Bug 1328809

Summary: [Intservice_public_226] Preflight check failed when hostnames contain * in custom cert
Product: OpenShift Container Platform
Reporter: Xia Zhao <xiazhao>
Component: Hawkular
Assignee: Matt Wringe <mwringe>
Status: CLOSED CURRENTRELEASE
QA Contact: chunchen <chunchen>
Severity: low
Priority: low
Version: unspecified
CC: aos-bugs, wsun
Doc Type: Bug Fix
Last Closed: 2016-09-19 13:49:38 UTC
Type: Bug
Attachments: preflight_logs

Description Xia Zhao 2016-04-20 10:32:13 UTC
Problem description: 
Preflight check failed when hostnames contain * in custom cert

Version-Release number of selected component (if applicable):
Images built from upstream https://github.com/openshift/origin-metrics

How reproducible:
Always

Steps to Reproduce:
1. Log in to the OpenShift master and create a valid custom cert with * specified in hostnames:
openshift admin ca create-server-cert --key=c.key --cert=c.crt --hostnames='*.router.default.svc.cluster.local,hawkular-metrics' --signer-cert=/etc/origin/master/ca.crt --signer-key=/etc/origin/master/ca.key --signer-serial=/etc/origin/master/ca.serial.txt
cat c.crt c.key /etc/origin/master/ca.crt > hm_c.pem
cp /etc/origin/master/ca.crt hm-ca_c.cert
2. Create the new project and deploy metrics with MODE=preflight:
oc new-project metrics
oc secrets new metrics-deployer hawkular-metrics.pem=hm_c.pem hawkular-metrics-ca.cert=hm-ca_c.cert
oc create -f https://raw.githubusercontent.com/openshift/origin-metrics/master/metrics-deployer-setup.yaml
#run on master:
oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:metrics:heapster
oc policy add-role-to-user edit system:serviceaccount:metrics:metrics-deployer
oc process openshift//metrics-deployer-template -v HAWKULAR_METRICS_HOSTNAME=hawkular-metrics.router.default.svc.cluster.local,IMAGE_PREFIX=openshift/origin-,IMAGE_VERSION=latest,USE_PERSISTENT_STORAGE=false,MASTER_URL=https://{master-domain}:8443,CASSANDRA_PV_SIZE=5Gi,MODE=preflight |oc create -f -

Actual Result:
Preflight failed with the error message below:
PREFLIGHT CHECK FAILED
========================
validate_deployer_secret:
The supplied hawkular-metrics.pem certificate is required to contain the following name(s) in the Subject Alternative Name field:
hawkular-metrics.router.default.svc.cluster.local hawkular-metrics
Instead the certificate has:
            X509v3 Subject Alternative Name:
                DNS:*.router.default.svc.cluster.local
Please supply a correct certificate or omit it to allow the deployer to generate it.
PREFLIGHT CHECK FAILED

Expected Result:
Preflight should succeed since the custom cert is valid

Additional info:
Preflight check succeeded when --hostnames='hawkular-metrics.router.default.svc.cluster.local' in custom cert

Comment 1 Xia Zhao 2016-04-20 10:37:41 UTC
To address more I tried with multiple DNS in cert: "--hostnames='*.router.default.svc.cluster.local,hawkular-metrics'", and the preflight check failed again. Here is the output: http://pastebin.test.redhat.com/367211

Comment 2 Xia Zhao 2016-04-20 10:48:47 UTC
Created attachment 1149035
preflight_logs

Comment 3 Matt Wringe 2016-04-20 13:09:42 UTC
A workaround for this is to specify that we want to skip the preflight checks; you can do this by setting the IGNORE_PREFLIGHT template parameter to false.

We will update our preflight checks to consider these situations.

Comment 4 Matt Wringe 2016-08-12 20:18:45 UTC
Oops, this has been fixed for a while now. Setting this to ON_QA
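
Added example, not part of the original bug report and not the origin-metrics deployer's code: a wildcard-aware Subject Alternative Name check in shell for the case this bug reports, where a wildcard is accepted only as the whole left-most label and stands for exactly one label. The function names are hypothetical; the sample SAN line and required names are copied from the failure output above.

```shell
#!/bin/sh
# Added example: wildcard-aware SAN check (hypothetical helper names).

# Print the DNS entries of an "openssl x509 -text" SAN line, one per line, lower-cased.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | tr 'A-Z' 'a-z'
}

# Return 0 if hostname $1 is covered by the single SAN entry $2.
name_matches_san() {
    _host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _pat=$2
    [ "$_host" = "$_pat" ] && return 0          # exact match
    case $_pat in
        '*.'*) ;;                               # wildcard as the whole first label
        *) return 1 ;;
    esac
    _suffix=${_pat#\*}                          # e.g. ".router.default.svc.cluster.local"
    case $_host in
        *"$_suffix") _first=${_host%"$_suffix"} ;;
        *) return 1 ;;
    esac
    case $_first in                             # "*" must replace one non-empty label
        ''|*.*) return 1 ;;
    esac
    return 0
}

# Print each required name (space-separated, $1) that no DNS entry in SAN line $2 covers.
# Runs in a subshell with globbing off so "*" in a SAN entry is never expanded as a file glob.
missing_names() (
    set -f
    _sans=$(san_dns_names "$2")
    for _req in $1; do
        _ok=no
        for _san in $_sans; do
            if name_matches_san "$_req" "$_san"; then _ok=yes; break; fi
        done
        [ "$_ok" = yes ] || printf '%s\n' "$_req"
    done
)

# Sample input: SAN line and required names as shown in the preflight output above.
san_line='                DNS:*.router.default.svc.cluster.local'
required='hawkular-metrics.router.default.svc.cluster.local hawkular-metrics'
echo "not covered: $(missing_names "$required" "$san_line")"
```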