Bug 2054256

Summary: KAS operator should be marked Upgradeable as False when kube-apiserver serving cert uses SAN-less certificate
Product: OpenShift Container Platform
Reporter: Rahul Gangwar <rgangwar>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED DUPLICATE
QA Contact: Xingxing Xia <xxia>
Severity: high
Priority: high
Version: 4.9
CC: aos-bugs, kostrows, mfojtik, surbania, wking
Target Release: 4.9.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-06-30 10:51:42 UTC
Type: Bug
Bug Depends On: 2031839

Description Rahul Gangwar 2022-02-14 14:30:13 UTC
Description of problem:
KAS operator should be marked Upgradeable as False after adding a customized NO_SAN certificate, but KAS is marked Upgradeable as True; see bug 2037274 for background. Logging in with the new certificate shows the error "unable to connect to the server: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0".

Version-Release number of selected component (if applicable):
4.9

How reproducible:
Always

Steps to Reproduce:
1. Make the RESOLVEABLE_CUSTOM_FQDN resolvable.
a) Open https://console.aws.amazon.com/route53/home?region=us-east-2.
b) In Hosted Zones, click on the item of CUSTOM_DOMAIN; it is already there, created for team use.
c) Click 'Create Record Set'
- Name: your customized hostname, e.g. {anyname}.CUSTOM_DOMAIN
  Type: A IPv4 Address
  Value: the IP address where our route can be resolved, which you can get from `nslookup {from your cluster hostname}`
For example:
$ nslookup api.YOUR_ENV_SUFFIX
...
Non-authoritative answer:
Name:    api.YOUR_ENV_SUFFIX
Address: 18.189....
...

2. Prepare cert without SAN:
RESOLVEABLE_CUSTOM_FQDN={anyname}.CUSTOM_DOMAIN
mkdir test_customized_kas_cert_no_san
cd test_customized_kas_cert_no_san

openssl genrsa -out caKey.pem 2048

openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=$RESOLVEABLE_CUSTOM_FQDN"

openssl genrsa -out serverKey.pem 2048

cat > server_no_san.conf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF

openssl req -new -key serverKey.pem -out server.csr -subj "/CN=$RESOLVEABLE_CUSTOM_FQDN" -config server_no_san.conf

openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server_no_san.conf

3. Create a secret for KAS.

oc create secret tls custom-api-cert --cert=serverCert.pem --key=serverKey.pem -n openshift-config

oc patch --type=merge apiserver/cluster -p "
spec:
  servingCerts:
    namedCertificates:
    - names:
      - $RESOLVEABLE_CUSTOM_FQDN
      servingCertificate:
        name: custom-api-cert
"

rm -f new.kubeconfig; touch new.kubeconfig; oc --insecure-skip-tls-verify login -u kubeadmin -p
 
KUBEADMIN_TOKEN=$(oc --insecure-skip-tls-verify whoami -t)

oc get no --server https://$RESOLVEABLE_CUSTOM_FQDN:6443 --certificate-authority caCert.pem --kubeconfig new.kubeconfig --token $KUBEADMIN_TOKEN shows the error below:
Unable to connect to the server: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Check whether the KAS operator is marked Upgradeable as False:
oc get co kube-apiserver -o yaml

  - lastTransitionTime: "2022-02-10T04:43:32Z"
    message: 'KubeletMinorVersionUpgradeable: Kubelet and API server minor versions are synced.'
    reason: AsExpected
    status: "True"
    type: Upgradeable

Actual results:
KAS operator is marked as Upgradeable True.


Expected results:
KAS operator should be marked Upgradeable as False.

Additional info:

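As an added example (not code from this bug or from the kube-apiserver operator), the Go program below builds a CN-only serving certificate of the shape the openssl steps produce, classifies it as SAN-less, and implements the Upgradeable check the report asks for; the host name and the namedCertificates entry names are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sort"
)

// makeServingCert builds a self-signed serving cert (constructed test data); withSAN=false leaves only the legacy CN.
func makeServingCert(host string, withSAN bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
	}
	if withSAN {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// LacksSAN reports whether a cert has no Subject Alternative Name of any kind; Go clients such as oc match hostnames only against SANs.
func LacksSAN(c *x509.Certificate) bool {
	return len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) == 0
}

// UpgradeableStatus is the check the report asks of the operator: any namedCertificates entry served without SANs yields Upgradeable=False.
func UpgradeableStatus(named map[string]*x509.Certificate) (status string, offenders []string) {
	for name, c := range named {
		if LacksSAN(c) {
			offenders = append(offenders, name)
		}
	}
	if len(offenders) == 0 {
		return "True", nil
	}
	sort.Strings(offenders)
	return "False", offenders
}
```

Calling VerifyHostname on the SAN-less cert returns the same "relies on legacy Common Name field" HostnameError that oc surfaces above, which is why the operator should refuse to report Upgradeable=True for such a cert.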
Comment 1 Krzysztof Ostrowski 2022-02-22 13:34:57 UTC
Assigned to @surbania

Comment 2 Standa Laznicka 2022-06-30 10:51:42 UTC

*** This bug has been marked as a duplicate of bug 2037274 ***