  1. Maistra
  2. MAISTRA-2369

1.1 SMCP Regression: HTTPS traffic fails when mtls is not enabled after ossm 2.0.5 CVE patch

Details

    • Bug
    • Resolution: Done
    • Major
    • maistra-1.1.15
    • maistra-1.1.15
    • None
    • None
    • False
    • False
    • qa_ack
    • +
    • Undefined
    • Sprint 4

    Description

      Test case: https://istio.io/v1.4/docs/tasks/security/authentication/https-overlay/#create-an-https-service-with-the-istio-sidecar-and-mutual-tls-disabled

      Test script: https://github.com/maistra/maistra-test-tool/blob/maistra-1.1/tests/task_security_authentication_mtls_https_test.go

      When we tested the 2.0.5 operator with the 1.1.15 SMCP, the existing test case above failed.

      Build info:
      OCP 4.6 and 4.7
      Operator: istio-operator 2.0.5
      SMCP 1.1.15

      How to reproduce:
      1. Deploy 1.1.15 SMCP on OCP 4.7
      2. Add anyuid: oc adm policy add-scc-to-user anyuid -z default -n bookinfo
      3. Follow the Istio doc steps, create nginxsecret and configmap,
      Deploy nginx with sidecar in bookinfo ns
      Deploy sleep with sidecar in bookinfo
      4.

      kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl https://my-nginx -k
      kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl https://my-nginx -k
      

      Results:
      Getting error:
      OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, err

      after 2.0.5 CVE patch

      Expected result:
      curl should return <h1>Welcome to nginx!</h1>
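
The check in step 4, as an added example that is not part of the original report or of maistra-test-tool: a shell helper that runs both curl commands and classifies each result, separating the expected nginx page from the `certificate required` alert (the answering TLS endpoint demanded a client certificate, which this mTLS-disabled test does not supply). The function names, the `-n` namespace argument and the `-sS` curl options are assumptions of this example.

```shell
#!/bin/sh
# Added example: regression check for "HTTPS service with sidecar, mutual TLS disabled".

# Constructed samples: the error line quoted in this report and the expected page.
SAMPLE_FAIL='OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, err'
SAMPLE_PASS='<h1>Welcome to nginx!</h1>'

# Classify the combined stdout/stderr of one `curl https://my-nginx -k` run.
classify_curl_output() {
    case $1 in
        *"Welcome to nginx!"*)          echo pass ;;
        # TLS 1.3 certificate_required alert: the peer insisted on a client
        # certificate, so something on the path is enforcing mutual TLS.
        *"alert certificate required"*) echo client_cert_required ;;
        *"alert "*)                     echo other_tls_alert ;;
        *)                              echo unknown ;;
    esac
}

# Run the two commands from step 4 (sleep container and istio-proxy container)
# and report a verdict per container. Returns 0 only if both get the nginx page.
# Hypothetical helper; namespace defaults to bookinfo as in the repro steps.
check_https_without_mtls() {
    ns=${1:-bookinfo}
    pod=$(kubectl get pod -n "$ns" -l app=sleep \
        -o jsonpath='{.items..metadata.name}') || return 2
    rc=0
    for container in sleep istio-proxy; do
        # 2>&1 keeps curl's error text, which is what carries the TLS alert.
        out=$(kubectl exec -n "$ns" "$pod" -c "$container" -- \
            curl -sS https://my-nginx -k 2>&1) || true
        verdict=$(classify_curl_output "$out")
        printf '%s: %s\n' "$container" "$verdict"
        [ "$verdict" = pass ] || rc=1
    done
    return $rc
}

# On a cluster with the repro deployed: check_https_without_mtls bookinfo
```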

          People

            yuaxu@redhat.com Yuanlin Xu