Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-25355

setting TLSSecurityProfile with no minTLSVersion crashes controller

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done-Errata
    • Critical
    • 4.15.0
    • 4.15.0, 4.16.0
    • Storage / Operators
    • None
    • Important
    • No
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • NA
    • Release Note Not Required
    • In Progress

    Description

      This is a clone of issue OCPBUGS-24226. The following is the description of the original issue:

      rh-ee-mpatlaso pointed this out in STOR-1453 but still somehow we missed it. I tested this on 4.15.0-0.ci-2023-11-29-021749.

      It is possible to set a custom TLSSecurityProfile without minTLSversion:

      $ oc edit apiserver cluster
      ...
      spec:
        tlsSecurityProfile:
          type: Custom
          custom:
            ciphers:
            - ECDHE-ECDSA-CHACHA20-POLY1305
            - ECDHE-ECDSA-AES128-GCM-SHA256

      This causes the controller to crash loop:

      $ oc get pods -n openshift-cluster-csi-drivers
      NAME                                             READY   STATUS             RESTARTS       AGE
      aws-ebs-csi-driver-controller-589c44468b-gjrs2   6/11    CrashLoopBackOff   10 (18s ago)   37s
      ...

      because the `${TLS_MIN_VERSION}` placeholder is never replaced:

              - --tls-min-version=${TLS_MIN_VERSION}
              - --tls-min-version=${TLS_MIN_VERSION}
              - --tls-min-version=${TLS_MIN_VERSION}
              - --tls-min-version=${TLS_MIN_VERSION}
              - --tls-min-version=${TLS_MIN_VERSION}

      The observed config in the ClusterCSIDriver shows an empty string:

      $ oc get clustercsidriver ebs.csi.aws.com -o json | jq .spec.observedConfig
      {
        "targetcsiconfig": {
          "servingInfo":

      {       "cipherSuites": [         "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",         "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"       ],       "minTLSVersion": ""     }

        }
      }

      which means minTLSVersion is empty when we get to this line, and the string replacement is not done:

      [https://github.com/openshift/library-go/blob/c7f15dcc10f5d0b89e8f4c5d50cd313ae158de20/pkg/operator/csi/csidrivercontrollerservicecontroller/helpers.go#L234]

      So it seems we have a couple of options:

      1) completely omit the --tls-min-version arg if minTLSVersion is empty, or
      2) set --tls-min-version to the same default value we would use if TLSSecurityProfile is not present in the apiserver object

      Attachments

        Issue Links

          Activity

            People

              jdobson@redhat.com Jonathan Dobson
              openshift-crt-jira-prow OpenShift Prow Bot
              Wei Duan Wei Duan
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: