- Bug
- Resolution: Unresolved
- Normal
- None
- 4.15.z
- No
- False
Description of problem:
Unsetting `minTLSVersion` in `apiserver.spec.tlsSecurityProfile` while the profile type is `Custom` makes the authentication cluster operator (CO) unavailable and sends the `openshift-oauth-apiserver` pods into CrashLoopBackOff. Setting an invalid version could plausibly cause the same outcome. An API validation hook that enforces a correct profile would prevent the misconfiguration from reaching the components.
Version-Release number of selected component (if applicable):
4.15.0-0.nightly-2023-12-14-115151
How reproducible:
Always
Steps to Reproduce:
1. Unset `minTLSVersion` in `apiserver.spec.tlsSecurityProfile` when the type is set to Custom.

```text
$ oc get apiserver cluster -o yaml
apiVersion: config.openshift.io/v1
kind: APIServer
...
  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-ECDSA-AES128-GCM-SHA256
    type: Custom
```

2. Observe the status of the authentication CO and the pods in `openshift-oauth-apiserver`.

```text
# oc get co --no-headers | grep -v '.True.*False.*False'
authentication   4.15.0-0.nightly-2023-12-14-115151   False   False   True    40m   APIServerDeploymentAvailable: no apiserver.openshift-oauth-apiserver pods available on any node....
console          4.15.0-0.nightly-2023-12-14-115151   True    False   True    74m   OAuthClientSyncDegraded: the server is currently unable to handle the request (get oauthclients.oauth.openshift.io console)...
storage          4.15.0-0.nightly-2023-12-14-115151   True    True    False   92m   AWSEBSCSIDriverOperatorCRProgressing: AWSEBSDriverControllerServiceControllerProgressing: Waiting for Deployment to deploy pods

# oc get co authentication
NAME             VERSION                              AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.15.0-0.nightly-2023-12-14-115151   False       False         True       40m     APIServerDeploymentAvailable: no apiserver.openshift-oauth-apiserver pods available on any node....

# oc -n openshift-oauth-apiserver get pod
NAME                         READY   STATUS             RESTARTS         AGE
apiserver-868885f66f-6l2nf   0/1     CrashLoopBackOff   13 (3m17s ago)   45m
apiserver-868885f66f-twsbp   0/1     CrashLoopBackOff   13 (3m48s ago)   43m
apiserver-868885f66f-xftcg   0/1     CrashLoopBackOff   13 (3m26s ago)   44m
```

3. Check the logs for the `--tls-min-version` argument and for connection errors.

```text
# oc -n openshift-oauth-apiserver logs apiserver-868885f66f-6l2nf
Defaulted container "oauth-apiserver" out of: oauth-apiserver, fix-audit-permissions (init)
...
I1215 11:25:28.102311       1 flags.go:64] FLAG: --tls-cipher-suites="[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]"
I1215 11:25:28.102314       1 flags.go:64] FLAG: --tls-min-version=""
......
I1215 11:25:28.406657       1 apf_controller.go:846] Introducing queues for priority level "catch-all": config={"type":"Limited","limited":{"nominalConcurrencyShares":5,"limitResponse":{"type":"Reject"},"lendablePercent":0}}, nominalCL=600, lendableCL=0, borrowingCL=600, currentCL=600, quiescing=false (shares=5, shareSum=5)
W1215 11:25:28.412109       1 logging.go:59] [core] [Channel #1 SubChannel #3] grpc: addrConn.createTransport failed to connect to { "Addr": "10.0.81.181:2379", "ServerName": "10.0.81.181", "Attributes": null, "BalancerAttributes": null, "Type": 0, "Metadata": null }. Err: connection error: desc = "transport: authentication handshake failed: remote error: tls: handshake failure"
```
Actual results:
- Authentication CO becomes unavailable.
- Pods in `openshift-oauth-apiserver` exhibit CrashLoopBackOff or Error states.
- Logs show `--tls-min-version=""` and connection errors caused by TLS handshake failures.
Expected results:
- Authentication CO should remain available.
- Pods should be stable, without CrashLoopBackOff or Error.
- No TLS-related connection errors in the logs.
Additional info:
- Suggestion to introduce an API hook that validates and rejects `Custom` profiles without `minTLSVersion`.
- The aim is to remind users to set the version correctly and to avoid widespread component failures.
- The issue has been reproduced on multiple clusters, indicating a broader impact.
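The validation hook suggested above, sketched as an added example: this is not OpenShift code, and the `TLSSecurityProfile` and `CustomTLSProfile` structs are a hand-written, simplified stand-in for the relevant fields of `apiserver.spec.tlsSecurityProfile`, carrying only what this report touches. `ValidateTLSSecurityProfile` is the hypothetical check: a `Custom` profile is rejected when `minTLSVersion` is missing or is not one of the `VersionTLS10` to `VersionTLS13` names, so an empty `--tls-min-version=""` can never be handed to the oauth-apiserver. The sample inputs are constructed from the profile shown in the reproduction steps.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// CustomTLSProfile is a simplified stand-in (assumption, not the real API
// type) for the "custom" block of apiserver.spec.tlsSecurityProfile.
type CustomTLSProfile struct {
	Ciphers       []string `json:"ciphers"`
	MinTLSVersion string   `json:"minTLSVersion"`
}

// TLSSecurityProfile is a simplified stand-in for the profile object itself.
type TLSSecurityProfile struct {
	Type   string            `json:"type"`
	Custom *CustomTLSProfile `json:"custom,omitempty"`
}

// allowedMinTLSVersions lists the TLS version names a Custom profile may
// carry; the check treats anything else (including "") as invalid.
var allowedMinTLSVersions = map[string]bool{
	"VersionTLS10": true,
	"VersionTLS11": true,
	"VersionTLS12": true,
	"VersionTLS13": true,
}

// ValidateTLSSecurityProfile is the hypothetical admission-style hook: it
// returns a descriptive error for a Custom profile that the apiserver could
// not start with, and nil for profiles that are safe to apply.
func ValidateTLSSecurityProfile(p TLSSecurityProfile) error {
	if p.Type != "Custom" {
		// Old, Intermediate and Modern carry their own built-in minimum.
		return nil
	}
	if p.Custom == nil {
		return errors.New("tlsSecurityProfile.custom must be set when type is Custom")
	}
	if p.Custom.MinTLSVersion == "" {
		return errors.New("tlsSecurityProfile.custom.minTLSVersion must not be empty when type is Custom")
	}
	if !allowedMinTLSVersions[p.Custom.MinTLSVersion] {
		return fmt.Errorf("tlsSecurityProfile.custom.minTLSVersion %q is not a recognised TLS version",
			p.Custom.MinTLSVersion)
	}
	return nil
}

// ValidateJSON parses a JSON-encoded profile (the shape a webhook would
// receive after YAML-to-JSON conversion) and runs the check on it.
func ValidateJSON(raw []byte) error {
	var p TLSSecurityProfile
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("cannot parse tlsSecurityProfile: %w", err)
	}
	return ValidateTLSSecurityProfile(p)
}

func main() {
	// Constructed samples: the profile from the report (no minTLSVersion)
	// and the same profile with the version filled in.
	broken := []byte(`{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-GCM-SHA256"]}}`)
	fixed := []byte(`{"type":"Custom","custom":{"minTLSVersion":"VersionTLS12","ciphers":["ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-GCM-SHA256"]}}`)
	for _, in := range [][]byte{broken, fixed} {
		if err := ValidateJSON(in); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted")
		}
	}
}
```

Running it prints one `rejected: tlsSecurityProfile.custom.minTLSVersion must not be empty when type is Custom` line for the first sample and `accepted` for the second. Rejecting at admission time is the point: the error reaches the person running `oc apply`, instead of surfacing an hour later as a degraded authentication CO and an etcd handshake failure in the pod logs.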