Description of problem:
The KAS operator should be marked Upgradeable=False after adding a customized NO_SAN certificate, but KAS is marked Upgradeable=True (see bug 2037274 for background), and logging in with the new certificate fails with:
"unable to connect to the server: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"

Version-Release number of selected component (if applicable):
4.9

How reproducible:
Always

Steps to Reproduce:
1. Make the RESOLVEABLE_CUSTOM_FQDN resolvable.
   a) Open https://console.aws.amazon.com/route53/home?region=us-east-2.
   b) In Hosted Zones, click on the item of CUSTOM_DOMAIN; it is already created there for team use.
   c) Click 'Create Record Set':
      Name: your customized hostname, e.g. {anyname}.CUSTOM_DOMAIN
      Type: A IPv4 Address
      Value: the IP address where our route can be resolved; you can get it from `nslookup {your cluster hostname}`. For example:
      $ nslookup api.YOUR_ENV_SUFFIX
      ...
      Non-authoritative answer:
      Name: api.YOUR_ENV_SUFFIX
      Address: 18.189....
      ...

2. Prepare a cert without SAN:
RESOLVEABLE_CUSTOM_FQDN={anyname}.CUSTOM_DOMAIN
mkdir test_customized_kas_cert_no_san
cd test_customized_kas_cert_no_san
openssl genrsa -out caKey.pem 2048
openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=$RESOLVEABLE_CUSTOM_FQDN"
openssl genrsa -out serverKey.pem 2048
cat > server_no_san.conf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF
openssl req -new -key serverKey.pem -out server.csr -subj "/CN=$RESOLVEABLE_CUSTOM_FQDN" -config server_no_san.conf
openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server_no_san.conf

3. Create a secret for KAS and configure it as a named serving certificate:
oc create secret tls custom-api-cert --cert=serverCert.pem --key=serverKey.pem -n openshift-config
oc patch --type=merge apiserver/cluster -p "
spec:
  servingCerts:
    namedCertificates:
    - names:
      - $RESOLVEABLE_CUSTOM_FQDN
      servingCertificate:
        name: custom-api-cert
"

Then log in through the custom name, trusting only the custom CA (the kubeadmin password is elided here):
rm -f new.kubeconfig; touch new.kubeconfig
oc --insecure-skip-tls-verify login -u kubeadmin -p <kubeadmin password>
KUBEADMIN_TOKEN=$(oc --insecure-skip-tls-verify whoami -t)
oc get no --server https://$RESOLVEABLE_CUSTOM_FQDN:6443 --certificate-authority caCert.pem --kubeconfig new.kubeconfig --token $KUBEADMIN_TOKEN

This shows the error below:
Unable to connect to the server: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Check that the KAS operator is Upgradeable=False:
oc get co kube-apiserver -o yaml
  - lastTransitionTime: "2022-02-10T04:43:32Z"
    message: 'KubeletMinorVersionUpgradeable: Kubelet and API server minor versions are synced.'
    reason: AsExpected
    status: "True"
    type: Upgradeable

Actual results:
KAS operator is marked Upgradeable=True.

Expected results:
KAS operator should be marked Upgradeable=False.

Additional info:
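The check the report expects from the operator is a pre-flight inspection of each named serving certificate: does a SAN cover every configured name, or would a client only be able to match the legacy Common Name (which Go clients such as oc reject)? The Go program below is an added illustration written for this bug, not code from the kube-apiserver operator or the OpenShift project. It mirrors the openssl steps above (a throwaway CA plus a CN-only leaf and a leaf with a SAN) entirely in memory, using a placeholder hostname in place of RESOLVEABLE_CUSTOM_FQDN; the helper names CheckServingCert, UpgradeableStatus, newCA and issueServerCert are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertCheck is the result of inspecting one serving certificate against the
// names it is configured to serve (hypothetical type, not operator code).
type CertCheck struct {
	HasSANs   bool     // the certificate carries any DNS or IP SANs at all
	Uncovered []string // configured names that no SAN matches
	LegacyCN  bool     // a name matches only the CN: exactly the rejected case
}

// CheckServingCert parses a PEM certificate and reports, for each configured
// name, whether a SAN covers it. x509.VerifyHostname consults SANs only, so a
// CN-only certificate fails for every name; when the CN equals the name we
// flag it as LegacyCN, which is what yields "certificate relies on legacy
// Common Name field" on the client side.
func CheckServingCert(certPEM []byte, names []string) (CertCheck, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertCheck{}, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertCheck{}, err
	}
	res := CertCheck{HasSANs: len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0}
	for _, n := range names {
		if cert.VerifyHostname(n) != nil {
			res.Uncovered = append(res.Uncovered, n)
			if !res.HasSANs && cert.Subject.CommonName == n {
				res.LegacyCN = true
			}
		}
	}
	return res, nil
}

// UpgradeableStatus maps the checks to the condition the report expects:
// any legacy-CN-only certificate should block upgrades ("False").
func UpgradeableStatus(checks []CertCheck) string {
	for _, c := range checks {
		if c.LegacyCN {
			return "False"
		}
	}
	return "True"
}

// newCA builds a self-signed CA in memory (constructed demo data, like caCert.pem/caKey.pem).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return ca, key
}

// issueServerCert issues a leaf with the given CN and optional DNS SANs,
// equivalent to the server_no_san.conf flow when sans is nil (demo data).
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, sans []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	const host = "api-custom.example.test" // placeholder for RESOLVEABLE_CUSTOM_FQDN
	ca, caKey := newCA()
	var checks []CertCheck
	for _, c := range []struct {
		label string
		pem   []byte
	}{
		{"CN-only (server_no_san.conf)", issueServerCert(ca, caKey, host, nil)},
		{"CN + SAN", issueServerCert(ca, caKey, host, []string{host})},
	} {
		r, err := CheckServingCert(c.pem, []string{host})
		fmt.Printf("%-30s sans=%v uncovered=%v legacyCN=%v err=%v\n", c.label, r.HasSANs, r.Uncovered, r.LegacyCN, err)
		checks = append(checks, r)
	}
	fmt.Println("Upgradeable:", UpgradeableStatus(checks))
}
```

Running it prints one line per certificate and then "Upgradeable: False", because the CN-only leaf leaves the configured name uncovered. Feeding the real serverCert.pem from step 2 to CheckServingCert (with RESOLVEABLE_CUSTOM_FQDN as the name) reproduces the same LegacyCN result before any oc login is attempted.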
Assigned to @surbania
*** This bug has been marked as a duplicate of bug 2037274 ***