Configuring certificate rotation
Configure the certificate rotation parameters to control how long the OpenShift Virtualization CA and server certificates are valid and how far ahead of expiry they are replaced.
You can do this during OpenShift Virtualization installation in the web console or after installation in the HyperConverged custom resource (CR).
Prerequisites
- You have installed the OpenShift CLI (oc).
Procedure
- Open the HyperConverged CR by running the following command:
  $ oc edit hyperconverged kubevirt-hyperconverged -n openshift-cnv
- Edit the spec.certConfig fields as shown in the following example, which uses the default values. To avoid overloading the system with constant re-issuance, ensure that all values are greater than or equal to 10 minutes. Express all values as strings that comply with the golang ParseDuration format (for example, 48h0m0s or 30m; a day unit such as 2d is not accepted).
  apiVersion: hco.kubevirt.io/v1beta1
  kind: HyperConverged
  metadata:
    name: kubevirt-hyperconverged
    namespace: openshift-cnv
  spec:
    certConfig:
      ca:
        duration: 48h0m0s
        renewBefore: 24h0m0s
      server:
        duration: 24h0m0s
        renewBefore: 12h0m0s
  The values must satisfy the following conditions:
  - The value of ca.renewBefore must be less than or equal to the value of ca.duration.
  - The value of server.duration must be less than or equal to the value of ca.duration, because a server certificate must not outlive the CA certificate that signed it.
  - The value of server.renewBefore must be less than or equal to the value of server.duration.
  Shorter durations limit how long a leaked private key remains usable, at the cost of more frequent rotation.
- Apply updates to the HyperConverged CR by running the following command:
  $ oc apply -f <filename>.yaml
  For example:
  $ oc apply -f kubevirt-hyperconverged.yaml
  If you changed the CR directly in the editor opened by oc edit, the changes are applied when you save and exit the editor; use oc apply when you edited a copy of the CR saved to a file.
Troubleshooting certificate rotation parameters
Deleting one or more certConfig values in the HyperConverged custom resource (CR) causes those values to revert to their defaults.
If the default values conflict with one of the following conditions, you receive an error message instead:
- The value of ca.renewBefore must be less than or equal to the value of ca.duration.
- The value of server.duration must be less than or equal to the value of ca.duration.
- The value of server.renewBefore must be less than or equal to the value of server.duration.
For example, start from the following configuration, in which ca.duration is 4h0m0s:
apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: openshift-cnv
spec:
  # ...
  certConfig:
    ca:
      duration: 4h0m0s
      renewBefore: 1h0m0s
    server:
      duration: 4h0m0s
      renewBefore: 4h0m0s
  # ...
If you remove the server.duration value, it reverts to the default of 24h0m0s, which is greater than the 4h0m0s value of ca.duration and therefore violates the second condition.
This results in the following error message:
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig: ca.duration is smaller than server.duration
The error message reports only the first conflict that the webhook finds. Review all certConfig values, including the defaults that deleted fields revert to, before you proceed.
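As an added example, not part of the OpenShift documentation or of the HCO project's own code, the following Go program reproduces the checks from the procedure above and the troubleshooting scenario: it substitutes the defaults for any deleted field, parses each value with Go's time.ParseDuration (the format the CR requires), and reports every violated condition rather than only the first one the admission webhook returns. The default values and the 10-minute floor are taken from this page; SampleHCO is a constructed, trimmed object that reproduces the scenario with server.duration deleted, not real cluster output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Defaults the HCO restores when a certConfig field is deleted. These are the
// values shown in the procedure example on this page.
const (
	DefaultCADuration        = "48h0m0s"
	DefaultCARenewBefore     = "24h0m0s"
	DefaultServerDuration    = "24h0m0s"
	DefaultServerRenewBefore = "12h0m0s"
)

// MinDuration is the floor the page gives for every certConfig value.
const MinDuration = 10 * time.Minute

// CertSpec and CertConfig mirror spec.certConfig of the HyperConverged CR.
type CertSpec struct {
	Duration    string `json:"duration"`
	RenewBefore string `json:"renewBefore"`
}

type CertConfig struct {
	CA     CertSpec `json:"ca"`
	Server CertSpec `json:"server"`
}

// hyperConverged holds only the part of the `oc get ... -o json` output that
// this check needs.
type hyperConverged struct {
	Spec struct {
		CertConfig CertConfig `json:"certConfig"`
	} `json:"spec"`
}

// SampleHCO is a constructed, trimmed HyperConverged object (not real cluster
// output) reproducing the troubleshooting scenario with server.duration deleted.
const SampleHCO = `{"spec":{"certConfig":{
  "ca":     {"duration": "4h0m0s", "renewBefore": "1h0m0s"},
  "server": {"renewBefore": "4h0m0s"}}}}`

// Validate substitutes defaults for missing fields, parses each value in the Go
// ParseDuration format the CR requires, and returns every violated condition,
// not just the first one the admission webhook reports.
func Validate(cfg CertConfig) ([]string, error) {
	fields := []struct{ name, value, def string }{
		{"ca.duration", cfg.CA.Duration, DefaultCADuration},
		{"ca.renewBefore", cfg.CA.RenewBefore, DefaultCARenewBefore},
		{"server.duration", cfg.Server.Duration, DefaultServerDuration},
		{"server.renewBefore", cfg.Server.RenewBefore, DefaultServerRenewBefore},
	}
	var problems []string
	d := map[string]time.Duration{}
	for _, f := range fields {
		raw := f.value
		if raw == "" {
			raw = f.def // a deleted field reverts to its default
		}
		v, err := time.ParseDuration(raw)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", f.name, err)
		}
		if v < MinDuration {
			problems = append(problems,
				fmt.Sprintf("%s (%s) is less than the %s minimum", f.name, v, MinDuration))
		}
		d[f.name] = v
	}
	// The three ordering conditions listed on the page, each checked as lo <= hi.
	for _, c := range []struct{ lo, hi string }{
		{"ca.renewBefore", "ca.duration"},
		{"server.duration", "ca.duration"},
		{"server.renewBefore", "server.duration"},
	} {
		if d[c.lo] > d[c.hi] {
			problems = append(problems,
				fmt.Sprintf("%s (%s) must be less than or equal to %s (%s)", c.lo, d[c.lo], c.hi, d[c.hi]))
		}
	}
	return problems, nil
}

// ValidateJSON runs Validate on the JSON form of a HyperConverged object, as
// printed by `oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o json`.
func ValidateJSON(data []byte) ([]string, error) {
	var hco hyperConverged
	if err := json.Unmarshal(data, &hco); err != nil {
		return nil, err
	}
	return Validate(hco.Spec.CertConfig)
}

func main() {
	problems, err := ValidateJSON([]byte(SampleHCO))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(problems) == 0 {
		fmt.Println("certConfig is consistent")
	}
	for _, p := range problems {
		fmt.Println("violation:", p)
	}
}
```

To check a live cluster before applying an edit, replace SampleHCO with the output of oc get hyperconverged kubevirt-hyperconverged -n openshift-cnv -o json; the program accepts the whole object and reads only spec.certConfig. Unlike the webhook, it lists all conflicts at once, so a single pass is enough to correct the CR.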