Old Secrets in "openshift-kube-*" namespace are not deleted by pruner

Solution Verified - Updated -

Issue

  • In an openshift-kube-* namespace, expired certificates can still be found in Secrets named serving-cert-* even when the current revision is significantly higher:

    $ for i in $(oc get secrets -n openshift-kube-controller-manager | grep serving | awk '{print $1}'); do echo "certName: $i" && oc get secrets -n openshift-kube-controller-manager $i -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates -issuer -subject && echo ""; done
    certName: serving-cert
    notBefore=Feb 22 14:08:09 2024 GMT
    notAfter=Feb 21 14:08:10 2026 GMT
    issuer=CN = openshift-service-serving-signer@1674482820
    subject=CN = kube-controller-manager.openshift-kube-controller-manager.svc
    
    certName: serving-cert-2
    notBefore=Jan 23 14:07:17 2023 GMT
    notAfter=Jan 22 14:07:18 2025 GMT
    issuer=CN = openshift-service-serving-signer@1674482820
    subject=CN = kube-controller-manager.openshift-kube-controller-manager.svc
    [..]
    
    certName: serving-cert-33
    notBefore=Feb 22 14:08:09 2024 GMT
    notAfter=Feb 21 14:08:10 2026 GMT
    issuer=CN = openshift-service-serving-signer@1674482820
    subject=CN = kube-controller-manager.openshift-kube-controller-manager.svc
    [..]
    
  • Why are old Secrets of old revisions not deleted?
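The loop above prints one block of openssl output per serving-cert-* Secret, and with dozens of revisions it is easy to miss which ones actually hold expired certificates. The following helper is an added example (not part of the Red Hat article): it parses that output format, extracts the revision number from the Secret name, and reports which certificates are expired at a given point in time. The sample text is constructed to mirror the article's output and does not come from a real cluster.

```python
"""Triage helper for serving-cert-* Secrets (added example, not from the KB article).

It reads the text the article's oc/openssl loop prints (a 'certName:' line followed by
notBefore/notAfter/issuer/subject lines) and flags which Secrets hold expired certs.
"""
import re
from datetime import datetime, timezone

# Constructed sample that mirrors the article's loop output; not real cluster data.
SAMPLE_OUTPUT = """\
certName: serving-cert
notBefore=Feb 22 14:08:09 2024 GMT
notAfter=Feb 21 14:08:10 2026 GMT
issuer=CN = openshift-service-serving-signer@1674482820
subject=CN = kube-controller-manager.openshift-kube-controller-manager.svc

certName: serving-cert-2
notBefore=Jan 23 14:07:17 2023 GMT
notAfter=Jan 22 14:07:18 2025 GMT
issuer=CN = openshift-service-serving-signer@1674482820
subject=CN = kube-controller-manager.openshift-kube-controller-manager.svc

certName: serving-cert-33
notBefore=Feb 22 14:08:09 2024 GMT
notAfter=Feb 21 14:08:10 2026 GMT
issuer=CN = openshift-service-serving-signer@1674482820
subject=CN = kube-controller-manager.openshift-kube-controller-manager.svc
"""

# Date layout printed by `openssl x509 -dates`, e.g. "Feb 21 14:08:10 2026 GMT".
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_date(value: str) -> datetime:
    """Parse an openssl notBefore/notAfter value into an aware UTC datetime."""
    # strptime accepts 'GMT' for %Z but leaves tzinfo unset, so attach UTC explicitly.
    return datetime.strptime(value.strip(), OPENSSL_DATE).replace(tzinfo=timezone.utc)


def revision_of(secret_name: str):
    """Return the numeric revision suffix of serving-cert-N, or None for plain serving-cert."""
    match = re.fullmatch(r"serving-cert-(\d+)", secret_name)
    return int(match.group(1)) if match else None


def parse_records(text: str) -> list:
    """Split the loop output into one dict per Secret (name plus the key=value lines)."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("certName:"):
            current = {"name": line.split(":", 1)[1].strip()}
            records.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return records


def classify(text: str, now_iso: str) -> list:
    """Return records sorted by revision with an 'expired' flag relative to now_iso (ISO 8601)."""
    now = datetime.fromisoformat(now_iso)
    result = []
    for rec in parse_records(text):
        not_after = parse_openssl_date(rec["notAfter"])
        result.append({
            "name": rec["name"],
            "revision": revision_of(rec["name"]),
            "notAfter": not_after.isoformat(),
            "expired": not_after <= now,
        })
    # Plain 'serving-cert' (the live copy) first, then revisions in ascending order.
    return sorted(result, key=lambda r: (r["revision"] is not None, r["revision"] or 0))


def expired_names(text: str, now_iso: str) -> list:
    """Names of Secrets whose certificate had already expired at now_iso."""
    return [r["name"] for r in classify(text, now_iso) if r["expired"]]


if __name__ == "__main__":
    for r in classify(SAMPLE_OUTPUT, datetime.now(timezone.utc).isoformat()):
        state = "EXPIRED" if r["expired"] else "valid"
        print(f"{r['name']:<20} rev={r['revision']!s:<5} notAfter={r['notAfter']} {state}")
```

To use it against a live cluster, redirect the article's loop output to a file and pass its contents to `classify()` with the current time; the revision column makes it obvious which leftover Secrets predate the current revision.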

Environment

  • Red Hat OpenShift Container Platform (OCP) 4.15
