Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-676

cluster-machine-approver doesn't ignore case for CSR hostnames

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Normal
    • None
    • 4.11, 4.10
    • Cloud Compute / Other Provider
    • None
    • CLOUD Sprint 224
    • 1
    • False
    • Hide

      None

      Show
      None

    Description

      the machine approver isn't recognizing hostnames that use capital letters as valid even though DNS is case-insensitive

      an example of this is in OHSS-14709:

      I0822 19:04:51.587266       1 controller.go:114] Reconciling CSR: csr-vdtpv
I0822 19:04:51.600941       1 csr_check.go:156] csr-vdtpv: CSR does not appear to be client csr
I0822 19:04:51.603648       1 csr_check.go:542] retrieving serving cert from ip-100-66-119-117.ec2.internal (100.66.119.117:10250)
I0822 19:04:51.604003       1 csr_check.go:181] Failed to retrieve current serving cert: dial tcp 100.66.119.117:10250: connect: connection refused
I0822 19:04:51.604017       1 csr_check.go:201] Falling back to machine-api authorization for ip-100-66-119-117.ec2.internal
E0822 19:04:51.604024       1 csr_check.go:392] csr-vdtpv: DNS name 'ip-100-66-119-117.tech-ace-maint-prd.aws.delta.com' not in machine names: ip-100-66-119-117.ec2.internal ip-100-66-119-117.ec2.internal ip-100-66-119-117.tech-ACE-maint-prd.aws.delta.com
I0822 19:04:51.604033       1 csr_check.go:204] Could not use Machine for serving cert authorization: DNS name 'ip-100-66-119-117.tech-ace-maint-prd.aws.delta.com' not in machine names: ip-100-66-119-117.ec2.internal ip-100-66-119-117.ec2.internal ip-100-66-119-117.tech-ACE-maint-prd.aws.delta.com
I0822 19:04:51.606777       1 controller.go:199] csr-vdtpv: CSR not authorized

      This can be worked around by manually approving the CSR

      The relevant line in the machine approver appears to be here: https://github.com/openshift/cluster-machine-approver/blob/master/pkg/controller/csr_check.go#L378

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-10382 cluster-machine-approver doesn't ignore case for CSR hostnames

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-10382 cluster-machine-approver doesn't ignore case for CSR hostnames

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed

          Activity

            People

              ddonati@redhat.com Damiano Donati
              achvatal.openshift Alex Chvatal
              Huali Liu Huali Liu
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: