Common name in kubernetes certificates is invalid

Bug #1705694 reported by Spyros Trigazis
Affects: Magnum
Status: In Progress
Importance: Undecided
Assigned to: Spyros Trigazis

Bug Description

In kubernetes with atomic we have a set of certificates that we use in three places:
1. etcd
2. kubernetes apiserver
3. kubernetes service accounts

In order to make service accounts work we need to set the common name properly in the certificates.

Example failure for a service running in a cluster, which failed:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname kubernetes.default.svc not verified:
certificate: sha1/IP/mxPjCh0RqUExZYVfMhuHWmFU=
DN: CN=kubernetes.invalid

Reference cert configuration in CoreOS docs:
https://coreos.com/kubernetes/docs/latest/openssl.html

We need similar changes in CoreOS drivers and openSUSE.

http://git.openstack.org/cgit/openstack/magnum/tree/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml#n125
http://git.openstack.org/cgit/openstack/magnum/tree/contrib/drivers/k8s_opensuse_v1/templates/fragments/make-cert.sh#n102
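
The hostname check behind the failure above, as an added example (not Magnum code and not part of the original report): it models how a verifying TLS client matches a target name against a certificate's SANs and CN, and lists the in-cluster API names a certificate would be rejected for. The required-name list assumes the default `cluster.local` domain, and the three sample certificates are constructed field values.

```python
import ipaddress

# Assumption: default cluster domain "cluster.local". Only
# kubernetes.default.svc is named in the bug report itself.
REQUIRED_NAMES = [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
]

def dns_match(pattern, host):
    """RFC 6125 style match: '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]

def verifies(host, common_name, san_dns=(), san_ips=(), cn_fallback=True):
    """True if a hostname-verifying TLS client would accept the cert for host."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:  # IP targets match iPAddress SANs only
        return any(ipaddress.ip_address(i) == addr for i in san_ips)
    if san_dns:  # any dNSName SAN present: the CN is ignored
        return any(dns_match(p, host) for p in san_dns)
    return cn_fallback and dns_match(common_name, host)

def uncovered(common_name, san_dns=(), san_ips=(), cn_fallback=True):
    """Required in-cluster names this certificate would fail to verify for."""
    return [n for n in REQUIRED_NAMES
            if not verifies(n, common_name, san_dns, san_ips, cn_fallback)]

# Constructed sample certificates (field values only), not from a real cluster.
BROKEN = {"common_name": "kubernetes.invalid", "san_ips": ["10.254.0.1"]}
CN_ONLY = {"common_name": "kubernetes.default.svc"}
COVERED = {"common_name": "kubernetes.default.svc",
           "san_dns": REQUIRED_NAMES, "san_ips": ["10.254.0.1"]}

if __name__ == "__main__":
    for label, cert in (("broken", BROKEN), ("cn-only", CN_ONLY), ("covered", COVERED)):
        print(label, "->", uncovered(**cert) or "all names covered")
```

The `CN_ONLY` case shows that a correct common name alone covers a single name and only for clients that still fall back to the CN; pass `cn_fallback=False` to model clients that consult SANs exclusively.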

Changed in magnum:
assignee: nobody → Mathieu Velten (matmaul)
status: New → In Progress
Changed in magnum:
assignee: Mathieu Velten (matmaul) → Spyros Trigazis (strigazi)
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/484307
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=a7ab475cd0917ffdeb1dd5ffa5a8a9a38f907b78
Submitter: Jenkins
Branch: master

commit a7ab475cd0917ffdeb1dd5ffa5a8a9a38f907b78
Author: Mathieu Velten <email address hidden>
Date: Mon Jul 17 10:53:21 2017 +0200

    Use kubernetes service name in cert request

    In kubernetes with atomic we have a set of certificates that we use in
    three places:
    1. etcd
    2. kubernetes apiserver
    3. kubernetes service accounts

    In order to make service accounts work we need to set the common name
    properly in the certificates.

    Partial-Bug: #1705694

    Change-Id: I04ed3bba938f0d5f340e2141be94058c38c2ed2b

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/486949

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/ocata)

Reviewed: https://review.openstack.org/486949
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=34f3011913a4480d935fa7d8755ef1947ad5010c
Submitter: Jenkins
Branch: stable/ocata

commit 34f3011913a4480d935fa7d8755ef1947ad5010c
Author: Mathieu Velten <email address hidden>
Date: Mon Jul 17 10:53:21 2017 +0200

    Use kubernetes service name in cert request

    In kubernetes with atomic we have a set of certificates that we use in
    three places:
    1. etcd
    2. kubernetes apiserver
    3. kubernetes service accounts

    In order to make service accounts work we need to set the common name
    properly in the certificates.

    Partial-Bug: #1705694

    Change-Id: I04ed3bba938f0d5f340e2141be94058c38c2ed2b
    (cherry picked from commit a7ab475cd0917ffdeb1dd5ffa5a8a9a38f907b78)

tags: added: in-stable-ocata