OpenShift Bugs: OCPBUGS-55500

Add validation to check that NamedCertificates and the Internal Certificate SAN does not have conflicting domains

      * Previously, the Subject Alternative Name (SAN) of the custom certificate that the user added to the `hc.spec.configuration.apiServer.servingCerts.namedCertificates` field conflicted with the hostname set in the `hc.spec.services.servicePublishingStrategy` field for the Kubernetes agent server (KAS). As a result, the KAS certificate was not added to the set of certificates to generate a new payload, causing certificate validation issues for nodes that joined the hosted cluster. With this release, the validation fails earlier so that the user is warned about the issue with the conflicting SANs. (link:https://issues.redhat.com/browse/OCPBUGS-55500[OCPBUGS-55500]).

      This is a clone of issue OCPBUGS-54946. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-53261. The following is the description of the original issue:

      As we discussed in both related issues, there are some situations that could make your HostedCluster configuration not work properly. In this case it concerns the SAN recorded in the KAS NamedCertificates provided by the customer/user and the SAN recorded in both certificates we create from our RootCA to serve the KAS (internal and external). The conflicting situation is:

      • You cannot have the NamedCertificates with a SAN recorded that conflicts with the internal API URL.
      • The servicePublishingStrategy.loadBalancer.hostname records the internal API URL that will be set in the kubelets.

      So the NamedCertificate should contain a SAN that points to a CNAME that your DNS will redirect to the hostname set in servicePublishingStrategy.loadBalancer.hostname. This will make your configuration work properly.
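The validation described above, as an added standalone example (it is not HyperShift's own code): it parses the PEM bundle that a `namedCertificates` secret would hold, collects the DNS SANs of every certificate, and rejects any SAN that covers the KAS hostname recorded in `servicePublishingStrategy.loadBalancer.hostname`. Wildcard SANs are matched the way TLS clients match them (one label, RFC 6125 section 6.4.3), because `*.hc.example.com` silently covers `api-int.hc.example.com` even though the two strings differ. The function names `ValidateNamedCertSANs` and `sanMatches`, the hostnames, and the self-signed certificates are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sanMatches reports whether a certificate DNS SAN covers host.
// A wildcard SAN such as "*.example.com" covers exactly one extra label
// (RFC 6125 section 6.4.3): "api.example.com" matches, "a.b.example.com" does not.
func sanMatches(san, host string) bool {
	san = strings.ToLower(strings.TrimSuffix(san, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(san, "*.") {
		return san == host
	}
	suffix := san[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// ValidateNamedCertSANs returns an error when any DNS SAN in the PEM bundle
// covers kasHostname (the value in servicePublishingStrategy.loadBalancer.hostname).
// Hypothetical helper, not a HyperShift API.
func ValidateNamedCertSANs(kasHostname string, certPEM []byte) error {
	rest := certPEM
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("parsing named certificate: %w", err)
		}
		for _, san := range cert.DNSNames {
			if sanMatches(san, kasHostname) {
				return fmt.Errorf("named certificate SAN %q conflicts with the KAS hostname %q", san, kasHostname)
			}
		}
	}
	return nil
}

// selfSignedCert builds a throwaway certificate with the given DNS SANs.
// Constructed test input standing in for the secret referenced by namedCertificates.
func selfSignedCert(dnsNames []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	const kasHost = "api-int.hc.example.com" // constructed hostname
	good := selfSignedCert([]string{"api.hc.example.com"})
	bad := selfSignedCert([]string{"*.hc.example.com"})
	fmt.Println("distinct SAN:", ValidateNamedCertSANs(kasHost, good))
	fmt.Println("wildcard SAN:", ValidateNamedCertSANs(kasHost, bad))
}
```

The check inspects the certificate's actual SAN extension rather than only the names declared next to it, since the conflict the issue describes is between what the certificate asserts and the hostname the kubelets are told to trust; failing the HostedCluster early on this condition is what surfaces the problem before nodes join and hit validation errors.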

              Juan Manuel Parrilla Madrid (jparrill@redhat.com)
              OpenShift Prow Bot (openshift-crt-jira-prow)
              Wen Wang