Type: Bug
Resolution: Done
Priority: Normal
Affects Version: 4.10
Description of problem:
Initially, an OCP 4.9 cluster was configured with an LDAP identity provider (IDP). The LDAP server had a certificate without a Subject Alternative Name (SAN), which caused login failures after upgrading to OpenShift 4.10. This was resolved by correcting the certificate on the LDAP server side to carry the hostname as a SAN, as described in KCS https://access.redhat.com/solutions/6786941. However, the authentication CO status still reports: "message: Cluster operator authentication should not be upgraded between minor versions: InvalidProviderInvalidCertsUpgradeable: Server certificates without SAN detected: {provider="LDAP"}. These have to be replaced to include the respective hosts in their SAN extension and not rely on the Subject's CN for the purpose of hostname verification". Login works correctly, so this condition is stale; it triggers a false alert and should be removed from the spec.status field of the authentication CO.
Version-Release number of selected component (if applicable):
How reproducible:
Reproducible
Steps to Reproduce:
1. Configure LDAP (with certificates that have no SAN) as an IDP on a cluster of version 4.9.
2. Upgrade the cluster to 4.10, then correct the certificate on the LDAP server side so that it carries the hostname as a SAN.
3. Check the status of the authentication CO:
   $ oc get co authentication -o json | jq '.status.conditions'
Actual results:
- lastTransitionTime: "2023-03-01T08:15:44Z"
  message: 'AuthenticatorCertKeyProgressing: All is well'
  reason: AsExpected
  status: "False"
  type: Progressing
- lastTransitionTime: "2023-03-02T01:01:24Z"
  message: All is well
  reason: AsExpected
  status: "True"
  type: Available
- lastTransitionTime: "2022-12-22T09:03:06Z"
  message: 'InvalidProviderInvalidCertsUpgradeable: Server certificates without SAN detected: {provider="LDAP"}. These have to be replaced to include the respective hosts in their SAN extension and not rely on the Subject''s CN for the purpose of hostname verification.'
  reason: InvalidProviderInvalidCerts_InvalidCertsDetected
  status: "False"
  type: Upgradeable
extension: null
Expected results:
The spec.status field of the authentication CO should no longer contain this message once the certificate has been corrected, because the stale condition triggers false alerts.
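Two checks a practitioner would want here, as an added example that is not part of the bug report: the first verifies that a server certificate (in the dict shape Python's ssl.getpeercert() returns) names the LDAP host in its SAN extension rather than only in the Subject CN, which is the property the KCS fix restores; the second parses the authentication ClusterOperator conditions (reconstructed from the actual results above) and reports whether the InvalidProviderInvalidCerts Upgradeable=False condition is still present. The hostnames are constructed placeholders.

```python
import fnmatch
import json
import re

# Certificates in the dict shape returned by ssl.SSLSocket.getpeercert();
# the hostnames are constructed for this example, not from a real server.
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ldap.example.com")),
}

# Conditions constructed from the "Actual results" block of this bug report.
AUTH_CO_JSON = json.dumps({"status": {"conditions": [
    {"type": "Available", "status": "True", "reason": "AsExpected",
     "message": "All is well"},
    {"type": "Upgradeable", "status": "False",
     "reason": "InvalidProviderInvalidCerts_InvalidCertsDetected",
     "message": "InvalidProviderInvalidCertsUpgradeable: Server certificates "
                "without SAN detected: {provider=\"LDAP\"}. These have to be "
                "replaced to include the respective hosts in their SAN extension."},
]}})

def san_matches_host(cert, host):
    """True only if a DNS SAN entry covers host; the Subject CN is ignored, as
    the condition message says OpenShift 4.10 no longer falls back to it."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        if pattern.startswith("*."):
            # a wildcard covers exactly one extra label, never "a.b.<base>"
            if host.count(".") == pattern.count(".") and fnmatch.fnmatchcase(host, pattern):
                return True
        elif host == pattern:
            return True
    return False

def stale_cert_providers(co_json):
    """Providers named by a lingering InvalidProviderInvalidCerts Upgradeable=False
    condition, or [] once the ClusterOperator has cleared it."""
    for cond in json.loads(co_json)["status"]["conditions"]:
        if (cond["type"] == "Upgradeable" and cond["status"] == "False"
                and cond["reason"].startswith("InvalidProviderInvalidCerts")):
            return re.findall(r'provider="([^"]+)"', cond["message"])
    return []
```

Run the first check against the live LDAP endpoint's getpeercert() output before expecting the condition to clear; if it still returns False, the certificate, not the operator, is the problem.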
Additional info:
The same issue was addressed in https://bugzilla.redhat.com/show_bug.cgi?id=2037274#c23 and was fixed in OpenShift Container Platform 4.9.25.
Depends on: OCPBUGS-13732 InvalidProviderInvalidCertsUpgradeable: Server certificates without SAN detected: {provider="LDAP"}. (Closed)