Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.18.0
Affects Version/s: 4.14.z, 4.15.z, 4.16.z
Component/s: HyperShift
Labels:

Work Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:

4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z
Target Version:

4.18.z
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
*Cause*: The SAN of the custom certificate added by the user to the field hc.spec.configuration.apiServer.servingCerts.namedCertificates, is conflicting with the hostname set in the hc.spec.services.servicePublishingStrategy for the KAS.
*Consequence*: The KAS certificate is not added to the set of certificates to generate a new payload, then the new nodes to join the HostedCluster will face an issue with the certificates validation.
*Fix*: Added a validation to fail earlier and warn the user about the issue
*Result*: Bug will not happen.

Show
*Cause*: The SAN of the custom certificate added by the user to the field hc.spec.configuration.apiServer.servingCerts.namedCertificates, is conflicting with the hostname set in the hc.spec.services.servicePublishingStrategy for the KAS. *Consequence*: The KAS certificate is not added to the set of certificates to generate a new payload, then the new nodes to join the HostedCluster will face an issue with the certificates validation. *Fix*: Added a validation to fail earlier and warn the user about the issue *Result*: Bug will not happen.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue ~~OCPBUGS-53261~~. The following is the description of the original issue:
—
As we discussed in both related issues, there are some situations that could make your HostedCluster configuration to not work properly. In this case is regarding the SAN recorded in the KAS NamedCertificates provided by the customer/user and the SAN recorded in both certificates to host the KAS (Internal and External) we create from our RootCA. The conflicting situation is:

You cannot have the NamedCertificates with a SAN recorded that conflicts with the internal API url
The servicePublishingStrategy.loadBalancer.hostname records the internal API url that will be set into the kubelets.

So the NamedCertificate should contain a SAN that points to a CNAME that your DNS will redirect to the hostname set into the servicePublishingStrategy.loadBalancer.hostname. This will make your configuration work properly.

blocks

OCPBUGS-55500 Add validation to check that NamedCertificates and the Internal Certificate SAN does not have conflicting domains

Closed

clones

OCPBUGS-53261 Add validation to check that NamedCertificates and the Internal Certificate SAN does not have conflicting domains

Closed

is blocked by

OCPBUGS-53261 Add validation to check that NamedCertificates and the Internal Certificate SAN does not have conflicting domains

Closed

is cloned by

OCPBUGS-55500 Add validation to check that NamedCertificates and the Internal Certificate SAN does not have conflicting domains

Closed

links to

openshift/hypershift#6091: OCPBUGS-54946, RHOCPPRIO-433: Add validation to avoid conflicts between KubeAPIServer and NamedCertificates SANs

RHBA-2025:4427 OpenShift Container Platform 4.18.z bug fix update

(1 links to)

Assignee:: Juan Manuel Parrilla Madrid

Reporter:: OpenShift Prow Bot

Need Info From:: None

Contributors:: None

QA Contact:: Wen Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2025/04/14 10:53 AM

Updated:: 2025/07/14 1:14 PM

Resolved:: 2025/05/09 4:31 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates