In RHOCP 3.11, when are new CertificateSigningRequests (CSRs) generated for the nodes?
Environment
- Red Hat OpenShift Container Platform
- 3.11
Issue
- Node certificates were not auto-renewed and the cluster nodes went into NotReady state. Manual intervention was required to get the nodes back into Running state.
- To avoid this problem, can one create node CSRs a few days before expiry, or know the date when new CSRs will be generated automatically?
Resolution
- By default, kubelet will request the Certificate Signing Requests (CSRs) between 105 and 35 days before expiration.
- One can check the code for the same.
OR
- To know the expiry of the certificates and when the kubelet will request the next CSRs, check the atomic-openshift-node logs on the respective nodes using the command below:
$ journalctl -u atomic-openshift-node | grep certificate_manager.go
Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193658 23965 certificate_manager.go:216] Certificate rotation is enabled.
Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193931 23965 certificate_manager.go:360] Certificate expiration is 2022-07-11 22:38:00 +0000 UTC, rotation deadline is 2022-05-28 23:57:20.867036872 +0000 UTC
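The following is an added example, not part of the original solution and not Red Hat or Kubernetes code: a small Python check that parses the `certificate_manager.go` line shown above and reports whether a node's rotation deadline is still ahead, close, or already passed. The function names, state labels and the 7-day warning threshold are assumptions chosen for illustration.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# One Go-formatted timestamp, e.g. "2022-05-28 23:57:20.867036872 +0000 UTC".
# Fractional seconds are matched but dropped; the numeric offset is kept.
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?:\.\d+)? ([+-]\d{4}) [^,\s]+"
LINE_RE = re.compile("Certificate expiration is " + TS + ", rotation deadline is " + TS)

# Constructed sample input: the two log lines shown in this article.
SAMPLE = [
    "Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193658 23965 certificate_manager.go:216] Certificate rotation is enabled.",
    "Jul 12 09:57:50 master1.example.com atomic-openshift-node[23965]: I0712 09:57:50.193931 23965 certificate_manager.go:360] Certificate expiration is 2022-07-11 22:38:00 +0000 UTC, rotation deadline is 2022-05-28 23:57:20.867036872 +0000 UTC",
]


def parse_rotation(line):
    """Return (expiration, rotation_deadline) as aware datetimes, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    exp_s, exp_tz, dl_s, dl_tz = m.groups()
    fmt = "%Y-%m-%d %H:%M:%S %z"
    return (datetime.strptime(exp_s + " " + exp_tz, fmt),
            datetime.strptime(dl_s + " " + dl_tz, fmt))


def rotation_status(lines, now, warn_days=7):
    """Classify a node from its most recent expiration/deadline log line."""
    parsed = [p for p in map(parse_rotation, lines) if p]
    if not parsed:
        return "UNKNOWN", None
    expiration, deadline = parsed[-1]
    lead_days = (expiration - deadline).days  # days before expiry the CSR is due
    if now >= expiration:
        state = "EXPIRED"
    elif now >= deadline:
        # Assumption: a deadline in the past on the newest line means the
        # renewal has not completed yet, so look for pending node CSRs.
        state = "ROTATION_OVERDUE"
    elif deadline - now <= timedelta(days=warn_days):
        state = "ROTATION_SOON"
    else:
        state = "OK"
    return state, lead_days


if __name__ == "__main__":
    # Pipe in `journalctl -u atomic-openshift-node`, or run on the sample.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print(rotation_status(lines, datetime.now(timezone.utc)))
```

For the sample line, the rotation deadline falls 43 full days before expiration, inside the 105 to 35 day window stated in the Resolution.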