The PowerFlex gateway SSL certificate expires every 90 days, causing the CSI Driver to fail.
Summary: The PowerFlex gateway Secure Sockets Layer (SSL) certificate expires every 90 days. This affects the Container Storage Interface (CSI) Driver for PowerFlex deployments that use this certificate. ...
Symptoms
When the certificate stored in the secret expires, driver deployments fail. The PowerFlex driver node pods and controller pods go into a "CrashLoopBackOff" state because they fail to verify the certificate, and users are unable to provision volumes.
All pods are displayed as "CrashLoopBackOff".
In the logs, you will see: Get "https://x.x.x.x/api/login": tls: failed to verify certificate: x509: certificate signed by unknown authority
Cause
The command below retrieves the PowerFlex gateway certificate. However, this certificate expires every 90 days.
openssl s_client -showcerts -connect <Gateway IP:Port> </dev/null 2>/dev/null | openssl x509 -outform PEM > ca_cert_0.pem
Resolution
Workaround:
If users encounter issues accessing the driver due to an expired or revoked certificate, they can follow these steps to resolve the problem:
1. Update the certificate in secret using the following command:
kubectl create secret generic vxflexos-certs-0 -n vxflexos --from-file=cert-0=ca_cert_0.pem -o yaml --dry-run=client | kubectl replace -f -
2. Restart the driver to ensure that the latest updated secret is used to validate the SSL certificate returned by the server.
These steps help ensure that the driver can establish secure connections with the server using the updated certificate.
If the secret contains a PowerFlex gateway SSL certificate and the user wants to replace it with the Platform Root Certificate Authority (CA) certificate:
1. Obtain the certificate (Platform Root CA) using this command:
kubectl get secret -n powerflex ca-key-secret -o jsonpath="{.data.tls\.crt}" | base64 -d > ./pfmp_platform_ca.crt
2. Replace the secret.
3. Then restart the driver by deleting the driver pods. All pods should be in the "Running" state, with none in a "CrashLoopBackOff" state.
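Because the failure only shows up once the certificate has already expired, the certificate held in the secret can be checked ahead of time and rotated with the steps above. This is an added example, not part of the original article or of Dell's tooling; the function names and the 14-day warning threshold are assumptions, while the secret name, namespace and key are the ones used in the commands above.

```shell
# Added example: report how close a certificate is to expiry.
# WARN_DAYS is an assumed threshold; choose one that fits your rotation process.
WARN_DAYS="${WARN_DAYS:-14}"

# cert_status <pem-file> [warn-days]
# Prints one of: ok | expiring | expired | unreadable
# Only the first certificate in the file is examined.
cert_status() {
  cs_pem="$1"
  cs_days="${2:-$WARN_DAYS}"
  # A missing file or non-certificate content must not be reported as healthy.
  if ! openssl x509 -in "$cs_pem" -noout >/dev/null 2>&1; then
    echo unreadable
    return 0
  fi
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$cs_pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$cs_pem" -noout \
         -checkend "$((cs_days * 86400))" >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
}

# secret_cert_status <namespace> <secret> <key> [warn-days]
# Decodes the certificate stored in a Kubernetes secret and classifies it.
# A missing secret or key yields "unreadable".
secret_cert_status() {
  scs_tmp="$(mktemp)" || return 1
  kubectl get secret -n "$1" "$2" \
    -o go-template="{{index .data \"$3\"}}" 2>/dev/null \
    | base64 -d > "$scs_tmp" 2>/dev/null || :
  cert_status "$scs_tmp" "${4:-$WARN_DAYS}"
  rm -f "$scs_tmp"
}

# Usage, with the names from the commands above:
#   cert_status ca_cert_0.pem
#   secret_cert_status vxflexos vxflexos-certs-0 cert-0
```

Running secret_cert_status on a schedule and alerting on anything other than "ok" gives time to refresh the secret and restart the driver before the pods start failing certificate verification.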
Resolution:
This issue is expected to be fixed in PowerFlex 4.6.x.