Samsung, operates OpenShift environments where the openshift-apiserver and openshift-oauth-apiserver pods have been running continuously for over a year. Due to the use of loopback certificates with a 1-year validity, there is a risk that these certificates will expire, which would prevent administrative actions such as oc login, potentially resulting in significant service outages.

The customer requires a solution that ensures continuous and reliable access to the cluster without the need for manual intervention. This feature would help minimize operational risks, improve cluster availability, and align with telecom-grade reliability expectations.

4. List any affected packages or components.

openshift-apiserver

openshift-oauth-apiserver

Loopback certificates issued and used by these components

Certificate rotation and renewal mechanism in OpenShift control plane

Assignee:: Ramon Acedo

Reporter:: ByoungHee Lee

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/07/24 12:29 AM

Updated:: 2025/10/10 9:57 AM

Target start:: None

Target end:: None

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates