In RHOCP 3.11, when are new CertificateSigningRequests (CSRs) generated for the nodes?


Environment

  • Red Hat OpenShift Container Platform
    • 3.11

Issue

  • Node certificates were not auto-renewed and the cluster nodes went into the NotReady state. Manual intervention was required to get the nodes back into the Running state.
  • To avoid this problem, can one create node CSRs a few days before expiry, or find out the date when new CSRs will be generated automatically?

Resolution

  • By default, the kubelet requests new Certificate Signing Requests (CSRs) between 105 and 35 days before the certificate expires.
  • One can check the code to confirm this.

OR

  • To find out when the certificates expire and when the kubelet will request the next CSRs, check the atomic-openshift-node logs on the respective nodes using the command below:
$ journalctl -u atomic-openshift-node | grep certificate_manager.go

Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193658   23965 certificate_manager.go:216] Certificate rotation is enabled.
Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193931   23965 certificate_manager.go:360] Certificate expiration is 2022-07-11 22:38:00 +0000 UTC, rotation deadline is 2022-05-28 23:57:20.867036872 +0000 UTC
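
The log line above can be checked automatically so that a node whose rotation deadline has passed is noticed before the certificate expires. The following is an added example, not code from Red Hat or the kubelet; the function names and status labels are hypothetical, and it assumes the timestamp format shown in the excerpt.

```python
import re
from datetime import datetime, timedelta, timezone

# The two kubelet log lines from the excerpt above.
SAMPLE_LOG = """\
Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193658   23965 certificate_manager.go:216] Certificate rotation is enabled.
Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193931   23965 certificate_manager.go:360] Certificate expiration is 2022-07-11 22:38:00 +0000 UTC, rotation deadline is 2022-05-28 23:57:20.867036872 +0000 UTC
"""

# Assumption: timestamps are always printed as "+0000 UTC", as in the excerpt.
_TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.(\d+))? \+0000 UTC"
_LINE = re.compile(
    r"certificate_manager\.go:\d+\] Certificate expiration is " + _TS
    + r", rotation deadline is " + _TS
)

def _parse_ts(base, frac):
    """Parse one timestamp; nanoseconds are truncated to microseconds."""
    ts = datetime.strptime(base, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        ts += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return ts

def rotation_schedule(log_text):
    """Return (expiration, deadline) from the newest matching line, or None."""
    found = None
    for m in _LINE.finditer(log_text):
        found = (_parse_ts(m[1], m[2]), _parse_ts(m[3], m[4]))
    return found

def assess(log_text, now):
    """Classify a node's certificate state at time `now` (timezone-aware UTC)."""
    sched = rotation_schedule(log_text)
    if sched is None:
        return {"status": "no-rotation-info"}
    expiration, deadline = sched
    lead_days = (expiration - deadline).total_seconds() / 86400
    if now >= expiration:
        status = "expired"
    elif now >= deadline:
        status = "rotation-due"  # a new CSR should already have been requested
    else:
        status = "ok"
    return {"status": status, "expiration": expiration, "deadline": deadline,
            "lead_days": round(lead_days, 1),
            "in_default_window": 35 <= lead_days <= 105}

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, datetime.now(timezone.utc)))
```

For the excerpt, the rotation deadline falls about 43.9 days before expiration, inside the default 105 to 35 day window.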
