Changing OAM IP does not update apiserver SANs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Andy |
Bug Description
Brief Description
-----------------
When the bootstrap manifest is applied, the system adds any OAM IP addresses to the apiserver's certificate SAN list. This is used for remote kubectl access. However, when the OAM IP address is changed, these IP values are not updated. Without the correct values in the apiserver cert, remote access will fail.
Severity
--------
Major
Steps to Reproduce
------------------
Bring up a StarlingX system
Change any of the OAM IP addresses
Expected Behavior
------------------
The new OAM IP addresses are present in the Kubernetes API server certificate SAN list
eg:
openssl x509 -in /etc/kubernetes
Certificate:
...
X509v3 Subject Alternative Name:
Actual Behavior
----------------
The certificate is unchanged. The old values persist in the certificate SAN list.
Reproducibility
---------------
Reproducible
System Configuration
-------
All configurations
Branch/Pull Time/Commit
-------
Any build that includes this commit: https:/
Last Pass
---------
NA
Timestamp/Logs
--------------
NA
Test Activity
-------------
Developer Testing
Workaround
----------
A workaround may be possible by manually updating the kubeadm conf and regenerating the apiserver cert on all controllers.
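One way to check for the condition described in this report, as an added example that is not part of the original bug report or of StarlingX: the script parses the text form of the certificate (as printed by `openssl x509 -noout -text`) and lists the OAM addresses missing from the SAN list. The sample certificate text, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `openssl x509 -noout -text` output (not from a real system).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, IP Address:10.96.0.1, IP Address:192.0.2.10, IP Address:192.0.2.11, IP Address:2001:DB8:0:0:0:0:0:10
    Signature Algorithm: sha256WithRSAEncryption
"""

SAN_HEADER = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*(critical)?\s*$")


def san_ips(cert_text):
    """Return the set of IP SAN entries found in openssl's text dump."""
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if SAN_HEADER.match(line) and i + 1 < len(lines):
            ips = set()
            # openssl prints all SAN entries on the line after the header.
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "IP Address":
                    # ip_address() normalizes openssl's expanded IPv6 form.
                    ips.add(ipaddress.ip_address(value.strip()))
            return ips
    return set()  # no SAN extension present


def missing_oam_ips(cert_text, oam_ips):
    """Return the OAM addresses that the certificate does not cover, sorted."""
    present = san_ips(cert_text)
    wanted = {ipaddress.ip_address(ip) for ip in oam_ips}
    return sorted(wanted - present, key=lambda a: (a.version, int(a)))


if __name__ == "__main__":
    # Hypothetical OAM addresses after a change: one address moved to .20.
    new_oam = ["192.0.2.20", "192.0.2.11", "2001:db8::10"]
    for ip in missing_oam_ips(SAMPLE_CERT_TEXT, new_oam):
        print(f"apiserver certificate SAN list lacks OAM IP {ip}")
```

Any address reported as missing means remote kubectl access through that address will fail certificate verification until the apiserver certificate is regenerated.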
tags: | added: stx.4.0 stx.config |
Changed in starlingx: | |
importance: | Undecided → Medium |
status: | New → Triaged |
assignee: | nobody → David Sullivan (dsullivanwr) |
tags: | added: stx.security |
Changed in starlingx: | |
assignee: | David Sullivan (dsullivanwr) → Andy (andy.wrs) |
Changed in starlingx: | |
status: | Triaged → In Progress |
Note this is behavior that was missed as part of this change/bug: https://bugs.launchpad.net/starlingx/+bug/1863798