Details
-
Bug
-
Resolution: Done-Errata
-
Minor
-
None
-
False
-
-
False
-
CLOSED
-
---
-
---
-
CNV I/U Operators Sprint 228, CNV I/U Operators Sprint 229
Description
Description of problem:
HCO should pick TLSProfile from apiserver if not specified in HCO explicitly.
Version-Release number of selected component (if applicable):
4.12
How reproducible:
Always
Steps to Reproduce:
1.Set Old profile on cluster level (oc edit apiserver cluster)
2.check HCO - it does not have Old profile inside
3. check connection to HCO - it allows tls v1.2 and 1.3 only
4. check Kubevirt - it has tls configuration updated
5. check connection to Kubevirt - it allows all versions: 1.0, 1.1, 1.2, 1.3
Actual results:
HCO doesn't pick apiserver ciphers like kuebirt /SSP are picking up.
Expected results:
if you don't have any explicit value on HCO, all the components should comply with the cluster wide setting on apiserver
Additional info:
with custom profile
cnv-qe-jenkins@cnv-qe-infra-01:~$ oc get apiserver cluster -ojsonpath=
{.spec.tlsSecurityProfile}{"custom":{"ciphers":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS12"},"type":"Custom"}
cnv-qcnv-qe-jenkins@cnv-qe-infra-01:~$ oc get ssp ssp-kubevirt-hyperconverged -ojsonpath={.spec.tlsSecurityProfile}
{"custom":
{"ciphers":["DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS12"},"type":"Custom"}
cnv-qcnv-qe-jenkins@cnv-qe-infra-01:~$ oc get hco kubevirt-hyperconverged -ojsonpath=
{.spec.tlsSecurityProfile}Attachments
Issue Links
- external trackers