Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-22383

[2141399] Unable to set TLS Security profile for CDI using HCO jsonpatch annotations

XMLWordPrintable

    • CNV I/U Operators Sprint 227, CNV I/U Operators Sprint 228, CNV I/U Operators Sprint 229, CNV I/U Operators Sprint 230
    • Medium

      Description of problem:
      ------------------------
      Attempt to set the TLS security profile for CDI fails

      Version-Release number of selected component (if applicable):
      -------------------------------------------------------------
      kubevirt-hyperconverged-operator.4.12.0-684

      How reproducible:
      -----------------
      Always

      Steps to Reproduce:
      -------------------
      1. Apply HCO jsonpatch annotation to update TLS security profile for CDI

      1. oc annotate --overwrite -n openshift-cnv hco kubevirt-hyperconverged containerizeddataimporter.kubevirt.io/jsonpatch='[{"op": "replace", "path": "/spec/config/tlsSecurityProfile", "value": {"old":{}, "type": "Old"}}]'

      2. Get the TLS security profile set on CDI

      1. oc get cdi cdi-kubevirt-hyperconverged -n openshift-cnv -ojsonpath= {.spec.config.tlsSecurityProfile}

        Actual results:
        ---------------
        CDI has got incorrect definition for 'tlsSecurityProfile' as:
        [cnv-qe-jenkins@ ~]$ oc get cdi cdi-kubevirt-hyperconverged -n openshift-cnv -ojsonpath={.spec.config.tlsSecurityProfile}

        {"intermediate":{},"old":{},"type":"Old"}[

      Expected results:
      -----------------
      CDI should contain the right definition ( not the mix of 2 TLS profiles ) for TLS security profile.
      {"old":{}, "type": "Old"}

      Additional info:
      ----------------
      By default TLS security profile enabled at CDI is 'intermediate', but if HCO jsonpatch annotation contains TLS security profile, then that should be reflected in CDI but not the mix of TLS security profiles.

      Even this issue is true with 'custom' TLS security profile too.

      [cnv-qe-jenkins@ ~]$ oc annotate --overwrite -n openshift-cnv hco kubevirt-hyperconverged containerizeddataimporter.kubevirt.io/jsonpatch='[{"op": "replace", "path": "/spec/config/tlsSecurityProfile", "value": {"custom":

      {"ciphers":["ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"], "minTLSVersion": "VersionTLS12"}

      ,"type": "Custom"}}]'
      hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged annotated

      [cnv-qe-jenkins@ ~]$ oc get cdi cdi-kubevirt-hyperconverged -n openshift-cnv -ojsonpath=

      {.spec.config.tlsSecurityProfile}

      {"custom":

      {"ciphers":["ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"],"minTLSVersion":"VersionTLS12"}

      ,"intermediate":{},"type":"Custom"}

      Here the CDI is configured with the mix of 'custom' and 'intermediate' which is incorrect.

            stirabos Simone Tiraboschi
            sasundar@redhat.com Satheesaran Sundaramoorthi
            Satheesaran Sundaramoorthi Satheesaran Sundaramoorthi
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: