Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.16.0
Component/s: HyperShift
Labels:
- adobe
- hypershift-qe
- no--qe
- rosa-hcp
- triaged

Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Type:
Release Note Not Required
Release Note Status:
In Progress
Target Version:

4.16.0
Target Backport Versions:

4.15.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

   Invalid CN is not bubbled up in the CR

Version-Release number of selected component (if applicable):

    4.15.0-rc7

How reproducible:

    always

Steps to Reproduce:

# generate a key with invalid CN
openssl genrsa -out myuser4.key 2048
openssl req -new -key myuser4.key -out myuser4.csr -subj "/CN=baduser/O=system:masters"
# get cert in the CSR
# apply the CSR
# Status remains in Accepted, but it is not Issued
% oc get csr | grep 29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr
29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr   4m29s   hypershift.openshift.io/ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1.customer-break-glass   system:admin                                                                60m                 Approved
# No status in the CSR status:
  conditions:
  - lastTransitionTime: "2024-02-16T14:06:41Z"
    lastUpdateTime: "2024-02-16T14:06:41Z"
    message: The requisite approval resource exists.
    reason: ApprovalPresent
    status: "True"
    type: Approved
# pki controller shows the error
 oc logs control-plane-pki-operator-bf6d75d5f-h95rf -n ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1 | grep "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr"
I0216 14:06:41.842414       1 event.go:298] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1", Name:"control-plane-pki-operator", UID:"b63dbaa9-18f7-4ee6-8473-8a38bdb6f2df", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'CertificateSigningRequestApproved' "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr" in is approved
I0216 14:06:41.848623       1 event.go:298] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"ocm-integration-29ecg6n5bkugrh6io4his24ser3bt16n-ad-int1", Name:"control-plane-pki-operator", UID:"b63dbaa9-18f7-4ee6-8473-8a38bdb6f2df", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'CertificateSigningRequestInvalid' "29ecg6n5bkugrh6io4his24ser3bt16n-5-customer-break-glass-csr" is invalid: invalid certificate request: subject CommonName must begin with "system:customer-break-glass:"

Actual results:

Expected results:

    status in the CR show failed and the error

Additional info:

clones

OCPBUGS-29613 Invalid CN name is not bubbled up in the CSR

Closed

is depended on by

OCPBUGS-29613 Invalid CN name is not bubbled up in the CSR

Closed

links to

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Assignee:: Steve Kuznetsov (Inactive)

Reporter:: Andrea Decorte

QA Contact:: Jie Zhao

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/02/21 1:24 PM

Updated:: 2024/06/27 11:38 AM

Resolved:: 2024/06/27 11:38 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates