After upgrading OpenShift from 4.9 to 4.10, the authentication operator does not clear the error message from the "Upgradeable" field regarding an invalid SAN certificate
Issue
- After upgrading the cluster to 4.10.57, and after fixing the LDAP server certificate to include a Subject Alternative Name (SAN) section, we can still see the error in the operator status:

  $ oc get co authentication -o yaml
  ...
  status:
    conditions:
    - lastTransitionTime: "2023-05-22T15:42:37Z"
      message: 'InvalidProviderInvalidCertsUpgradeable: Server certificates without SAN detected: {provider="LDAP"}. These have to be replaced to include the respective hosts in their SAN extension and not rely on the Subject''s CN for the purpose of hostname verification.'
      reason: InvalidProviderInvalidCerts_InvalidCertsDetected
      status: "False"
      type: Upgradeable
- The upgrade was forced, ignoring the following message:

  Warning alert: This cluster should not be updated to 4.10. You can continue to update to patch releases in 4.9. Cluster operator authentication should not be upgraded between minor versions: InvalidProviderInvalidCertsUpgradeable: Server certificates without SAN detected: {provider="LDAP"}. These have to be replaced to include the respective hosts in their SAN extension and not rely on the Subject's CN for the purpose of hostname verification.
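Before concluding that the operator message is stale, it is worth confirming that the certificate the LDAP server now presents really carries a SAN entry covering its hostname. The following shell check is an added example, not part of this solution; the host names, file names and the default LDAPS port 636 in it are assumptions.

```shell
#!/bin/sh
# Check whether an X.509 certificate (PEM) carries a subjectAltName entry that
# covers HOST. Return codes: 0 = SAN covers HOST, 1 = SAN present but does not
# cover HOST, 2 = no SAN extension at all or the file could not be parsed (the
# condition the authentication operator reports as "Server certificates without
# SAN detected").
cert_has_san_for_host() {
  cert="$1"
  host="$2"
  # The line after the "Subject Alternative Name" header lists entries such as
  # "DNS:ldap.example.com, IP Address:10.0.0.5"; normalise to one entry per line.
  san_entries=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  if [ -z "$san_entries" ]; then
    return 2
  fi
  # Exact DNS or IP entry for the host.
  if printf '%s\n' "$san_entries" | grep -qxF -e "DNS:$host" -e "IP Address:$host"; then
    return 0
  fi
  # Single-label wildcard: DNS:*.corp.example.com covers ldap.corp.example.com.
  parent=${host#*.}
  if [ "$parent" != "$host" ] && printf '%s\n' "$san_entries" | grep -qxF "DNS:*.$parent"; then
    return 0
  fi
  return 1
}

# Fetch the certificate an LDAPS server presents (port 636 assumed by default)
# and run the same check on it. Needs network access; not used by the offline test.
ldap_server_san_check() {
  host="$1"
  port="${2:-636}"
  tmp=$(mktemp)
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp" || { rm -f "$tmp"; return 2; }
  cert_has_san_for_host "$tmp" "$host" && rc=0 || rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

A return code of 2 from `ldap_server_san_check ldap.example.com` means the server is still serving a certificate without SAN and the operator condition is correct, not stale.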
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- Upgrade from any 4.9 version to any 4.10 version (lower than 4.10.63).
- Users authenticate externally to an LDAP server that, prior to the upgrade, does not have a valid SAN certificate.
See also the solution "Upgrade stuck in waiting exceeded 40 minutes for these operators: console" for more scenarios affected by this issue.