
MCO & Node 4.19 Release Notes #92358


wants to merge 15 commits into
base: enterprise-4.19
10 changes: 10 additions & 0 deletions release_notes/ocp-4-19-release-notes.adoc
@@ -427,6 +427,16 @@ Starting in {product-title} 4.14, Extended Update Support (EUS) is extended to t
[id="ocp-release-notes-machine-config-operator_{context}"]
=== Machine Config Operator

[id="ocp-release-notes-machine-config-operator-cert-changes_{context}"]
==== Changes to the Machine Config Operator
The Machine Config Server (MCS) CA bundle created by the installation program is now stored in the `machine-config-server-ca` config map in the `openshift-machine-config-operator` namespace. The bundle was previously stored in the `root-ca` configmap in the `kube-system namespace`. The `root-ca` configmap is no longer used in a cluster that cluster upgrades to {product-title} {product-version}. This change was made to make it clear that this CA bundle is managed by the Machine Config Operator (MCO).

The MCS signing key is stored in the `machine-config-server-ca` secret in the `openshift-machine-config-operator` namespace.

The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon installation or upgrade to {product-title} {product-version}, the CA signing key is not retained. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.
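Review bot: the first paragraph of the new "Changes to the Machine Config Operator" section has two wording defects that will ship as written. The closing backtick on the old namespace sits after "namespace" (`kube-system namespace`), so the rendered output monospaces the word "namespace" too; it should read the `root-ca` config map in the `kube-system` namespace. The next sentence doubles the subject, "in a cluster that cluster upgrades to {product-title} {product-version}"; suggest "The `root-ca` config map is no longer used in a cluster that upgrades to {product-title} {product-version}." The same paragraph also mixes "config map" and "configmap"; pick one form. Since the text tells readers where the bundle and signing key now live, it would help to name the objects the way they would verify them, e.g. `oc get configmap machine-config-server-ca -n openshift-machine-config-operator` and `oc get secret machine-config-server-ca -n openshift-machine-config-operator`.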

Suggested change
The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon installation or upgrade to {product-title} {product-version}, the CA signing key is not retained. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.
The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon upgrade to {product-title} {product-version}, the CA signing key is not present. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period.

On installation to 4.19, all artifacts are present, so no immediate rotation should take place. On upgrades to 4.19, we can still expect a rotation to happen. Sorry about the misleading description of openshift/machine-config-operator#4669 - that was outdated. The jira comment is the most accurate depiction of what we've done.


For more information about the MCO certificates, see ../security_and_compliance/certificate-types-and-descriptions.adoc#cert-types-machine-config-operator-certificates

[id="ocp-release-notes-management-console_{context}"]
=== Management console

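Review bot: the closing "For more information" line points at a bare path, `../security_and_compliance/certificate-types-and-descriptions.adoc#cert-types-machine-config-operator-certificates`, with no xref macro and no terminating period, so it will render as literal text rather than a link. Suggest wrapping it in the AsciiDoc cross-reference form used elsewhere in this file, e.g. `xref:../security_and_compliance/certificate-types-and-descriptions.adoc#cert-types-machine-config-operator-certificates[Machine Config Operator certificates]`, and ending the sentence with a period.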