Feature Request
Resolution: Unresolved
1. Proposed title of this feature request
—
Add GODEBUG to the WhitelistEnvVarNames in openshift/api/blob/master/build/v1/consts.go.
Allow customers to keep using legacy certificates without subject alternative names (SAN) on OCP4.6+.
2. What is the nature and description of the request?
—
CU wants to pull images from the image registry on either OCP311 or OCP4.6. However, OCP4.6 related components adopt Golang 1.15+ and need a certificate with a SAN field, whereas OCP3.11 doesn't need that feature. In order to pull images from the image registry in OCP4.6, CU needs to regenerate the certificate with the SAN field for the image registry and put the certificate into trusted-ca-bundle on all nodes, and the same applies to OCP3.11.
We require SAN in the certificate in OCP4.6 because of the move to Golang1.15 and Go1.15 [1]. Therefore, the certificates for the local image registry need to have SANs.
To avoid changing all of the legacy certificates, setting the following environment variable sounds like a good way:
GODEBUG=x509ignoreCN=0
However, our oc build doesn't support that env, even though our systems DefaultEnvironment has that GODEBUG env [3].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1886134
[2] https://github.com/openshift/api/blob/master/build/v1/consts.go#L169
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1882191
3. Why does the customer need this? (List the business requirements here)
—
Most CUs have their legacy certificates, and it is not easy for them to change all certificates to ones with SAN, especially for the migration from OCP311 to OCP46.
4. List any affected packages or components.
—
build api/pod.