Description of problem:

In a ROSA (AWS) cluster, the nodes have a custom DNS name:

❯ k get no 
NAME                                   STATUS   ROLES                  AGE    VERSION
ip-10-83-112-113.${REDACTED}   Ready    control-plane,master   18h    v1.27.9+e36e183
...

due to the usage of a custom domain name in an AWS DHCP Options Set attached to the VPC. However, OVN and multus are creating CSRs with a node name as if the DHCP Options Set did not exist and thus always get denied:

csr-zzgr2   15m     kubernetes.io/kube-apiserver-client   system:multus:ip-10-83-112-99.us-east-2.compute.internal      24h                 Denied
csr-zzwh6   21m     kubernetes.io/kube-apiserver-client   system:ovn-node:ip-10-83-112-17.us-east-2.compute.internal    24h                 Denied 

Version-Release number of selected component (if applicable):

4.14.10

How reproducible:

Unknown

Steps to Reproduce:

In the case of this specific cluster:

1. Have a 4.13.30 cluster

2. Modify the cluster's VPC's DHCP Options set's domain name (via detaching and attaching a new one)

3. Attempt an upgrade to 4.14.10

Actual results:

ovnkube-node and multus are generating CSRs that do not match the node's name and get all CSRs denied.

csr-zzgr2   15m     kubernetes.io/kube-apiserver-client   system:multus:ip-10-83-112-99.us-east-2.compute.internal      24h                 Denied csr-zzwh6   21m     kubernetes.io/kube-apiserver-client   system:ovn-node:ip-10-83-112-17.us-east-2.compute.internal    24h                 Denied  

Expected results:

ovnkube-node and multus generate CSRs that match the underlying node's name

Additional info:

Please fill in the following template while reporting a bug and provide as much relevant information as possible. Doing so will give us the best chance to find a prompt resolution.

Affected Platforms:

• ROSA (SD), must-gather will be attached in the comments.