Configuring certificate rotation

Configure certificate rotation parameters to replace existing certificates.

Configuring certificate rotation

You can do this during OKD Virtualization installation in the web console or after installation in the HyperConverged custom resource (CR).

Procedure

  1. Open the HyperConverged CR by running the following command:

    1. $ oc edit hco -n openshift-cnv kubevirt-hyperconverged

  2. Edit the spec.certConfig fields as shown in the following example. To avoid overloading the system, ensure that all values are greater than or equal to 10 minutes. Express all values as strings that comply with the golang ParseDuration format.

    1. apiVersion: hco.kubevirt.io/v1beta1
    2. kind: HyperConverged
    3. metadata:
    4.  name: kubevirt-hyperconverged
    5.  namespace: openshift-cnv
    6. spec:
    7.   certConfig:
    8.     ca:
    9.       duration: 48h0m0s
    10.       renewBefore: 24h0m0s (1)
    11.     server:
    12.       duration: 24h0m0s  (2)
    13.       renewBefore: 12h0m0s  (3)
    1The value of ca.renewBefore must be less than or equal to the value of ca.duration.
    2The value of server.duration must be less than or equal to the value of ca.duration.
    3The value of server.renewBefore must be less than or equal to the value of server.duration.

  3. Apply the YAML file to your cluster.

Troubleshooting certificate rotation parameters

Deleting one or more certConfig values causes them to revert to the default values, unless the default values conflict with one of the following conditions:

  • The value of ca.renewBefore must be less than or equal to the value of ca.duration.

  • The value of server.duration must be less than or equal to the value of ca.duration.

  • The value of server.renewBefore must be less than or equal to the value of server.duration.

If the default values conflict with these conditions, you will receive an error.

If you remove the server.duration value in the following example, the default value of 24h0m0s is greater than the value of ca.duration, conflicting with the specified conditions.

Example

  1. certConfig:
  2.    ca:
  3.      duration: 4h0m0s
  4.      renewBefore: 1h0m0s
  5.    server:
  6.      duration: 4h0m0s
  7.      renewBefore: 4h0m0s

This results in the following error message:

  1. error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig: ca.duration is smaller than server.duration

The error message only mentions the first conflict. Review all certConfig values before you proceed.