OpenShift Bugs: OCPBUGS-53261

Add validation to check that NamedCertificates and the Internal Certificate SAN do not have conflicting domains

    • Done
    • Bug Fix
      * Previously, the SAN of the custom certificate that the user added to the `hc.spec.configuration.apiServer.servingCerts.namedCertificates` field conflicted with the hostname that was set in the `hc.spec.services.servicePublishingStrategy` field for the Kubernetes agent server (KAS). As a consequence, the KAS certificate was not added to the set of certificates to generate a new payload, and any new nodes that attempted to join the `HostedCluster` resource had issues with certificate validation. This release adds a validation step to fail earlier and warn the user about the issue, so that the problem no longer occurs. (link:https://issues.redhat.com/browse/OCPBUGS-53261[OCPBUGS-53261])

      As we discussed in both related issues, there are some situations that could make your HostedCluster configuration not work properly. In this case it is regarding the SAN recorded in the KAS NamedCertificates provided by the customer/user and the SAN recorded in both certificates we create from our RootCA to host the KAS (Internal and External). The conflicting situation is:

      • You cannot have the NamedCertificates with a SAN recorded that conflicts with the internal API url
      • The servicePublishingStrategy.loadBalancer.hostname records the internal API url that will be set into the kubelets.

      So the NamedCertificate should contain a SAN that points to a CNAME that your DNS will redirect to the hostname set in servicePublishingStrategy.loadBalancer.hostname. This will make your configuration work properly.
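A validation of the kind the release note describes, written here as an added example rather than HyperShift's own code: it parses a PEM named certificate and rejects any DNS SAN, exact or wildcard, that covers the KAS hostname taken from servicePublishingStrategy.loadBalancer.hostname. The function names and the self-signed helper that fabricates a throwaway test certificate are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sanCovers reports whether DNS SAN san covers host; a leading "*." matches exactly one leftmost label ("*.a.b" covers "x.a.b", not "y.x.a.b" or "a.b").
func sanCovers(san, host string) bool {
	san, host = strings.ToLower(san), strings.ToLower(host)
	i := strings.IndexByte(host, '.')
	return san == host || (strings.HasPrefix(san, "*.") && i > 0 && host[i+1:] == san[2:])
}

// ValidateNamedCertSANs (assumed name) fails when any DNS SAN of the PEM named certificate covers the KAS hostname set in servicePublishingStrategy.loadBalancer.hostname.
func ValidateNamedCertSANs(certPEM []byte, kasHostname string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("named certificate: no CERTIFICATE PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("named certificate: %w", err)
	}
	for _, san := range cert.DNSNames {
		if sanCovers(san, kasHostname) {
			return fmt.Errorf("SAN %q conflicts with KAS hostname %q; use a CNAME that resolves to it instead", san, kasHostname)
		}
	}
	return nil
}

// SelfSignedPEM builds a constructed, throwaway certificate carrying the given SANs (test input only).
func SelfSignedPEM(dnsNames ...string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Call ValidateNamedCertSANs with the user-supplied certificate bytes and the loadBalancer hostname before the certificate is accepted into the payload; a non-nil error is the early failure the fix introduces.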

jparrill@redhat.com Juan Manuel Parrilla Madrid
Wen Wang