kubespray
Fix openssl SAN check on newer versions of OpenSSL
What type of PR is this?
/kind bug
What this PR does / why we need it: Newer versions of OpenSSL appear to return an exit code of 1 if the -checkhost name doesn't match. Older versions of OpenSSL seem to return 0 regardless of whether it matched or not:
[root@lab-loadbalancer-01-lon1-uk ~]# openssl version
OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)
[root@lab-loadbalancer-01-lon1-uk ~]# openssl x509 -noout -in apiserver.crt -checkhost lab-master-01-lon1-uk.cluster.local && echo "Matched" || echo "Did not match"
Hostname lab-master-01-lon1-uk.cluster.local does match certificate
Matched
[root@lab-loadbalancer-01-lon1-uk ~]# openssl x509 -noout -in apiserver.crt -checkhost i-should-not-match && echo "Matched" || echo "Did not match"
Hostname i-should-not-match does NOT match certificate
Matched
root@lab-master-01-lon1-uk:/etc/kubernetes/ssl# openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
root@lab-master-01-lon1-uk:/etc/kubernetes/ssl# openssl x509 -noout -in apiserver.crt -checkhost lab-master-01-lon1-uk.cluster.local && echo "Matched" || echo "Did not match"
Hostname lab-master-01-lon1-uk.cluster.local does match certificate
Matched
root@lab-master-01-lon1-uk:/etc/kubernetes/ssl# openssl x509 -noout -in apiserver.crt -checkhost i-should-not-match && echo "Matched" || echo "Did not match"
Hostname i-should-not-match does NOT match certificate
Did not match
This causes ansible to exit on the SAN check:
TASK [kubernetes/control-plane : Kubeadm | Check apiserver.crt SAN hosts] ***************************************************
....
failed: [lab-master-01-lon1-uk.k8s.intahnet.co.uk] (item=lab-master-01-lon1-uk.cluster.local) => {"ansible_loop_var": "item", "changed": true, "cmd": ["openssl", "x509", "-noout", "-in", "/etc/kubernetes/ssl/apiserver.crt", "-checkhost", "lab-master-01-lon1-uk.cluster.local"], "delta": "0:00:00.022344", "end": "2024-06-07 06:19:02.072828", "item": "lab-master-01-lon1-uk.cluster.local", "msg": "non-zero return code", "rc": 1, "start": "2024-06-07 06:19:02.050484", "stderr": "", "stderr_lines": [], "stdout": "Hostname lab-master-01-lon1-uk.cluster.local does NOT match certificate", "stdout_lines": ["Hostname lab-master-01-lon1-uk.cluster.local does NOT match certificate"]}
....
NO MORE HOSTS LEFT **********************************************************************************************************
Adding ignore_errors: true should fix this.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
NONE
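An added example, not part of this PR or of kubespray: a shell SAN check that takes its verdict from the line `openssl x509 -checkhost` prints ("does match" / "does NOT match") rather than from the exit code, so it behaves the same on the 3.1.1 and 3.2.1 builds shown above and still fails when a hostname is genuinely missing from the certificate. The certificate path, the hostnames and the self-signed demo certificate are assumptions constructed for illustration; `-addext` requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not kubespray code. Checks apiserver SAN coverage in a way
# that does not depend on the exit code of `openssl x509 -checkhost`, which
# is 0 on older OpenSSL even for a mismatch and 1 on newer OpenSSL.

# Pure function: classify the one-line verdict printed by -checkhost.
# 0 = "does match", 1 = "does NOT match", 2 = anything else (unreadable
# cert, unexpected output) so that silence is never taken as success.
classify_checkhost_output() {
    case "$1" in
        *"does NOT match certificate"*) return 1 ;;
        *"does match certificate"*)     return 0 ;;
        *)                              return 2 ;;
    esac
}

# Run the real check; the result comes from the printed verdict only.
san_matches() {
    cert="$1"; host="$2"
    out="$(openssl x509 -noout -in "$cert" -checkhost "$host" 2>&1)"
    classify_checkhost_output "$out"
}

# Check every expected SAN entry and report all misses, not just the first.
check_all_sans() {
    cert="$1"; shift
    rc=0
    for host in "$@"; do
        if san_matches "$cert" "$host"; then
            echo "ok   $host"
        else
            echo "FAIL $host is not covered by $cert"
            rc=1
        fi
    done
    return $rc
}

# Demo against a constructed self-signed certificate (hostnames are made up):
#   sh san_check.sh demo
if [ "${1:-}" = "demo" ]; then
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 2; }
    tmp="$(mktemp -d)"
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=apiserver" \
        -addext "subjectAltName=DNS:lab-master-01-lon1-uk.cluster.local,DNS:kubernetes.default.svc" \
        -keyout "$tmp/apiserver.key" -out "$tmp/apiserver.crt" 2>/dev/null
    check_all_sans "$tmp/apiserver.crt" \
        lab-master-01-lon1-uk.cluster.local kubernetes.default.svc i-should-not-match
    rm -rf "$tmp"
fi
```

The same verdict-based test can be expressed in an Ansible task with `failed_when` keyed on the command's stdout instead of its return code, which keeps the check portable across OpenSSL versions without suppressing real mismatches.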