OpenShift Bugs: OCPBUGS-4532

CSRs are generated with incorrect Subject Alternate Names

Details

    • CLOUD Sprint 228
    • The GCP Machine controller would by default reconcile the state of Machines every 10 hours. Other providers set this value to 10 minutes so that changes that happen outside of the Machine API system are detected within a short period.

      In this case, the external IP address being added was not detected for an extended period, and therefore CSRs requesting a SAN containing the external IP were not approved by the CSR approver.

      By reconciling more frequently, external changes are picked up sooner and CSRs are now approved in a timely manner in this case.
    • Bug Fix

    Description

      This is a clone of issue OCPBUGS-4499. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-860. The following is the description of the original issue:

      Description of problem:

      In GCP, once an external IP address is assigned to a master/infra node through the GCP console, the number of pending CSRs from kubernetes.io/kubelet-serving keeps increasing, and the following errors are reported:
      
      I0902 10:48:29.254427       1 controller.go:121] Reconciling CSR: csr-q7bwd
      I0902 10:48:29.365774       1 csr_check.go:157] csr-q7bwd: CSR does not appear to be client csr
      I0902 10:48:29.371827       1 csr_check.go:545] retrieving serving cert from build04-c92hb-master-1.c.openshift-ci-build-farm.internal (10.0.0.5:10250)
      I0902 10:48:29.375052       1 csr_check.go:188] Found existing serving cert for build04-c92hb-master-1.c.openshift-ci-build-farm.internal
      I0902 10:48:29.375152       1 csr_check.go:192] Could not use current serving cert for renewal: CSR Subject Alternate Name values do not match current certificate
      I0902 10:48:29.375166       1 csr_check.go:193] Current SAN Values: [build04-c92hb-master-1.c.openshift-ci-build-farm.internal 10.0.0.5], CSR SAN Values: [build04-c92hb-master-1.c.openshift-ci-build-farm.internal 10.0.0.5 35.211.234.95]
      I0902 10:48:29.375175       1 csr_check.go:202] Falling back to machine-api authorization for build04-c92hb-master-1.c.openshift-ci-build-farm.internal
      E0902 10:48:29.375184       1 csr_check.go:420] csr-q7bwd: IP address '35.211.234.95' not in machine addresses: 10.0.0.5
      I0902 10:48:29.375193       1 csr_check.go:205] Could not use Machine for serving cert authorization: IP address '35.211.234.95' not in machine addresses: 10.0.0.5
      I0902 10:48:29.379457       1 csr_check.go:218] Falling back to serving cert renewal with Egress IP checks
      I0902 10:48:29.382668       1 csr_check.go:221] Could not use current serving cert and egress IPs for renewal: CSR Subject Alternate Names includes unknown IP addresses
      I0902 10:48:29.382702       1 controller.go:233] csr-q7bwd: CSR not authorized
      
      

      Version-Release number of selected component (if applicable):

      4.11.2
      

      Steps to Reproduce:

      1. Assign external IPs to master/infra node in GCP
      2. oc get csr | grep kubernetes.io/kubelet-serving
      

      Actual results:

      CSRs are not approved
      

      Expected results:

      CSRs are approved
      

      Additional info:

      This issue only happens in GCP. The same OpenShift installations in AWS do not have this issue.
      
      It looks like the CSRs are created using the external IP addresses once they are assigned.
      
      Ref: https://coreos.slack.com/archives/C03KEQZC1L2/p1662122007083059
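      The machine-api fallback that the log above walks through (compare every SAN in the kubelet-serving CSR with the addresses the Machine reports, and leave the CSR Pending when any SAN is unknown), as an added Go example that is not code from cluster-machine-approver or the Machine API. The node name and addresses are the ones in the log; the CSR itself is constructed locally with a throwaway key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"net"
)

// unknownSANs parses a DER-encoded CSR, checks its self-signature and returns the
// SAN entries (DNS names and IPs) absent from the addresses the Machine reports.
// An empty result means the Machine can vouch for every SAN; otherwise the CSR
// is left Pending, as in the log above.
func unknownSANs(csrDER []byte, known map[string]bool) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	sans := append([]string{}, csr.DNSNames...)
	for _, ip := range csr.IPAddresses {
		sans = append(sans, ip.String())
	}
	unknown := []string{}
	for _, s := range sans {
		if !known[s] {
			unknown = append(unknown, s)
		}
	}
	return unknown, nil
}

// makeCSR builds a kubelet-serving style CSR for a node (constructed stand-in for what the kubelet submits).
func makeCSR(node string, ips ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}},
		DNSNames: []string{node},
	}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

      With the Machine reporting only the internal hostname and 10.0.0.5, a CSR that also carries 35.211.234.95 yields that one unknown SAN, which is exactly the condition the approver logged.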
      

            People

              joelspeed Joel Speed
              openshift-crt-jira-prow OpenShift Prow Bot
              Zhaohua Sun Zhaohua Sun