Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-4532

CSR are generated with incorrect Subject Alternate Names

XMLWordPrintable

    • CLOUD Sprint 228
    • 1
    • False
    • Hide

      None

      Show
      None
    • Hide
      The GCP Machine controller would by default, reconcile the stat of Machines every 10 hours. Other providers set this value to 10 minutes so that changes that happen outside of the Machine API system, are detected within a short period.

      In this case, the external IP address being added was not detected for an extended period, and therefore CSRs requesting a SAN containing the external IP were not approved by the CSR approver.

      By reconciling more frequently, external changes are picked up sooner and CSRs are now approved within a timely manner in this case.
      Show
      The GCP Machine controller would by default, reconcile the stat of Machines every 10 hours. Other providers set this value to 10 minutes so that changes that happen outside of the Machine API system, are detected within a short period. In this case, the external IP address being added was not detected for an extended period, and therefore CSRs requesting a SAN containing the external IP were not approved by the CSR approver. By reconciling more frequently, external changes are picked up sooner and CSRs are now approved within a timely manner in this case.
    • Bug Fix

      This is a clone of issue OCPBUGS-4499. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-860. The following is the description of the original issue:

      Description of problem:

      In GCP, once an external IP address is assigned to master/infra node through GCP console, numbers of pending CSR from kubernetes.io/kubelet-serving is increasing, and the following error are reported:
      
      I0902 10:48:29.254427       1 controller.go:121] Reconciling CSR: csr-q7bwd
      I0902 10:48:29.365774       1 csr_check.go:157] csr-q7bwd: CSR does not appear to be client csr
      I0902 10:48:29.371827       1 csr_check.go:545] retrieving serving cert from build04-c92hb-master-1.c.openshift-ci-build-farm.internal (10.0.0.5:10250)
      I0902 10:48:29.375052       1 csr_check.go:188] Found existing serving cert for build04-c92hb-master-1.c.openshift-ci-build-farm.internal
      I0902 10:48:29.375152       1 csr_check.go:192] Could not use current serving cert for renewal: CSR Subject Alternate Name values do not match current certificate
      I0902 10:48:29.375166       1 csr_check.go:193] Current SAN Values: [build04-c92hb-master-1.c.openshift-ci-build-farm.internal 10.0.0.5], CSR SAN Values: [build04-c92hb-master-1.c.openshift-ci-build-farm.internal 10.0.0.5 35.211.234.95]
      I0902 10:48:29.375175       1 csr_check.go:202] Falling back to machine-api authorization for build04-c92hb-master-1.c.openshift-ci-build-farm.internal
      E0902 10:48:29.375184       1 csr_check.go:420] csr-q7bwd: IP address '35.211.234.95' not in machine addresses: 10.0.0.5
      I0902 10:48:29.375193       1 csr_check.go:205] Could not use Machine for serving cert authorization: IP address '35.211.234.95' not in machine addresses: 10.0.0.5
      I0902 10:48:29.379457       1 csr_check.go:218] Falling back to serving cert renewal with Egress IP checks
      I0902 10:48:29.382668       1 csr_check.go:221] Could not use current serving cert and egress IPs for renewal: CSR Subject Alternate Names includes unknown IP addresses
      I0902 10:48:29.382702       1 controller.go:233] csr-q7bwd: CSR not authorized
      
      

      Version-Release number of selected component (if applicable):

      4.11.2
      

      Steps to Reproduce:

      1. Assign external IPs to master/infra node in GCP
      2. oc get csr | grep kubernetes.io/kubelet-serving
      

      Actual results:

      CSRs are not approved
      

      Expected results:

      CSRs are approved
      

      Additional info:

      This issue is only happen in GCP. Same OpenShift installations in AWS do not have this issue.
      
      It looks like the CSR are created using external IP addresses once assigned.
      
      Ref: https://coreos.slack.com/archives/C03KEQZC1L2/p1662122007083059
      

            joelspeed Joel Speed
            openshift-crt-jira-prow OpenShift Prow Bot
            Zhaohua Sun Zhaohua Sun
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: