Closed kinderyj closed 3 years ago
@kinderyj Could you please confirm this solution is working on Kubernetes? The reason is that I was using the same solution, but when I describe the crt, it is still 30 days. In order to check:
kubectl get secret webhook-server-cert -n flink-operator-system -o yaml
Copy the tls.crt content and decode it:
echo "---crt----" | base64 -d > webhook.crt
When you open this webhook.crt file, you will see the expiry is still 30 days, though your command is correct.
My test steps:
On Nov 18, I changed the -days arg to 1 and installed the flink-operator via the helm chart:
openssl x509 -days 1 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem
kubectl get secret webhook-server-cert -n flink-operator-system -o yaml
Copy the tls.crt content and base64-decode it to a new file, such as webhook.crt:
echo "tls.crt content......" | base64 -d > webhook.crt
Decode:
openssl x509 -noout -text -in webhook.crt
The result is as below.
You can see the Not Before is Nov 18 and Not After is Nov 19, only 1 day, so it seems to work.
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
xxxxx
Signature Algorithm: xxxxxx
Issuer: CN=Admission Controller Webhook CA
Validity
Not Before: Nov 18 08:41:18 2020 GMT
Not After : Nov 19 08:41:18 2020 GMT
Subject: CN=flink-operator-webhook-service.flink-operator-system.svc
......
On Nov 19, I tried to create the flink operator and reproduced issue 355.
I changed the -days arg to 3650 and repeated the steps above; the Validity is as below, it's 10 years.
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
xxxxx
Signature Algorithm: xxx
Issuer: CN=Admission Controller Webhook CA
Validity
Not Before: Nov 24 14:20:29 2020 GMT
Not After : Nov 22 14:20:29 2030 GMT
........
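The manual check described in the comments above, scripted as an added example (not part of the thread or the project's code): it measures the validity period of a certificate, either from a PEM file or from the base64 string stored under tls.crt in the Secret. The function names are hypothetical, the certificates are constructed locally with the subject names shown above, and it assumes bash with openssl, GNU date and GNU base64.

```shell
#!/usr/bin/env bash
# Added example: certificates are constructed here; function names are hypothetical.
set -eu

# Issue a throwaway CA and a server cert valid for $1 days, in directory $2.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Admission Controller Webhook CA" \
    -keyout "$2/ca.key" -out "$2/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=flink-operator-webhook-service.flink-operator-system.svc" \
    -keyout "$2/server.key" -out "$2/server.csr" 2>/dev/null
  openssl x509 -req -days "$1" -in "$2/server.csr" \
    -CA "$2/ca.crt" -CAkey "$2/ca.key" -CAcreateserial \
    -out "$2/server-cert.pem" 2>/dev/null
}

# Print the validity period (notAfter - notBefore) of PEM cert $1 in whole days.
cert_validity_days() {
  nb=$(openssl x509 -noout -startdate -in "$1" | cut -d= -f2)
  na=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
  echo $(( ($(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s)) / 86400 ))
}

# Same check on the base64 string stored under tls.crt in the Secret.
secret_cert_validity_days() {
  tmp=$(mktemp)
  printf '%s' "$1" | base64 -d > "$tmp"
  cert_validity_days "$tmp"
  rm -f "$tmp"
}

# Succeed when PEM cert $1 expires within the next $2 seconds.
cert_expires_within() {
  ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Demo on constructed certs: 1 day (as in the first test) and 3650 days.
dir=$(mktemp -d)
for days in 1 3650; do
  make_test_cert "$days" "$dir"
  echo "-days $days -> $(cert_validity_days "$dir/server-cert.pem") day(s)"
done
rm -rf "$dir"
```

Against a cluster, the argument to secret_cert_validity_days would be the output of kubectl get secret webhook-server-cert -n flink-operator-system -o jsonpath='{.data.tls\.crt}'.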
/gcbrun
Fix issue 356
We should make the expiry days longer; the default expiry is 30 days, and we change it to 3650.