Bug 2040345

Summary: oVirt CSI driver will fail to connect when legacy certificates are used
Product: OpenShift Container Platform Reporter: Janos Bonic <jpasztor>
Component: Storage Assignee: Janos Bonic <jpasztor>
Storage sub component: oVirt CSI Driver QA Contact: Michael Burman <mburman>
Status: CLOSED NOTABUG Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, ddacosta, emarcus, mburman
Version: 4.10   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Starting in OpenShift Container Platform 4.10, the OpenShift codebase is switching to Go 1.17. As a result, Red Hat Virtualization (RHV) engine certificates that were issued manually and do not contain a Subject Alternative Name field might be rejected by the oVirt CSI driver, oVirt CSI driver operator, cluster API provider, and the OpenShift Installer. When upgrading OpenShift to 4.10, the operators related to RHV (oVirt) might be degraded due to this issue. To resolve this issue, create a new certificate for the RHV Manager with the correct subjectAltName field set to the host name of the engine and replace it using the procedure described here: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-31 11:34:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Janos Bonic 2022-01-13 14:07:22 UTC
Description of problem: As indicated in BZ #2038166 for OpenStack, OCP 4.10 will move to Go 1.17. This will impact customers who have generated their own certificates for RHV and have not provided SAN fields.

Version-Release number of selected component (if applicable): 4.10

How reproducible: Always

Steps to Reproduce:
1. Create a custom certificate for RHV with only the CN field filled in, but not the SAN fields.
2. Configure OCP on RHV.

Actual results:

CSI driver will be degraded.

Expected results:

There should be a KCS explaining this behavior, including the specific error message the customer will get.

Comment 2 Janos Bonic 2022-03-31 11:34:31 UTC
This is not a problem because RHV itself already won't work.