-
Bug
-
Resolution: Done-Errata
-
Normal
-
4.15.z
-
No
-
False
-
Description of problem:
Invalid CN is not bubbled up in the CR
Version-Release number of selected component (if applicable):
4.15.0-rc7
How reproducible:
always
Steps to Reproduce:
# generate a key with invalid CN openssl genrsa -out myuser4.key 2048 openssl req -new -key myuser4.key -out myuser4.csr -subj "/CN=baduser/O=system:masters" # get cert in the CSR # apply the CSR # Status remains in Accepted, but it is not Issued % oc get csr | grep 29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr 29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr 4m29s hypershift.openshift.io/ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1.customer-break-glass system:admin 60m Approved # No status in the CSR status: conditions: - lastTransitionTime: "2024-02-16T14:06:41Z" lastUpdateTime: "2024-02-16T14:06:41Z" message: The requisite approval resource exists. reason: ApprovalPresent status: "True" type: Approved # pki controller shows the error oc logs control-plane-pki-operator-bf6d75d5f-h95rf -n ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1 | grep "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr" I0216 14:06:41.842414 1 event.go:298] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1", Name:"control-plane-pki-operator", UID:"b63dbaa9-18f7-4ee6-8473-8a38bdb6f2df", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'CertificateSigningRequestApproved' "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr" in is approved I0216 14:06:41.848623 1 event.go:298] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1", Name:"control-plane-pki-operator", UID:"b63dbaa9-18f7-4ee6-8473-8a38bdb6f2df", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'CertificateSigningRequestInvalid' "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr" is invalid: invalid certificate request: subject CommonName must begin with "system:customer-break-glass:"
Actual results:
Expected results:
status in the CR show failed and the error
Additional info:
- depends on
-
OCPBUGS-29758 Invalid CN name is not bubbled up in the CSR
- Closed
- is cloned by
-
OCPBUGS-29758 Invalid CN name is not bubbled up in the CSR
- Closed
- links to
-
RHBA-2024:2865 OpenShift Container Platform 4.15.z bug fix update