
Can recert be used instead of using patch openshift operators?

Open cfergeau opened this issue 1 year ago • 3 comments

We currently patch 2 OpenShift operators in order to get certificates with 1 year validity. The recert tool has an option to extend the lifetime of a cluster certificate (https://github.com/rh-ecosystem-edge/recert/blob/18d3284fa05747d6fb840b416bdcb7213dfa13a0/src/config/cli.rs#L185-L188); maybe it could be used instead of our patched operators. I have some memories of OpenShift components rejecting certs valid for more than a month, but I don't know if this is still the case on newer OpenShift versions.

recert also has options to change the pull secret, the kubeadmin password, ... It can do this while kubelet is not running, and does its best to ensure costly container recreations will not be needed to use the new config. It could also be useful to look at whether this can be used to replace some crc code in a more efficient way (i.e. faster cluster startup).

cfergeau · Dec 19 '24 16:12

FWIW, not sure if this could fit our current flow on generate / regenerate certs, but I thought the first time I saw recert that you can pass a Root CA and it will generate certificates from it.

This feature is especially interesting in some strict environments where that is a requirement. Not sure if it should be an option when running snc to create the bundle (meaning if you pass a Root CA, the certs on the bundle will have it as Root) or, as you said, this could even be used on startup of the machine (crc start) before kubelet is started???

adrianriobo · Dec 19 '24 16:12

https://github.com/crc-org/crc/issues/3893: we created this some time back, so maybe we need to revisit it.

praveenkumar · Dec 24 '24 06:12

Ah I knew it existed somewhere, thanks!

cfergeau · Jan 09 '25 12:01