- Bug
- Resolution: Done-Errata
- Normal
- None
- premerge, 4.15
- Moderate
- No
- Hypershift Sprint 246, Hypershift Sprint 247, Hypershift Sprint 249, Hypershift Sprint 250, Hypershift Sprint 251, Hypershift Sprint 252, Hypershift Sprint 253, Hypershift Sprint 254, Hypershift Sprint 255, Hypershift Sprint 256, Hypershift Sprint 257, Hypershift Sprint 258
- 12
- False
- Release Note Not Required
- In Progress
Description of problem:
In https://issues.redhat.com//browse/STOR-1453 (TLSSecurityProfile feature), the storage clustercsidriver.spec.observedConfig gets its value from APIServer.spec.tlsSecurityProfile to set cipherSuites and minTLSVersion in all corresponding CSI drivers. This doesn't work well in a hypershift cluster: when a different value is set only in hostedclusters.spec.configuration.apiServer.tlsSecurityProfile in the management cluster, the APIServer.spec in the hosted cluster is not synced, and the CSI driver doesn't get the updated value either.
Version-Release number of selected component (if applicable):
Pre-merge test with openshift/csi-operator#69,openshift/csi-operator#71
How reproducible:
Always
Steps to Reproduce:
1. Have a hypershift cluster; the clustercsidriver gets the default value, like "minTLSVersion": "VersionTLS12"

$ oc get clustercsidriver ebs.csi.aws.com -ojson | jq .spec.observedConfig.targetcsiconfig.servingInfo
{
  "cipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  ],
  "minTLSVersion": "VersionTLS12"
}

2. Set the tlsSecurityProfile in hostedclusters.spec.configuration.apiServer in the mgmtcluster, like "minTLSVersion": "VersionTLS11":

$ oc -n clusters get hostedclusters hypershift-ci-14206 -o json | jq .spec.configuration
{
  "apiServer": {
    "audit": {
      "profile": "Default"
    },
    "tlsSecurityProfile": {
      "custom": {
        "ciphers": [
          "ECDHE-ECDSA-CHACHA20-POLY1305",
          "ECDHE-RSA-CHACHA20-POLY1305",
          "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-ECDSA-AES128-GCM-SHA256"
        ],
        "minTLSVersion": "VersionTLS11"
      },
      "type": "Custom"
    }
  }
}

3. This doesn't get passed to the apiserver in the hosted cluster

$ oc get apiserver cluster -ojson | jq .spec
{
  "audit": {
    "profile": "Default"
  }
}

4. The CSI driver still uses the default value, which is different from mgmtcluster.hostedclusters.spec.configuration.apiServer

$ oc get clustercsidriver ebs.csi.aws.com -ojson | jq .spec.observedConfig.targetcsiconfig.servingInfo
{
  "cipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  ],
  "minTLSVersion": "VersionTLS12"
}
Actual results:
The tlsSecurityProfile doesn't get synced
Expected results:
The tlsSecurityProfile should get synced
Additional info:
- blocks
- OCPBUGS-38486 [HCP] APIServer CR is not synced to the hosted cluster
- Closed
- is cloned by
- OCPBUGS-38486 [HCP] APIServer CR is not synced to the hosted cluster
- Closed
- links to
- RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update
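A drift check for the situation described in the report, as an added example that is not part of the original ticket and is not HyperShift or csi-operator code. It compares the three JSON objects from the reproduction steps; the names `find_drift`, `expected_serving_info` and `OPENSSL_TO_IANA` are hypothetical, and it assumes the CSI driver's servingInfo should carry the IANA equivalents of the profile's OpenSSL-style cipher names.

```python
# OpenSSL cipher names (tlsSecurityProfile) -> IANA names (servingInfo).
# Only the suites that appear on this page are mapped.
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

def expected_serving_info(profile):
    """Translate a Custom tlsSecurityProfile into the servingInfo shape."""
    if not profile or profile.get("type") != "Custom":
        return None  # predefined profile types are not handled in this example
    custom = profile["custom"]
    unknown = [c for c in custom["ciphers"] if c not in OPENSSL_TO_IANA]
    if unknown:
        raise ValueError(f"no IANA mapping for: {unknown}")
    return {"cipherSuites": [OPENSSL_TO_IANA[c] for c in custom["ciphers"]],
            "minTLSVersion": custom["minTLSVersion"]}

def find_drift(hc_configuration, guest_apiserver_spec, csi_serving_info):
    """Compare the three objects from the report; return a list of findings."""
    want = hc_configuration.get("apiServer", {}).get("tlsSecurityProfile")
    findings = []
    if guest_apiserver_spec.get("tlsSecurityProfile") != want:
        findings.append("apiserver: tlsSecurityProfile not synced")
    expected = expected_serving_info(want)
    if expected:
        for key in ("minTLSVersion", "cipherSuites"):
            got, exp = csi_serving_info.get(key), expected[key]
            same = set(got or []) == set(exp) if key == "cipherSuites" else got == exp
            if not same:
                findings.append(f"csi: {key} is {got}, expected {exp}")
    return findings

# Constructed sample input, shaped like the jq outputs quoted in the report.
HC_CONFIGURATION = {"apiServer": {"audit": {"profile": "Default"}, "tlsSecurityProfile": {
    "type": "Custom", "custom": {"minTLSVersion": "VersionTLS11", "ciphers": [
        "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"]}}}}
GUEST_APISERVER_SPEC = {"audit": {"profile": "Default"}}
CSI_SERVING_INFO = {"minTLSVersion": "VersionTLS12",
                    "cipherSuites": list(OPENSSL_TO_IANA.values())}

if __name__ == "__main__":
    for finding in find_drift(HC_CONFIGURATION, GUEST_APISERVER_SPEC, CSI_SERVING_INFO):
        print(finding)
```

On a live cluster the three arguments would be the parsed output of the `oc ... | jq` commands in the reproduction steps.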