Bug 2052467
Summary: | Customized component route with cert of no SAN does not mark Upgradeable as False to remind user before upgrade to 4.10 | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Xingxing Xia <xxia> |
Component: | apiserver-auth | Assignee: | Pierre Prinetti <pprinett> |
Status: | CLOSED ERRATA | QA Contact: | Xingxing Xia <xxia> |
Severity: | urgent | Docs Contact: | |
Priority: | high | ||
Version: | 4.9 | CC: | aos-bugs, hongli, mfojtik, mmasters, pprinett, surbania, wking |
Target Milestone: | --- | ||
Target Release: | 4.9.z | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2022-07-05 22:04:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2031839 | ||
Bug Blocks: | | | |
Description
Xingxing Xia
2022-02-09 10:41:05 UTC
I'm setting blocker- as this issue doesn't need to block the next z-stream release, but we may need to fix it in some 4.9.z release before 4.10.0 GA. I don't understand why the SANless certificate works with OpenShift 4.9; neither cluster-authentication-operator nor oauth-server is setting the GODEBUG environment variable as far as I can tell using git-grep or ripgrep on their respective source repositories. Can you confirm that the same certificate works with OpenShift 4.9 and fails with OpenShift 4.10?

(In reply to Miciah Dashiel Butler Masters from comment #1)

> but we may need to fix it in some 4.9.z release before 4.10.0 GA.

Agree

> Can you confirm that the same certificate works with OpenShift 4.9 and fails with OpenShift 4.10?

Yesterday 4.9 test showed all COs are good. Today tested 4.10 with same steps, got bad COs:

```
$ oc get co
NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.10.0-0.nightly-2022-02-09-225148   False       False         True       10m     OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://auth-openshift-custom.qe1.HIDDEN/healthz": x509: certificate relies on legacy Common Name field, use SANs instead
...
console          4.10.0-0.nightly-2022-02-09-225148   True        True          False      36m     SyncLoopRefreshProgressing: Working toward version 4.10.0-0.nightly-2022-02-09-225148, 1 replicas available
...
$ oc get po -n openshift-console
NAME                       READY   STATUS    RESTARTS      AGE
console-5886c6845d-xzbtp   1/1     Running   0             38m
console-6fc6b8884f-k5hsp   0/1     Running   3 (59s ago)   11m
console-6fc6b8884f-vvh4b   0/1     Running   3 (42s ago)   11m
...
$ oc logs -n openshift-console console-6fc6b8884f-k5hsp
... repeated same log lines ...
E0210 03:56:13.518829       1 auth.go:232] error contacting auth provider (retrying in 10s): request to OAuth issuer endpoint https://auth-openshift-custom.qe1.HIDDEN/oauth/token failed: Head "https://auth-openshift-custom.qe1.HIDDEN": x509: certificate relies on legacy Common Name field, use SANs instead
```

So, it fails with 4.10 as expected; this further proves this 4.9 bug needs to be fixed.

One more thing, the tested 4.10 env shows below as well:

```
$ oc get ingress.config cluster -o yaml
...
status:
  componentRoutes:
  - conditions:
    - lastTransitionTime: "2022-02-10T03:44:57Z"
      message: 'unexpected error at auth-openshift-custom.HIDDEN: Get "https://auth-openshift-custom.qe1.HIDDEN/healthz": x509: certificate relies on legacy Common Name field, use SANs instead'
      reason: ErrorReachingOutToService
      status: "True"
      type: Progressing
```

I'm working on verification.

Verified in 4.9.0-0.nightly-2022-06-28-211928 with original steps: After applying non-SAN cert, user is reminded by:

```
$ oc get co authentication
NAME             VERSION                             AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.9.0-0.nightly-2022-06-28-211928   True        False         True       11h     CustomRouteControllerDegraded: custom route configuration failed verification: [error validating secret openshift-config/custom-auth-component: [certificate relies on legacy Common Name field, use SANs instead:...
$ oc describe co authentication
...
Status:
  Conditions:
    Last Transition Time:  2022-06-29T13:53:19Z
    Message:               CustomRouteControllerDegraded: custom route configuration failed verification: [error validating secret openshift-config/custom-auth-component: [certificate relies on legacy Common Name field, use SANs instead: CustomRouteControllerDegraded: sn=17889069629480321911; CustomRouteControllerDegraded: iss=CN=xxia_test_ca]]
OAuthClientsControllerDegraded: no ingress for host auth-openshift-custom.qe1.SNIPPED.com in route oauth-openshift in namespace openshift-authentication
    Reason:                CustomRouteController_SyncError::OAuthClientsController_SyncError
    Status:                True
    Type:                  Degraded
    ...
    Last Transition Time:  2022-06-29T02:36:34Z
    Message:               All is well
    Reason:                AsExpected
    Status:                True
    Type:                  Upgradeable
...
```

From the message above, moving to VERIFIED. Revert oc edit ingress.config cluster setting, oc get co authentication is back to normal. But from PR comment "prevent the upgrade", "Upgradeable" condition isn't "False", is this expected, Pierre?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.9.41 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:5434

> But from PR comment "prevent the upgrade", "Upgradeable" condition isn't "False", is this expected, Pierre?
Newly added certificates are validated by the respective operators and are outside the scope of this change IIUC. This very change should only catch already added certificates (that were added in a previous OCP version, where they were validated OK) that are detected as invalid upon upgrade, and set "NoUpgrade" in that case.
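An added example, not cluster-authentication-operator's own code, of the validation behind the error quoted throughout this bug: Go's `x509.VerifyHostname` refuses a certificate whose host appears only in the Subject CN, and a hypothetical `checkCustomRouteCert` maps that outcome to the kind of Upgradeable verdict an operator would surface before an upgrade. The certificate and the hostname are constructed here, not the reporter's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed serving cert for host (constructed test data).
// With withSAN=false the host is only in the Subject CN, which Go 1.15+ rejects.
func makeCert(host string, withSAN bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withSAN {
		tmpl.DNSNames = []string{host} // this is what adds the SAN extension
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// checkCustomRouteCert is a hypothetical pre-upgrade check: it lets the Go verifier
// decide whether cert matches host and maps the result to an Upgradeable verdict.
func checkCustomRouteCert(cert *x509.Certificate, host string) (upgradeable bool, reason string) {
	if err := cert.VerifyHostname(host); err != nil {
		if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
			return false, "SANlessCertificate: " + err.Error()
		}
		return false, "HostnameMismatch: " + err.Error()
	}
	return true, "AsExpected"
}

func main() {
	host := "auth-openshift-custom.example.com" // constructed, not the reporter's host
	for _, san := range []bool{false, true} {
		ok, reason := checkCustomRouteCert(makeCert(host, san), host)
		fmt.Printf("withSAN=%v Upgradeable=%v reason=%s\n", san, ok, reason)
	}
}
```

The SANless case yields the same "certificate relies on legacy Common Name field, use SANs instead" text seen in the operator conditions above, which is the signal a pre-upgrade check can turn into Upgradeable=False.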