Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: 4.20.0
Affects Version/s: 4.17.z
Component/s: HyperShift
Labels:

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None
Architecture:

All
Deployment Environment:
Production

Target Backport Versions:

4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z
Target Version:

4.20.0
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Proposed
Release Note Type:
Bug Fix
Release Note Text:

Hide
Before this update, the hosted cluster rejected certificates with multiple SAN entries due to conflicting DNS names. As a consequence, users experienced certificate deployment failure with conflicting DNS names in Kubernetes API server SANs. With this release, certificate validation has been updated to allow multiple SAN entries. As a result, the hosted cluster now accepts certificates with multiple SAN entries, improving deployment flexibility.

Show
Before this update, the hosted cluster rejected certificates with multiple SAN entries due to conflicting DNS names. As a consequence, users experienced certificate deployment failure with conflicting DNS names in Kubernetes API server SANs. With this release, certificate validation has been updated to allow multiple SAN entries. As a result, the hosted cluster now accepts certificates with multiple SAN entries, improving deployment flexibility.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    Hosted cluster has certificate deployed with two SAN entries

Version-Release number of selected component (if applicable):

    OCP-4.17.z | ACM 2.12 | MCE 2.7.5

How reproducible:

    Hosted cluster deployed with SAN certificate with two DNS hostnames.

Steps to Reproduce:

    1. Deploy hosted cluster, use same certificate for API and OAuth Endpoint
    2. Error custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid

    ValidConfiguration condition is false: custom serving cert: Invalid value: []string{"api.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com", "oauth.prod-scale-spoke1-aws-us-east-1.prod-scale-mgmthub1-aws-us-east-1.itup.redhat.com"}: conflicting DNS names found in KAS SANs. Configuration is invalid

Actual results:

Expected results:

    Hosted cluster should allow certificate with multiple entries

Additional info:

    Please see attached full hostedcluster manifest

blocks

OCPBUGS-60483 Hostedcluster error about two DNS name in SAN certificate

Closed

is cloned by

OCPBUGS-60483 Hostedcluster error about two DNS name in SAN certificate

Closed

links to

openshift/hypershift#6643: OCPBUGS-60381: feat(validations): add wildcard support to DNS SAN conflict detection

Assignee:: Juan Manuel Parrilla Madrid

Reporter:: Ujjwal Bhattarai

Need Info From:: None

Contributors:: None

QA Contact:: Wen Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2025/08/11 8:01 PM

Updated:: 2025/10/16 3:48 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide