
Empty status.ServiceNetwork field causes x509: cannot validate certificate for xxx.xxx.xx.xx which doesn't contain any IP SANs


    • Bug
    • Resolution: Done-Errata
    • Normal
    • 4.19.0
    • 4.19
    • kube-apiserver
    • Quality / Stability / Reliability
    • False
    • Moderate
    • Done
    • Bug Fix
      * Previously, when the temporary control plane was down, the `networkConfig.status.ServiceNetwork` was not populated, and when generated certificates did not have the Kubernetes service IP in the SANs, the clients would fail to connect to the kube-apiserver through the default kubernetes service. With this release, a guard has been added to skip certificate generation if `networkConfig.status.ServiceNetwork` is nil. Client connections will be stable and valid. (link:https://issues.redhat.com/browse/OCPBUGS-45943[OCPBUGS-45943])

      Description of problem:

          1. Clients cannot connect to the kube-apiserver via the kubernetes svc, as the kubernetes svc is not in the cert SANs
          2. The kube-apiserver-operator generates apiserver certs, and inserts the kubernetes svc IP from the network CR status.ServiceNetwork
          3. When the temporary control plane is down, and the network CR is not ready yet, clients will not connect to the apiserver again

      Steps to Reproduce:

          1. I have just met this under very rare conditions, especially when the machine performance is poor

              vrutkovs@redhat.com Vadim Rutkovsky
              lan.tian 天 兰
              Ke Wang Ke Wang
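
The failure in the title and the guard described in the release note, as an added Go example that is not the kube-apiserver-operator's own code. `issueCert`, `errNoServiceNetwork`, the `guard` flag and the `172.30.0.0/16` service network are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

var errNoServiceNetwork = errors.New("status.ServiceNetwork is empty, not issuing cert")

// issueCert and errNoServiceNetwork are hypothetical names, not the operator's code.
func issueCert(serviceNetwork []string, guard bool) (*x509.Certificate, error) {
	if guard && len(serviceNetwork) == 0 {
		return nil, errNoServiceNetwork // the guard: skip certificate generation
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"kubernetes.default.svc"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, cidr := range serviceNetwork {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			return nil, err
		}
		ip := append(net.IP(nil), n.IP...)
		ip[len(ip)-1]++ // first address of the CIDR: the kubernetes service IP
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := issueCert(nil, false) // guard off: cert has DNS SANs only
	fmt.Println(cert.VerifyHostname("172.30.0.1")) // constructed service IP
}
```

With the guard off and an empty service network, `VerifyHostname` returns the "doesn't contain any IP SANs" error from the issue title; with the network populated, the same check passes.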