Description of problem:
In upgrade logs I observed

> 2020-05-01T18:36:37.0791842Z 2020-05-01 18:36:37.079092 E | rafthttp: failed to dial d8027fcd63ed8f3f on stream MsgApp v2 (x509: certificate is valid for localhost, mffaz1.qe.azure.devcluster.openshift.com, 10.0.0.6, not etcd-0.mffaz1.qe.azure.devcluster.openshift.com)

This is a regression, in 4.3 peer and server certs both had wildcard.

https://github.com/openshift/machine-config-operator/blob/a8b6ec1b0c6cb544e6160ef2f65a7c2b59e6d199/pkg/controller/template/render.go#L382

while in 4.4 we only include the domain without wildcard.

X509v3 Subject Alternative Name:
DNS:localhost, DNS:mffaz1.qe.azure.devcluster.openshift.com, DNS:10.0.0.4, IP Address:10.0.0.4

This regression could affect upgrades.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
peer certs are missing *.etcdDiscoveryDomain wildcard in SAN

Expected results:
etcd peers certs contain proper SAN

Additional info:
Reverting the change for 4.5 as it is not correct; this change should only be needed in 4.4 to cover upgrades from 4.3 clusters.
Lowering severity as this is being reverted.
Typo in comment 6: Verified in OCP 4.5 with 4.5.0-0.nightly-2020-05-06-003431, and checked in 4.4 (4.4.0-0.nightly-2020-05-08-033144), which the fix has not been merged into.
Back into POST so we can hang https://github.com/openshift/cluster-etcd-operator/pull/341 on this same bug. Moving VERIFIED -> POST is cheating a bit, and is not a good idea when we are actively releasing the target branch, but we aren't releasing 4.5 yet, so cheating here is ok.
Close it. Please contact me if there is any issue, thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409