Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-29613

Invalid CN name is not bubbled up in the CSR

XMLWordPrintable

    • No
    • False
    • Hide

      None

      Show
      None

      Description of problem:

         Invalid CN is not bubbled up in the CR 

      Version-Release number of selected component (if applicable):

          4.15.0-rc7

      How reproducible:

          always

      Steps to Reproduce:

      # generate a key with invalid CN
      openssl genrsa -out myuser4.key 2048
      openssl req -new -key myuser4.key -out myuser4.csr -subj "/CN=baduser/O=system:masters"
      # get cert in the CSR
      # apply the CSR
      # Status remains in Accepted, but it is not Issued
      % oc get csr | grep 29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr
      29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr   4m29s   hypershift.openshift.io/ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1.customer-break-glass   system:admin                                                                60m                 Approved
      # No status in the CSR status:
        conditions:
        - lastTransitionTime: "2024-02-16T14:06:41Z"
          lastUpdateTime: "2024-02-16T14:06:41Z"
          message: The requisite approval resource exists.
          reason: ApprovalPresent
          status: "True"
          type: Approved
      # pki controller shows the error
       oc logs control-plane-pki-operator-bf6d75d5f-h95rf -n ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1 | grep "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr"
      I0216 14:06:41.842414       1 event.go:298] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1", Name:"control-plane-pki-operator", UID:"b63dbaa9-18f7-4ee6-8473-8a38bdb6f2df", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'CertificateSigningRequestApproved' "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr" in is approved
      I0216 14:06:41.848623       1 event.go:298] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1", Name:"control-plane-pki-operator", UID:"b63dbaa9-18f7-4ee6-8473-8a38bdb6f2df", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'CertificateSigningRequestInvalid' "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr" is invalid: invalid certificate request: subject CommonName must begin with "system:customer-break-glass:"     

      Actual results:

          

      Expected results:

          status in the CR show failed and the error 

      Additional info:

          

            skuznets@redhat.com Steve Kuznetsov
            rh-ee-adecorte Andrea Decorte
            Jie Zhao Jie Zhao
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: