[OCPBUGS-25594] tlsSecurityProfile definitions do not align with documentation

    • No
    • 2
    • Sprint 247, Sprint 248, Sprint 249, Sprint 250, Sprint 251, Sprint 252, Sprint 253, Sprint 254, NE Sprint 255
    • 9
    • Rejected
    • False

      Description of problem:

      tlsSecurityProfile definitions do not align with documentation.
      
      When using `oc explain` the field descriptions note that certain values are unsupported, but the same values are supported in the OpenShift Documentation. 
      
      This needs to be clarified and the spacing should be fixed in the descriptions as they are hard to understand.

      Version-Release number of selected component (if applicable):

          4.14.1

      How reproducible:

      ⇒ oc explain ingresscontroller.spec.tlsSecurityProfile.modern

      Steps to Reproduce:

          1. Check the `oc explain` output

      Actual results:

          ⇒ oc explain ingresscontroller.spec.tlsSecurityProfile.modern
          KIND:     IngressController
          VERSION:  operator.openshift.io/v1

          DESCRIPTION:
               modern is a TLS security profile based on:
               https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility and
               looks like this (yaml):
               ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
               TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: TLSv1.3 NOTE: Currently
               unsupported.

      Expected results:

          An output that aligns with the documentation regarding supported/unsupported TLS versions. Additionally, fixing the output format would be useful, as it is very hard to understand/read in its current form.
      
      Here in the 4.14 Documentation, it states:
      ```
      The HAProxy Ingress Controller image supports TLS 1.3 and the Modern profile.
      ```

      Additional info:

      The `apiserver` CR should also be checked for the same thing.    
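
A check an administrator could run over exported IngressController or APIServer specs to see which ones fall short of the Modern profile quoted in the description. This is an added example, not code from the reporter or the OpenShift project; `audit_profile` and the sample specs are constructed here, and the minimum versions for the predefined types follow the Mozilla Server Side TLS guidelines that the field description cites.

```python
# Modern profile exactly as listed in the `oc explain` output in this report.
MODERN_CIPHERS = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
# Minimum protocol version of each predefined profile type (Mozilla Server Side TLS).
PREDEFINED_MIN = {"Old": "VersionTLS10", "Intermediate": "VersionTLS12", "Modern": "VersionTLS13"}
ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]


def audit_profile(spec):
    """Return (effective_type, findings) for one object's .spec dict."""
    profile = spec.get("tlsSecurityProfile") or {}
    ptype = profile.get("type")
    if not ptype:
        return "unset", ["no tlsSecurityProfile set; the cluster default applies"]
    if ptype in PREDEFINED_MIN:
        findings = []
        if ptype != "Modern":
            findings.append(f"{ptype} allows protocols below TLS 1.3 (min {PREDEFINED_MIN[ptype]})")
        return ptype, findings
    if ptype != "Custom":
        return ptype, [f"unknown profile type {ptype!r}"]
    custom = profile.get("custom") or {}
    findings = []
    min_ver = custom.get("minTLSVersion")
    if min_ver not in ORDER:
        findings.append(f"minTLSVersion missing or unrecognised: {min_ver!r}")
    elif ORDER.index(min_ver) < ORDER.index("VersionTLS13"):
        findings.append(f"minTLSVersion {min_ver} is below the Modern minimum")
    extra = sorted(set(custom.get("ciphers") or []) - MODERN_CIPHERS)
    if extra:
        findings.append("ciphers outside the Modern list: " + ", ".join(extra))
    return "Custom", findings


# Constructed sample specs, shaped like items from `oc get ingresscontroller -o json`.
SAMPLES = {
    "default": {},
    "modern": {"tlsSecurityProfile": {"type": "Modern", "modern": {}}},
    "legacy": {"tlsSecurityProfile": {"type": "Custom", "custom": {
        "minTLSVersion": "VersionTLS12",
        "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256"]}}},
}

if __name__ == "__main__":
    for name, spec in SAMPLES.items():
        print(name, *audit_profile(spec), sep=" | ")
```
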


            Hongan Li added a comment -

            moving to verified manually


            Shudi Li added a comment -

            verified it by the pre-merged test, please refer to the below link for more detail, thanks.

            https://github.com/openshift/api/pull/1730#issuecomment-1980011060


            Miciah Masters added a comment -

            rhn-support-misalunk, by the way, please remember to fill out the release note text on this issue!

            OpenShift Jira Bot added a comment -

            Hi rhn-support-misalunk,

            Bugs should not be moved to Verified without first providing a Release Note Type ("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

            Miciah Masters added a comment -

            rhn-support-misalunk, https://github.com/openshift/cluster-ingress-operator/commit/65dcb3f49c7c85f6ac98dd65e679beec2a3198e1 bumped the vendored openshift/api to a version that includes https://github.com/openshift/api/pull/1730/commits/29627755e664fe70ba9be7a7d78302b920560291, so I believe we can move this bug report to ON_QA now.

            Miciah Masters added a comment -

            Automation moved the Jira ticket to "MODIFIED" status because https://github.com/openshift/api/pull/1730 merged, but we still need a PR for openshift/cluster-ingress-operator before this issue is ready for QE, so I am moving the ticket back to "ASSIGNED" status.

            Sakshi sakshi added a comment -

            Hi rhn-support-misalunk, any timeline when this issue will be fixed? Thanks!

            Miheer Salunke added a comment - - edited

            From the below I have removed the Note and fixed the indentation for the tls security profiles.

            misalunk@misalunk-mac certs % oc explain ingresscontroller.spec.tlsSecurityProfile.modern 
            GROUP:      operator.openshift.io
            KIND:       IngressController
            VERSION:    v1
            
            
            FIELD: modern <Object>
            
            
            DESCRIPTION:
                modern is a TLS security profile based on: 
                 https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility 
                 and looks like this (yaml): 
                 ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
                TLS_CHACHA20_POLY1305_SHA256 minTLSVersion: TLSv1.3 
                 NOTE: Currently unsupported.
                
            
            
            misalunk@misalunk-mac certs %  

            I have sent a pull request to adjust indentation above for the ciphers and remove the note that it is unsupported.


            Miheer Salunke added a comment -

            Hi,

            I am checking on this as to what can be done.

            Miciah Masters added a comment -

            I believe we should have updated the godoc in question as part of NE-472. We'll revisit this issue after the break.

              rhn-support-misalunk Miheer Salunke
              rhn-support-mwasher Michael Washer (Inactive)
              Shudi Li Shudi Li