Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove "certs expire in 7 days" messages #848

Closed
cfergeau opened this issue Nov 26, 2019 · 3 comments
Closed

Remove "certs expire in 7 days" messages #848

cfergeau opened this issue Nov 26, 2019 · 3 comments

Comments

@cfergeau
Copy link
Contributor

OpenShift 4.2 will automatically regenerate the certificates when they are close to expire. For example with the 1.1.0/4.2.2 release, the certs were initially valid until Nov 29 08:35:04 2019 GMT.
When running crc start, the certs are renewed after just a few minutes for one more month: Dec 26 16:04:50 2019 GMT.
I check this using openssl s_client api.crc.testing:6443 |openssl x509 --noout -dates
However, even with a certificate valid for one more month, when running crc stop && crc start, I'm still getting a warning that the certificates are about to expire.
This is because the certificates used for api.crc.testing are coming from /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/ while we check certificates from /var/lib/kubelet/pki/
@praveenkumar
Copy link
Member

@cfergeau Can we use #689 on for that?

I check this using openssl s_client api.crc.testing:6443 |openssl x509 --noout -dates
However, even with a certificate valid for one more month, when running crc stop && crc start, I'm still getting a warning that the certificates are about to expire.
This is because the certificates used for api.crc.testing are coming from /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/external-loadbalancer-serving-certkey/ while we check certificates from /var/lib/kubelet/pki/

Since we delete /var/lib/kubelet/pki when run the regeneration step, when we start kubelet again then it should be recreated automatic so this location should be correct.

@cfergeau
Copy link
Contributor Author

cfergeau commented Nov 26, 2019
edited

Since we delete /var/lib/kubelet/pki when run the regeneration step, when we start kubelet again then it should be recreated automatic so this location should be correct.
I am talking about a scenario when the certificates haven't expired yet, so our cert regeneration code does not run. It is openshift itself which decides to renew them when they are close to expiration time (a few days before?).

In the 4.2.2 cluster I'm looking at

$ sudo openssl x509 -in ./kubelet-client-current.pem
notBefore=Nov 26 15:56:00 2019 GMT
notAfter=Nov 30 03:21:52 2019 GMT

crc code is certExpiryDateCmd := 'date --date="$(sudo openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -enddate | cut -d= -f 2)" --iso-8601=seconds'
which means:

  • the kubelet-client-current.pem was rotated
  • this certificate only has a 4 day validity, so our warning on start will always trigger, but I'm not sure this will cause actual issues.

@cfergeau
Copy link
Contributor Author

@cfergeau Can we use #689 on for that?

Yep, I was thinking this would make that pull request obsolete if we remove the code instead of refactoring it :)

@cfergeau cfergeau mentioned this issue Nov 26, 2019
Closed
cfergeau added a commit to cfergeau/crc that referenced this issue Nov 27, 2019
@cfergeau
Issue crc-org#848: Remove '7 days' check/warnings
896e90e 
With OpenShift 4.2.2, when the cluster is started close to the cert
expiry date (I tried a few days before), the certificates will be
automatically renewed a few minutes after the cluster starts, so we no
longer need to warn the user about it.

This fixes crc-org#848
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@praveenkumar @cfergeau