Bug
Resolution: Unresolved
Normal
CNV v4.16.1
Moderate
Description of problem:
The user wants to have an internal HTTPS server on his network, with a self-signed certificate, holding the qcow2 images. To create VMs, the DataVolumes will point to that URL. But:
* Doing it through the console fails, because there is no way to set datavolume.spec.source.http.certConfigMap there.
* Doing it through the CLI works, but one needs to set datavolume.spec.source.http.certConfigMap on *every single* DV created; it's annoying and counterproductive.

It does not load the CA from OCP if one configures a custom CA bundle, and there is no global setting in CDI to always apply some default spec.source.http.certConfigMap to every DV. This makes it quite hard for the user to have an HTTPS server to hold images. As a side note, the InsecureTLS config option in CDI only applies to image pulls (DV from registry, not HTTPS), but one would like to have the certificate checked in most cases for security purposes.
Version-Release number of selected component (if applicable):
4.16.1
How reproducible:
Always
Steps to Reproduce:
$ oc get dv rhel8-red-marsupial-85 -o yaml
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  annotations:
    cdi.kubevirt.io/allowClaimAdoption: "true"
    cdi.kubevirt.io/storage.usePopulator: "true"
  creationTimestamp: "2024-08-23T01:55:04Z"
  generation: 1
  labels:
    kubevirt.io/created-by: 4c76a93e-581b-4b63-8019-479caef5bd13
  name: rhel8-red-marsupial-85
  namespace: homelab
  ownerReferences:
  - apiVersion: kubevirt.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: VirtualMachine
    name: rhel8-red-marsupial-85
    uid: 4c76a93e-581b-4b63-8019-479caef5bd13
  resourceVersion: "36116626"
  uid: 026420a4-8fc0-4496-9bb2-f7a3ad6d8de6
spec:
  source:
    http:
      url: https://pi.shift.home.arpa/images/rhel-8.9.qcow2
  storage:
    resources:
      requests:
        storage: 30Gi
status:
  claimName: rhel8-red-marsupial-85
  conditions:
  - lastHeartbeatTime: "2024-08-23T01:55:04Z"
    lastTransitionTime: "2024-08-23T01:55:04Z"
    message: PVC rhel8-red-marsupial-85 Pending
    reason: Pending
    status: "False"
    type: Bound
  - lastHeartbeatTime: "2024-08-23T01:55:31Z"
    lastTransitionTime: "2024-08-23T01:55:04Z"
    status: "False"
    type: Ready
  - lastHeartbeatTime: "2024-08-23T01:55:31Z"
    lastTransitionTime: "2024-08-23T01:55:31Z"
    message: 'Unable to connect to http data source: HTTP request errored: Get "https://pi.shift.home.arpa/images/rhel-8.9.qcow2": tls: failed to verify certificate: x509: certificate signed by unknown authority'
    reason: Error
    status: "False"
    type: Running
  phase: ImportInProgress
  progress: N/A
Actual results:
Fails due to certificate check
Expected results:
A user-friendly and usable way to make it trust the CA, that applies to all DVs (from Console or CLI), without having to add the CA bundle on each by hand.
Is related to: CNV-43231 Cannot pull VM template from private registry with certificate signed by an internal CA (ASSIGNED)
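An added example, not part of the original report and not CDI code: a client-side helper that sets spec.source.http.certConfigMap on every HTTPS-sourced DataVolume, including VirtualMachine dataVolumeTemplates, before the manifests are applied, so certificate verification stays on. The ConfigMap name internal-ca and the function names are assumptions; the ConfigMap holding the CA must exist in each DataVolume's namespace.

```python
import copy
import json

CA_CONFIGMAP = "internal-ca"  # assumed name; must exist in each DV's namespace


def _patch_dv_spec(spec, configmap):
    """Set certConfigMap on an HTTPS source that lacks one. True if changed."""
    http = (spec.get("source") or {}).get("http")
    if not http or not str(http.get("url", "")).lower().startswith("https://"):
        return False  # registry, pvc, blank and plain-http sources are left alone
    if http.get("certConfigMap"):
        return False  # never override an explicit per-DV choice
    http["certConfigMap"] = configmap
    return True


def inject_ca(manifest, configmap=CA_CONFIGMAP):
    """Return (patched_copy, changed_count) for a DataVolume or VirtualMachine."""
    doc = copy.deepcopy(manifest)  # the caller's manifest is not modified
    kind = doc.get("kind")
    if kind == "DataVolume":
        specs = [doc.get("spec") or {}]
    elif kind == "VirtualMachine":
        templates = (doc.get("spec") or {}).get("dataVolumeTemplates") or []
        specs = [t.get("spec") or {} for t in templates]
    else:
        specs = []  # other kinds pass through unchanged
    changed = sum(_patch_dv_spec(s, configmap) for s in specs)
    return doc, changed


# Constructed sample: the DataVolume from the report, trimmed to relevant fields.
SAMPLE_DV = {
    "apiVersion": "cdi.kubevirt.io/v1beta1",
    "kind": "DataVolume",
    "metadata": {"name": "rhel8-red-marsupial-85", "namespace": "homelab"},
    "spec": {
        "source": {"http": {"url": "https://pi.shift.home.arpa/images/rhel-8.9.qcow2"}},
        "storage": {"resources": {"requests": {"storage": "30Gi"}}},
    },
}

if __name__ == "__main__":
    patched, n = inject_ca(SAMPLE_DV)
    print(json.dumps(patched["spec"]["source"], indent=2))
    print(f"{n} source(s) patched")
```

This only covers manifests created from the CLI; DataVolumes created through the console never pass through it.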