Maintenance Windows for Cert Renewal not working
Environment
- Red Hat AMQ Streams (AMQ Stream)
- 2.0
- Red Hat OpenShift Container Platform (RHOCP)
- 4.7
Issue
- A restart of the User Operator causes renewal of the user certificate in the KafkaUser secret, bypassing the maintenance window
Resolution
To prevent the User Operator from restarting, follow the AMQ Streams minimum sizing guide for an OpenShift development environment.
A feature enhancement request is open as Jira issue ENTMQST-3841 and should be fixed in 2.2.0.GA.
Root Cause
The maintenance window covers only CA renewals. It does not cover any renewals of user certificates in the User Operator.
Diagnostic Steps
Checking the namespace events, it is possible to see a failed liveness probe on the user-operator:
"2022-02-22T11:02:25Z spec.containers{user-operator} Unhealthy 12 Liveness probe failed: Get \"http://a.b.c.d:8081/healthy\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
and checking the user certificate:
reports/secrets$ cat testuser.yaml | sed 's/*//g' | yq '.data["user.crt"]' | sed 's/"//g' | base64 -d | openssl x509 -noout -startdate -enddate
notBefore=Feb 22 11:05:04 2022 GMT
notAfter=Jun 22 11:05:04 2022 GMT
shows that a renewal of the user certificate has been triggered (notBefore is minutes after the liveness probe failure).
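The correlation made in the diagnostic steps above, as an added shell example (not part of the original article or Red Hat's tooling): it reads notBefore from a saved KafkaUser secret and checks whether it falls shortly after the probe-failure event. The function names, the 600-second window and the generated sample secret are assumptions; it needs openssl, base64 and GNU date.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Assumes openssl, base64 and GNU date.

# Seconds between a probe-failure event and a certificate's notBefore.
# $1: notBefore as printed by openssl, $2: event timestamp (ISO 8601).
issue_delta() {
    issued=$(date -u -d "$1" +%s) || return 2
    event=$(date -u -d "$2" +%s) || return 2
    echo $((issued - event))
}

# Print notBefore of user.crt from a saved Secret manifest.
# Hypothetical helper; the sed pattern assumes a single-line user.crt value.
cert_not_before() {
    start=$(sed -n 's/^ *user\.crt: *//p' "$1" | tr -d '"' |
        base64 -d | openssl x509 -noout -startdate) || return 2
    echo "${start#notBefore=}"
}

# Exit 0 when the certificate in manifest $1 was issued within $3 seconds
# (default 600) after event $2, i.e. the restart re-issued it.
renewed_by_restart() {
    window=${3:-600}
    not_before=$(cert_not_before "$1") || return 2
    delta=$(issue_delta "$not_before" "$2") || return 2
    [ "$delta" -ge 0 ] && [ "$delta" -le "$window" ]
}

# Constructed sample: Secret manifest with a self-signed certificate issued
# now, standing in for a KafkaUser secret exported from the cluster.
make_sample_secret() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 120 -subj "/CN=testuser" \
        -keyout "$tmp/user.key" -out "$tmp/user.crt" 2>/dev/null || return 1
    printf 'kind: Secret\nmetadata:\n  name: testuser\ndata:\n  user.crt: %s\n' \
        "$(base64 < "$tmp/user.crt" | tr -d '\n')" > "$1"
    rm -rf "$tmp"
}

# Values shown on this page: event 11:02:25Z, notBefore 11:05:04 GMT.
issue_delta "Feb 22 11:05:04 2022 GMT" "2022-02-22T11:02:25Z"
```

A certificate whose notBefore lands outside every configured maintenance window but within minutes of a User Operator restart matches the behaviour described in the root cause.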