Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Fix Version/s: CNV v4.12.0
Affects Version/s: None
Component/s: CNV Install, Upgrade and Operators
Labels:
- cnv-4+
- cnvbugsm
- devel_ack+
- pm_ack+
- qa_ack+
- qe_test_coverage-

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
BZ Status:
CLOSED
BZ URL:
https://bugzilla.redhat.com/show_bug.cgi?id=2141399
Bugzilla Bug:
RHBZ: 2141399
[QE] How to address?:
---
[QE] Why QE missed?:
---
Intelligence Requested:
Market:

Sprint:
CNV I/U Operators Sprint 227, CNV I/U Operators Sprint 228, CNV I/U Operators Sprint 229, CNV I/U Operators Sprint 230
Severity:
Medium

Regression:
None

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Description of problem:
------------------------
Attempt to set the TLS security profile for CDI fails

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
kubevirt-hyperconverged-operator.4.12.0-684

How reproducible:
-----------------
Always

Steps to Reproduce:
-------------------
1. Apply HCO jsonpatch annotation to update TLS security profile for CDI

oc annotate --overwrite -n openshift-cnv hco kubevirt-hyperconverged containerizeddataimporter.kubevirt.io/jsonpatch='[{"op": "replace", "path": "/spec/config/tlsSecurityProfile", "value": {"old":{}, "type": "Old"}}]'

2. Get the TLS security profile set on CDI

oc get cdi cdi-kubevirt-hyperconverged -n openshift-cnv -ojsonpath= {.spec.config.tlsSecurityProfile}

Actual results:
---------------
CDI has got incorrect definition for 'tlsSecurityProfile' as:
[cnv-qe-jenkins@ ~]$ oc get cdi cdi-kubevirt-hyperconverged -n openshift-cnv -ojsonpath={.spec.config.tlsSecurityProfile}
{"intermediate":{},"old":{},"type":"Old"}[

Expected results:
-----------------
CDI should contain the right definition ( not the mix of 2 TLS profiles ) for TLS security profile.
{"old":{}, "type": "Old"}

Additional info:
----------------
By default TLS security profile enabled at CDI is 'intermediate', but if HCO jsonpatch annotation contains TLS security profile, then that should be reflected in CDI but not the mix of TLS security profiles.

Even this issue is true with 'custom' TLS security profile too.

[cnv-qe-jenkins@ ~]$ oc annotate --overwrite -n openshift-cnv hco kubevirt-hyperconverged containerizeddataimporter.kubevirt.io/jsonpatch='[{"op": "replace", "path": "/spec/config/tlsSecurityProfile", "value": {"custom":

{"ciphers":["ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"], "minTLSVersion": "VersionTLS12"}

,"type": "Custom"}}]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged annotated

[cnv-qe-jenkins@ ~]$ oc get cdi cdi-kubevirt-hyperconverged -n openshift-cnv -ojsonpath=

{.spec.config.tlsSecurityProfile}

{"custom":

{"ciphers":["ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"],"minTLSVersion":"VersionTLS12"}

,"intermediate":{},"type":"Custom"}

Here the CDI is configured with the mix of 'custom' and 'intermediate' which is incorrect.

is duplicated by

CNV-22384 [2141419] Unable to set TLS Security profile for CNAO using HCO jsonpatch annotations

Closed

external trackers

CEE GitLab cpaas-midstream/openshift-virtualization/hyperconverged-cluster-operator/merge_requests/564

Github kubevirt/hyperconverged-cluster-operator/pull/2140

Red Hat Errata Tool 95482

Red Hat Issue Tracker CNV-22383

Red Hat Product Errata RHSA-2023:0408

(1 external trackers)

Assignee:: Simone Tiraboschi

Reporter:: Satheesaran Sundaramoorthi

QA Contact:: Satheesaran Sundaramoorthi

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2022/11/09 5:47 PM

Updated:: 2023/01/24 1:42 PM

Resolved:: 2023/01/24 1:42 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates