Skip to content

OCPBUGS-63532: UPSTREAM: <carry>: extend loopback certificate validity to three years #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: openshift-apiserver-4.18-kubernetes-1.31.1
Choose a base branch
from
Open

OCPBUGS-63532: UPSTREAM: <carry>: extend loopback certificate validity to three years #74

wants to merge 1 commit into from

Conversation

@everettraven
Copy link

@everettraven everettraven commented Oct 23, 2025
edited
Loading

Updates the loopback certificate generation logic to extend the certificate validity to three years as a basis to fix both https://issues.redhat.com/browse/OCPBUGS-61760 and https://issues.redhat.com/browse/OCPBUGS-61759.

Verified by:

Manually verified using the steps in the bug against a cluster bot cluster launched with all three PRs.

openshift-apiserver certificate:

$> oc rsh -n openshift-apiserver apiserver-bb69ccd98-bncq5 curl --resolve apiserver-loopback-client:8443:127.0.0.1 https://apiserver-loopback-client:8443 -v -k | grep "Server certificate" -A 5

Defaulted container "openshift-apiserver" out of: openshift-apiserver, openshift-apiserver-check-endpoints, fix-audit-permissions (init)
* Server certificate:
*  subject: CN=apiserver-loopback-client@1761308522
*  start date: Oct 24 11:22:02 2025 GMT
*  expire date: Oct 24 11:22:02 2028 GMT
*  issuer: CN=apiserver-loopback-client-ca@1761308522
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.

oauth-apiserver certificate:

$>  oc rsh -n openshift-oauth-apiserver apiserver-5b55966fc5-gkf6k curl --resolve apiserver-loopback-client:8443:127.0.0.1 https://apiserver-loopback-client:8443 -v -k | grep "Server certificate" -A 5

Defaulted container "oauth-apiserver" out of: oauth-apiserver, fix-audit-permissions (init)
* Server certificate:
*  subject: CN=apiserver-loopback-client@1761308234
*  start date: Oct 24 11:17:14 2025 GMT
*  expire date: Oct 24 11:17:14 2028 GMT
*  issuer: CN=apiserver-loopback-client-ca@1761308234
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.

@openshift-ci openshift-ci bot requested review from deads2k and tkashem October 23, 2025 17:24
benluddy
benluddy reviewed Oct 23, 2025
View reviewed changes
pkg/server/options/client-go-certutil-copy.go Outdated
CertificateRequestBlockType = "CERTIFICATE REQUEST"
)

// ---------------------------------------------------------------------------------------
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// ---------------------------------------------------------------------------------------

pkg/server/options/serving_with_loopback.go Outdated
Comment on lines 53 to 62
//
// NOTE: As part of the work to resolve https://issues.redhat.com/browse/OCPBUGS-61760
// and https://issues.redhat.com/browse/OCPBUGS-61759 it was decided that copying
// the loopback certification creation utility function to a local
// utility function would save significant effort over cherry-picking
// the fix from https://github.com/kubernetes/kubernetes/pull/130047 to
// https://github.com/openshift/kubernetes-client-go .
// We don't expect to backport many changes on top of this and it seemed
// lower risk than switching impacted modules to our fork of client-go.
certPem, keyPem, err := GenerateSelfSignedCertKey(server.LoopbackClientServerNameOverride, nil, nil)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe keep the full explanation in the new file and leave an end-of-line comment here (like "use forked GenerateSelfSignedCertKey with extended expiry"), to minimize the diff surface for future rebases?

pkg/server/options/client-go-certutil-copy.go Outdated
Comment on lines 17 to 24
// NOTE: As part of the work to resolve https://issues.redhat.com/browse/OCPBUGS-61760
// and https://issues.redhat.com/browse/OCPBUGS-61759 it was decided that copying
// the loopback certification creation utility function to a local
// utility function would save significant effort over cherry-picking
// the fix from https://github.com/kubernetes/kubernetes/pull/130047 to
// https://github.com/openshift/kubernetes-client-go .
// We don't expect to backport many changes on top of this and it seemed
// lower risk than switching impacted modules to our fork of client-go.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Much more significant than the effort of backporting that change separately is that we'd also need to make all aggregated API servers start using that client-go fork. Unlike the fork of the apiserver module, almost nothing depends on a client-go fork (https://github.com/search?q=org%3Aopenshift+openshift%2Fkubernetes-client-go+language%3A%22Go+Module%22&type=code&l=Go+Module).

Let's be clear at the top as well that the only diff we expect in GenerateSelfSignedCertKeyWithFixtures vs. client-go's v1.31.1 source is the maxAge line. I just verified it myself:

-// GenerateSelfSignedCertKeyWithFixtures creates a self-signed certificate and key for the given host.
-// Host may be an IP or a DNS name. You may also specify additional subject alt names (either ip or dns names)
-// for the certificate.
-//
-// If fixtureDirectory is non-empty, it is a directory path which can contain pre-generated certs. The format is:
-// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.crt
-// <host>_<ip>-<ip>_<alternateDNS>-<alternateDNS>.key
-// Certs/keys not existing in that directory are created.
 func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, alternateDNS []string, fixtureDirectory string) ([]byte, []byte, error) {
 	validFrom := time.Now().Add(-time.Hour) // valid an hour earlier to avoid flakes due to clock skew
-	maxAge := time.Hour * 24 * 365          // one year self-signed certs
+
+	// NOTE: Modified from the original of 1 year to 3 years to fix
+	// - https://issues.redhat.com/browse/OCPBUGS-61760
+	// - https://issues.redhat.com/browse/OCPBUGS-61759
+	// Achieves the same result as the upstream change in https://github.com/kubernetes/kubernetes/pull/130047
+	maxAge := time.Hour * 24 * (3*365 + 1) // three year self-signed certs
 
 	baseName := fmt.Sprintf("%s_%s_%s", host, strings.Join(ipsToStrings(alternateIPs), "-"), strings.Join(alternateDNS, "-"))
 	certFixturePath := filepath.Join(fixtureDirectory, baseName+".crt")
@@ -228,3 +181,12 @@
 	}
 	return ss
 }

@everettraven everettraven force-pushed the bugfix/loopback-cert-3years-4.18 branch 2 times, most recently from 5cdf722 to 158711c Compare October 24, 2025 12:20
@everettraven everettraven changed the title UPSTREAM: <carry>: extend loopback certificate validity to three years OCPBUGS-63532: UPSTREAM: <carry>: extend loopback certificate validity to three years Oct 24, 2025
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Oct 24, 2025
@openshift-ci-robot
Copy link

@everettraven: This pull request references Jira Issue OCPBUGS-63532, which is invalid:

  • expected Jira Issue OCPBUGS-63532 to depend on a bug in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Updates the loopback certificate generation logic to extend the certificate validity to three years as a basis to fix both https://issues.redhat.com/browse/OCPBUGS-61760 and https://issues.redhat.com/browse/OCPBUGS-61759.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link

@everettraven: This pull request references Jira Issue OCPBUGS-63532, which is invalid:

  • expected dependent Jira Issue OCPBUGS-63482 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Updates the loopback certificate generation logic to extend the certificate validity to three years as a basis to fix both https://issues.redhat.com/browse/OCPBUGS-61760 and https://issues.redhat.com/browse/OCPBUGS-61759.

Verified by:

Manually verified using the steps in the bug against a cluster bot cluster launched with all three PRs.

openshift-apiserver certificate:

$> oc rsh -n openshift-apiserver apiserver-bb69ccd98-bncq5 curl --resolve apiserver-loopback-client:8443:127.0.0.1 https://apiserver-loopback-client:8443 -v -k | grep "Server certificate" -A 5

Defaulted container "openshift-apiserver" out of: openshift-apiserver, openshift-apiserver-check-endpoints, fix-audit-permissions (init)
* Server certificate:
*  subject: CN=apiserver-loopback-client@1761308522
*  start date: Oct 24 11:22:02 2025 GMT
*  expire date: Oct 24 11:22:02 2028 GMT
*  issuer: CN=apiserver-loopback-client-ca@1761308522
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.

oauth-apiserver certificate:

$>  oc rsh -n openshift-oauth-apiserver apiserver-5b55966fc5-gkf6k curl --resolve apiserver-loopback-client:8443:127.0.0.1 https://apiserver-loopback-client:8443 -v -k | grep "Server certificate" -A 5

Defaulted container "oauth-apiserver" out of: oauth-apiserver, fix-audit-permissions (init)
* Server certificate:
*  subject: CN=apiserver-loopback-client@1761308234
*  start date: Oct 24 11:17:14 2025 GMT
*  expire date: Oct 24 11:17:14 2028 GMT
*  issuer: CN=apiserver-loopback-client-ca@1761308234
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@everettraven
UPSTREAM: <carry>: extend loopback certificate validity to three years
c36d827 
Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
@everettraven everettraven force-pushed the bugfix/loopback-cert-3years-4.18 branch from 158711c to c36d827 Compare October 24, 2025 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@tkashem tkashem Awaiting requested review from tkashem

1 more reviewer

@benluddy benluddy benluddy left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@everettraven @openshift-ci-robot @benluddy