Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2017415
| Summary: | [certificate renewal] ssp-operator-service-cert secret certificate is not updated according to HCO CR certconfig | ||
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | ibesso <ibesso> |
| Component: | SSP | Assignee: | João Vilaça <jvilaca> |
| Status: | CLOSED MIGRATED | QA Contact: | Geetika Kapoor <gkapoor> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.9.0 | CC: | dholler, kmajcher, sgott, stirabos |
| Target Milestone: | --- | ||
| Target Release: | future | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-12-14 16:05:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: ---------------------- The certificate validity range does not conform to the values modified in the HCO CR (which are also propagated to CNAO CR). Version-Release number of selected component (if applicable): ------------------------------------------------------------ 4.9.0-249 How reproducible: ---------------- 100% Steps to Reproduce: ------------------ 1. Modify the HCO CR spec.certconfig to: { "ca": { "duration": "11m", "renewBefore": "10m" }, "server": { "duration": "11m", "renewBefore": "10m" } } 2. run the command: $ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout Actual results: -------------- 1. The notAfter is 2 years ahead of notBefore. 2. the notBefore is 1 day earlier from the current date. Expected results: ---------------- 1. The difference should have been 11 minutes. 2. notBefore should be today. Additional info: --------------- $ oc get hco kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certConfig' { "ca": { "duration": "11m", "renewBefore": "10m" }, "server": { "duration": "11m", "renewBefore": "10m" } } $ oc get kubevirt kubevirt-kubevirt-hyperconverged -n openshift-cnv -ojson |jq -C '.spec.certificateRotateStrategy.selfSigned' { "ca": { "duration": "11m0s", "renewBefore": "10m0s" }, "server": { "duration": "11m0s", "renewBefore": "10m0s" } } $ oc get secrets -n openshift-cnv ssp-operator-service-cert -ojson | jq -r '.data["tls.crt"]' | base64 -d | openssl x509 -dates -noout notBefore=Oct 25 10:10:02 2021 GMT notAfter=Oct 24 10:10:02 2023 GMT