OpenShift Bugs: OCPBUGS-60381

Hostedcluster error about two DNS names in SAN certificate

Release note:

Before this update, the SAN validation for custom certificates in `hc.spec.configuration.apiServer.servingCerts.namedCertificates` did not properly handle wildcard DNS patterns such as `*.example.com`. As a consequence, wildcard DNS patterns in custom certificates could overlap with the internal Kubernetes API server certificate SANs without being detected, leading to certificate validation failures and potential deployment issues. This release extends DNS SAN conflict detection with RFC-compliant wildcard support: the conflict check is now bidirectional and correctly treats a wildcard pattern such as `*.example.com` as matching `sub.example.com`, whichever side of the comparison the wildcard appears on. As a result, wildcard DNS patterns are properly validated, preventing certificate conflicts and making hosted cluster deployments with wildcard certificates more reliable.
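The bidirectional wildcard check described in this release note, shown as an added Go illustration that is not HyperShift's own validation code: a leading `*.` label covers exactly one DNS label, and a pair is reported as a conflict when either the custom name covers the KAS SAN or the KAS SAN covers the custom name. The sample names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// dnsNameMatches reports whether SAN pattern covers DNS name. A leading "*."
// matches exactly one label (RFC 6125 style); otherwise names must be equal.
func dnsNameMatches(pattern, name string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if pattern == name {
		return true
	}
	if !strings.HasPrefix(pattern, "*.") {
		return false
	}
	suffix := pattern[1:] // "*.example.com" -> ".example.com"
	if !strings.HasSuffix(name, suffix) {
		return false
	}
	// the part before the suffix must be exactly one non-empty label
	firstLabel := strings.TrimSuffix(name, suffix)
	return firstLabel != "" && !strings.Contains(firstLabel, ".")
}

// findSANConflicts returns every custom-certificate DNS name / KAS SAN pair
// where either side covers the other, so a wildcard on either side is caught.
func findSANConflicts(customNames, kasSANs []string) []string {
	var conflicts []string
	for _, c := range customNames {
		for _, k := range kasSANs {
			if dnsNameMatches(c, k) || dnsNameMatches(k, c) {
				conflicts = append(conflicts, c+" <-> "+k)
			}
		}
	}
	return conflicts
}

func main() {
	// constructed sample input: a wildcard custom cert against internal KAS SANs
	custom := []string{"*.example.com", "oauth.example.com"}
	kas := []string{"kubernetes.default.svc", "sub.example.com", "*.internal.example.com"}
	for _, c := range findSANConflicts(custom, kas) {
		fmt.Println("conflict:", c)
	}
}
```

Only `*.example.com <-> sub.example.com` is reported for the sample input; `*.internal.example.com` is not flagged because a single wildcard label cannot span two labels.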

Description of problem:

The hosted cluster has a certificate deployed with two SAN entries.

Version-Release number of selected component (if applicable):

OCP-4.17.z | ACM 2.12 | MCE 2.7.5

How reproducible:

Hosted cluster deployed with a SAN certificate carrying two DNS hostnames.

Steps to Reproduce:

1. Deploy a hosted cluster, using the same certificate for the API and OAuth endpoints.
2. The HostedCluster reports the error: custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid
   ValidConfiguration condition is false: custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid

Actual results:

Expected results:

The hosted cluster should allow a certificate with multiple SAN entries.

Additional info:

Please see the attached full HostedCluster manifest.

People: Juan Manuel Parrilla Madrid (jparrill@redhat.com), Ujjwal Bhattarai (rhit_ubhattar), Wen Wang