crc-org / snc

Single Node Cluster creation scripts for OpenShift 4.x as used by CodeReady Containers
https://crc.dev
Apache License 2.0

[4.16] Cert rotation not happening as expected for rc bits #904

Closed praveenkumar closed 5 months ago

praveenkumar commented 5 months ago

Even with our patched images the final bundle doesn't have proper cert rotation.

The 4.16.0-rc.3 bundle, which was created using the patched image, shows some certs which are not rotated properly. We need to check if our patched images have an issue or we are missing something.

$ echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets --insecure-skip-tls-verify=true --kubeconfig /opt/kubeconfig -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read namespace name cert; do echo -en "$namespace\t$name\t"; echo $cert | base64 -d | openssl x509 -noout -enddate; done | column -t | grep 2024
NAMESPACE   NAME    EXPIRY
openshift-config-managed                          kube-controller-manager-client-cert-key             notAfter=Jun  10  12:16:07  2024  GMT
openshift-config-managed                          kube-scheduler-client-cert-key                      notAfter=Jun  10  12:16:30  2024  GMT
openshift-kube-apiserver-operator                 aggregator-client-signer                            notAfter=Jun  11  12:34:03  2024  GMT
openshift-kube-apiserver                          aggregator-client                                   notAfter=Jun  11  12:34:03  2024  GMT
openshift-kube-apiserver                          check-endpoints-client-cert-key                     notAfter=Jun  10  12:16:27  2024  GMT
openshift-kube-apiserver                          control-plane-node-admin-client-cert-key            notAfter=Jun  10  12:16:27  2024  GMT
openshift-kube-apiserver                          external-loadbalancer-serving-certkey               notAfter=Jun  10  12:16:07  2024  GMT
openshift-kube-apiserver                          internal-loadbalancer-serving-certkey               notAfter=Jun  10  12:16:20  2024  GMT
openshift-kube-apiserver                          kubelet-client                                      notAfter=Jun  10  12:16:07  2024  GMT
openshift-kube-apiserver                          localhost-serving-cert-certkey                      notAfter=Jun  10  12:16:07  2024  GMT
openshift-kube-apiserver                          service-network-serving-certkey                     notAfter=Jun  10  12:16:08  2024  GMT
openshift-kube-controller-manager                 kube-controller-manager-client-cert-key             notAfter=Jun  10  12:16:07  2024  GMT
openshift-kube-scheduler                          kube-scheduler-client-cert-key                      notAfter=Jun  10  12:16:30  2024  GMT

praveenkumar commented 5 months ago

I checked again with rc-4 bits and it looks like it is now as expected. I will create the bundle and then test with crc.

$ oc get co
NAME                                       VERSION       AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             4.16.0-rc.4   True        False         False      6m22s   
config-operator                            4.16.0-rc.4   True        False         False      24h     
console                                    4.16.0-rc.4   True        False         False      24h     
control-plane-machine-set                  4.16.0-rc.4   True        False         False      24h     
dns                                        4.16.0-rc.4   True        False         False      15m     
etcd                                       4.16.0-rc.4   True        False         False      24h     
image-registry                             4.16.0-rc.4   True        False         False      9m19s   
ingress                                    4.16.0-rc.4   True        False         False      24h     
kube-apiserver                             4.16.0-rc.4   True        False         False      24h     
kube-controller-manager                    4.16.0-rc.4   True        False         False      24h     
kube-scheduler                             4.16.0-rc.4   True        False         False      24h     
kube-storage-version-migrator              4.16.0-rc.4   True        False         False      24h     
machine-api                                4.16.0-rc.4   True        False         False      24h     
machine-approver                           4.16.0-rc.4   True        False         False      24h     
machine-config                             4.16.0-rc.4   True        False         False      24h     
marketplace                                4.16.0-rc.4   True        False         False      24h     
network                                    4.16.0-rc.4   True        False         False      24h     
openshift-apiserver                        4.16.0-rc.4   True        False         False      6m33s   
openshift-controller-manager               4.16.0-rc.4   True        False         False      9m51s   
openshift-samples                          4.16.0-rc.4   True        False         False      24h     
operator-lifecycle-manager                 4.16.0-rc.4   True        False         False      24h     
operator-lifecycle-manager-catalog         4.16.0-rc.4   True        False         False      24h     
operator-lifecycle-manager-packageserver   4.16.0-rc.4   True        False         False      18m     
service-ca                                 4.16.0-rc.4   True        False         False      24h     

$ echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read namespace name cert; do echo -en "$namespace\t$name\t"; echo $cert | base64 -d | openssl x509 -noout -enddate; done | column -t | grep 2024
NAMESPACE       NAME    EXPIRY
openshift-network-node-identity                   network-node-identity-cert                          notAfter=Dec  10  20:33:24  2024  GMT
openshift-operator-lifecycle-manager              pprof-cert                                          notAfter=Jun  13  09:00:26  2024  GMT
openshift-ovn-kubernetes                          ovn-cert                                            notAfter=Dec  10  20:33:15  2024  GMT
openshift-ovn-kubernetes                          signer-cert                                         notAfter=Dec  10  20:33:15  2024  GMT

adrianriobo commented 5 months ago

Closing this issue as we did not experience it again across several rc versions.
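The commands in the comments above pick out short-lived certificates with `grep 2024`, which matches on the year only. The following is an added example, not part of the original issue or the snc scripts: it parses the same `namespace name notAfter=...` output and flags certificates expiring within a time window. The reference time, the 30-day window and the function names are assumptions made for illustration; the sample rows are copied from the output in the issue.

```python
from datetime import datetime, timedelta, timezone

# Sample rows copied from the rc.3 and rc.4 command output in the issue.
SAMPLE = """\
NAMESPACE   NAME    EXPIRY
openshift-kube-apiserver-operator     aggregator-client-signer  notAfter=Jun  11  12:34:03  2024  GMT
openshift-kube-apiserver              kubelet-client            notAfter=Jun  10  12:16:07  2024  GMT
openshift-operator-lifecycle-manager  pprof-cert                notAfter=Jun  13  09:00:26  2024  GMT
openshift-ovn-kubernetes              signer-cert               notAfter=Dec  10  20:33:15  2024  GMT
"""


def parse_expiry_table(text):
    """Parse 'namespace name notAfter=Mon D HH:MM:SS YYYY GMT' rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and rows where openssl printed no date.
        if len(fields) != 7 or not fields[2].startswith("notAfter="):
            continue
        namespace, name = fields[0], fields[1]
        stamp = " ".join([fields[2][len("notAfter="):], *fields[3:6]])
        not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        rows.append((namespace, name, not_after.replace(tzinfo=timezone.utc)))
    return rows


def expiring_within(rows, now, window):
    """Return (ns, name, notAfter, remaining) for certs expiring before
    now + window, soonest first. Expired certs have a negative remaining."""
    deadline = now + window
    hits = [(ns, name, exp, exp - now) for ns, name, exp in rows if exp <= deadline]
    return sorted(hits, key=lambda r: r[2])


if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)  # assumed reference time
    rows = parse_expiry_table(SAMPLE)
    for ns, name, exp, left in expiring_within(rows, now, timedelta(days=30)):
        hours = left.total_seconds() / 3600
        print(f"{ns}/{name} expires {exp:%Y-%m-%d %H:%M} UTC ({hours:.1f}h left)")
```

Piping the output of the `oc get secrets ... | openssl x509 -noout -enddate` loop into `parse_expiry_table` works with or without `column -t`, since the fields are split on any run of whitespace.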