
API service certificate rotation logic needs improvement

Open perdasilva opened this issue 3 years ago • 0 comments

The complete context can be seen in the bz. Essentially, if the package server pod gets killed, the csv moves to a Failed state and progresses forward to Succeeded. During the InstallReady phase, the installer would not rotate the csv if the certificate has not expired yet. BUT, the csv status fields were still being updated, moving the rotatedAt out another 2 years. This creates skew between the certificate's rotation time and what's in the csv status. However, the operator decides when to rotate the certificate based on the status.RotateAt, which would in turn push out the rotation erroneously.

#2752 mitigates the issue. But the code needs refactoring.

perdasilva, Apr 29 '22 16:04
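The skew described in the issue, reproduced as an added example (not OLM code and not the change in #2752). The `Cert` and `Status` types, the function names, the one-day rotation lead and the timestamps are all hypothetical; the two-year lifetime follows the "another 2 years" in the report.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical model, not OLM's types: a serving cert and the status that mirrors it.
type Cert struct{ NotBefore, NotAfter time.Time }
type Status struct{ LastUpdated, RotateAt time.Time }

const (
	validity   = 2 * 365 * 24 * time.Hour // assumed two-year certificate lifetime
	rotateLead = 24 * time.Hour           // assumed: rotate one day before expiry
)

// shouldRotate mirrors the issue: the decision is driven by status, not the cert.
func shouldRotate(s Status, now time.Time) bool { return !now.Before(s.RotateAt) }

// installBuggy refreshes status on every install pass, even when the cert is kept.
func installBuggy(c Cert, s Status, now time.Time) (Cert, Status) {
	if shouldRotate(s, now) {
		c = Cert{now, now.Add(validity)}
	}
	return c, Status{now, now.Add(validity - rotateLead)}
}

// installFixed touches status only when a new cert was actually issued.
func installFixed(c Cert, s Status, now time.Time) (Cert, Status) {
	if !shouldRotate(s, now) {
		return c, s
	}
	c = Cert{now, now.Add(validity)}
	return c, Status{now, c.NotAfter.Add(-rotateLead)}
}

// skewAfterRestart issues a cert at t0, replays one install pass a year later
// (pod killed, CSV goes Failed and back), and returns RotateAt minus NotAfter.
func skewAfterRestart(install func(Cert, Status, time.Time) (Cert, Status)) time.Duration {
	t0 := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timestamp
	c := Cert{t0, t0.Add(validity)}
	s := Status{t0, c.NotAfter.Add(-rotateLead)}
	c, s = install(c, s, t0.Add(365*24*time.Hour))
	return s.RotateAt.Sub(c.NotAfter)
}

func main() {
	fmt.Println("buggy skew:", skewAfterRestart(installBuggy)) // positive: rotation lands after expiry
	fmt.Println("fixed skew:", skewAfterRestart(installFixed)) // negative: rotation precedes expiry
}
```

A positive skew means the status-driven rotation time falls after the certificate's real expiry, so the API service would present an expired certificate before the operator acts.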