2 files changed, 28 insertions, 4 deletions

diff --git a/roles/lib_openshift/library/oc_adm_csr.py b/roles/lib_openshift/library/oc_adm_csr.py
index d1dc4caf8..324f52689 100644
--- a/roles/lib_openshift/library/oc_adm_csr.py
+++ b/roles/lib_openshift/library/oc_adm_csr.py
@@ -1478,11 +1478,23 @@ class OCcsr(OpenShiftCLI):
 
         return False
 
+    def get_csr_request(self, request):
+        '''base64 decode the request object and call openssl to determine the
+           subject and specifically the CN: from the request
+
+           Output:
+           (0, '...
+                Subject: O=system:nodes, CN=system:node:ip-172-31-54-54.ec2.internal
+                ...')
+        '''
+        import base64
+        return self._run(['openssl', 'req', '-noout', '-text'], base64.b64decode(request))[1]
+
     def match_node(self, csr):
         '''match an inc csr to a node in self.nodes'''
         for node in self.nodes:
-            # we have a match
-            if node['name'] in csr['metadata']['name']:
+            # we need to match based upon the csr's request certificate's CN
+            if node['name'] in self.get_csr_request(csr['spec']['request']):
                 node['csrs'][csr['metadata']['name']] = csr
 
                 # check that the username is the node and type is 'Approved'
diff --git a/roles/lib_openshift/src/class/oc_adm_csr.py b/roles/lib_openshift/src/class/oc_adm_csr.py
index ea11c6ca9..22b8f9165 100644
--- a/roles/lib_openshift/src/class/oc_adm_csr.py
+++ b/roles/lib_openshift/src/class/oc_adm_csr.py
@@ -66,11 +66,23 @@ class OCcsr(OpenShiftCLI):
 
         return False
 
+    def get_csr_request(self, request):
+        '''base64 decode the request object and call openssl to determine the
+           subject and specifically the CN: from the request
+
+           Output:
+           (0, '...
+                Subject: O=system:nodes, CN=system:node:ip-172-31-54-54.ec2.internal
+                ...')
+        '''
+        import base64
+        return self._run(['openssl', 'req', '-noout', '-text'], base64.b64decode(request))[1]
+
     def match_node(self, csr):
         '''match an inc csr to a node in self.nodes'''
         for node in self.nodes:
-            # we have a match
-            if node['name'] in csr['metadata']['name']:
+            # we need to match based upon the csr's request certificate's CN
+            if node['name'] in self.get_csr_request(csr['spec']['request']):
                 node['csrs'][csr['metadata']['name']] = csr
 
                 # check that the username is the node and type is 'Approved'