Bug 2040345 - oVirt CSI driver will fail to connect when legacy certificates are used
Summary: oVirt CSI driver will fail to connect when legacy certificates are used
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.10
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Janos Bonic
QA Contact: Michael Burman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-13 14:07 UTC by Janos Bonic
Modified: 2022-03-31 11:34 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Starting in OpenShift Container Platform 4.10, the OpenShift codebase is switching to Go 1.17. As a result, Red Hat Virtualization (RHV) engine certificates that were issued manually and do not contain a Subject Alternative Name field might be rejected by the oVirt CSI driver, oVirt CSI driver operator, cluster API provider, and the OpenShift Installer. When upgrading OpenShift to 4.10, the operators related to RHV (oVirt) might be degraded due to this issue. To resolve this issue, create a new certificate for the RHV Manager with the correct subjectAltName field set to the host name of the engine and replace it using the procedure described here: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate
Clone Of:
Environment:
Last Closed: 2022-03-31 11:34:31 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2038166 1 urgent CLOSED Starting from Go 1.17 invalid certificates will render a cluster non-functional 2022-03-10 16:37:54 UTC

Description Janos Bonic 2022-01-13 14:07:22 UTC
Description of problem: As indicated in BZ #2038166 for OpenStack, OCP 4.10 will move to Go 1.17. This will impact customers who have generated their own certificates for RHV and have not provided SAN fields.

Version-Release number of selected component (if applicable): 4.10

How reproducible: Always

Steps to Reproduce:
1. Create a custom certificate for RHV with only the CN field filled in, but not the SAN fields.
2. Configure OCP on RHV.

Actual results:

CSI driver will be degraded.

Expected results:

There should be a KCS explaining this behavior, including the specific error message the customer will get.

Comment 2 Janos Bonic 2022-03-31 11:34:31 UTC
This is not a problem because RHV itself already won't work.

