Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Fix Version/s: CNV v4.12.0
Affects Version/s: None
Component/s: CNV Install, Upgrade and Operators
Labels:
- cnv-4+
- cnvbugsm
- devel_ack+
- needinfo+
- pm_ack+
- qa_ack+

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
BZ Status:
CLOSED
BZ URL:
https://bugzilla.redhat.com/show_bug.cgi?id=2130588
Bugzilla Bug:
RHBZ: 2130588
[QE] How to address?:
---
[QE] Why QE missed?:
---

Sprint:
CNV I/U Operators Sprint 226, CNV I/U Operators Sprint 227, CNV I/U Operators Sprint 228

Regression:
None

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Description of problem:

– patch apiserver with ciphers ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]

$ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom:

{minTLSVersion: "VersionTLS12", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}

, type: "Custom"} }]'
The APIServer "cluster" is invalid:

spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string {"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}: no supported cipher suite found
* spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"}
: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)

– patch hco with ciphers ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]

$ oc patch hco -n openshift-cnv --type=json kubevirt-hyperconverged -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom:

{minTLSVersion: "VersionTLS12", ciphers: ["DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305"]}

, type: "Custom"} }]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged patched

cipher ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256 is mandatory for now for apiserver.

Version-Release number of selected component (if applicable):
4.12 with FIPS

How reproducible:
always

Steps to Reproduce:
1.try to patch apiserver and hco
2.
3.

Actual results:

supported ciphers should be in sync. Here we see some of the ciphers which are not accepted by apiserver while they are accepted by hco

Expected results:
common ciphers should be supported by all

Additional info:

$ oc patch apiserver --type=json cluster -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom:

{minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]}

, type: "Custom"} }]'
The APIServer "cluster" is invalid:

spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
: no supported cipher suite found
spec.tlsSecurityProfile.custom.minTLSVersion: Unsupported value: "VersionTLS13": supported values: "VersionTLS10", "VersionTLS11", "VersionTLS12"

--> No support for TLS 1.3 at the moment

external trackers

Github kubevirt/hyperconverged-cluster-operator/pull/2108

Red Hat Errata Tool 95482

Red Hat Issue Tracker CNV-21547

Red Hat Product Errata RHSA-2023:0408

Assignee:: João Vilaça

Reporter:: Geetika Kapoor

QA Contact:: Geetika Kapoor

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022/09/28 2:20 PM

Updated:: 2023/01/24 1:41 PM

Resolved:: 2023/01/24 1:41 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates