Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.15.z
Affects Version/s: 4.16
Component/s: Networking / router
Labels:
- ne-triaged

Severity:
Moderate
Regression:
No
Story Points:
8
Sprint:
Sprint 254, NE Sprint 255
sprint_count:
2
Release Blocker:
Approved
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* {product-title} {product-version} does not support SHA1 certificates on routes. Consequently, upgrades from 4.15 to {product-version} will cause routes with SHA1 certificates to be rejected.
+
This update introduces a new `UnservableInFutureVersions` status condition to routes that contain a SHA1 certificate. Additionally, it adds an `admin-gate` to block upgrades if this new status is present on any route. As a result, if cluster administrators have routes that use SHA1 certificates in {product-title} 4.15, they must either upgrade these certificates to a support algorithm or provide an `admin-ack` for the created `admin-gate`. This `admin-ack` allows administrators to proceed with the upgrade without resolving the SHA1 certificate issues, even though the routes will be rejected. (linkhttps://issues.redhat.com/browse/OCPBUGS-28928[*~~OCPBUGS-28928~~*])

Show
* {product-title} {product-version} does not support SHA1 certificates on routes. Consequently, upgrades from 4.15 to {product-version} will cause routes with SHA1 certificates to be rejected. + This update introduces a new `UnservableInFutureVersions` status condition to routes that contain a SHA1 certificate. Additionally, it adds an `admin-gate` to block upgrades if this new status is present on any route. As a result, if cluster administrators have routes that use SHA1 certificates in {product-title} 4.15, they must either upgrade these certificates to a support algorithm or provide an `admin-ack` for the created `admin-gate`. This `admin-ack` allows administrators to proceed with the upgrade without resolving the SHA1 certificate issues, even though the routes will be rejected. ( linkhttps://issues.redhat.com/browse/OCPBUGS-28928 [* OCPBUGS-28928 *])
Release Note Type:
Enhancement
Release Note Status:
Done
Target Version:

4.15.z
Target Backport Versions:

4.15

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Backport for 4.15 - Manually Cloned from https://issues.redhat.com/browse/OCPBUGS-26498

Description of problem:

   Due to RHEL9 incorporating OpenSSL 3.0, HaProxy will refuse to start if provided with a cert using SHA1-based signature algorithm. RHEL9 is being introduced in 4.16. This means customers updating from 4.15 to 4.16 with a SHA1 cert will find their router in a failure state.


My Notes from experimenting with various ways of using a cert in ingress:
- Routes with SHA1 spec.tls.certificate WILL prevent HaProxy from reloading/starting
- It is NOT limited to FIPs, I broke a non-FIPs cluster with this
- Routes with SHA1 spec.tls.caCertificate will NOT prevent HaProxy starting, but route is rejected, due to extended route validation failure:
    - lastTransitionTime: "2024-01-04T20:18:01Z"
      message: 'spec.tls.certificate: Invalid value: "redacted certificate data":
        error verifying certificate: x509: certificate signed by unknown authority
        (possibly because of "x509: cannot verify signature: insecure algorithm SHA1-RSA
        (temporarily override with GODEBUG=x509sha1=1)" while trying to verify candidate
        authority certificate "www.exampleca.com")'

- Routes with SHA1 spec.tls.destinationCACertificate will NOT prevent HaProxy from starting. It actually seems to work as expected
- IngressController with SHA1 spec.defaultCertificate WILL prevent HaProxy from starting.
- IngressController with SHA1 spec.clientTLS.clientCA will NOT prevent HaProxy from starting.

Version-Release number of selected component (if applicable):

4.16

How reproducible:

100%

Steps to Reproduce:

    1. Create a Ingress Controller with spec.defaultCertificate or a Route with spec.tls.certificate as a SHA1 cert
    2. Roll out the router

Actual results:

    Router fails to start

Expected results:

    Router should start

Additional info:

    We've previously documented via story in RHEL9 epic: https://issues.redhat.com/browse/NE-1449

blocks

NE-1441 Bump openshift-router image to RHEL9

Closed

clones

OCPBUGS-26498 Router fails to start/reload with SHA1 cert due to OpenSSL 3.0 in RHEL9

Closed

is blocked by

OCPBUGS-26498 Router fails to start/reload with SHA1 cert due to OpenSSL 3.0 in RHEL9

Closed

is related to

OCPBUGS-42480 Upgrade to 4.16 is blocked because root certificate has weak SHA1 signature algorithm

Closed

links to

openshift/api#1751: [release-4.15] OCPBUGS-28928: Add UnservableInFutureVersions route status condition type

openshift/cluster-ingress-operator#1014: [release-4.15] OCPBUGS-28928: Prevent upgrades for SHA1 default cert and SHA1 route certs

openshift/openshift-apiserver#436: OCPBUGS-28928: Bump openshift/api to get updated docs for UnservableInFutureVersions

openshift/origin#28820: OCPBUGS-28928: Add test for UpgradeValidation contention

openshift/router#585: [release-4.15] OCPBUGS-28928: Upgrade Validation plugin for SHA1 certs

RHBA-2024:3889 OpenShift Container Platform 4.15.z bug fix update

(5 links to)

Assignee:: Grant Spence

Reporter:: Grant Spence

QA Contact:: Shudi Li

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/02/02 9:08 PM

Updated:: 2024/10/08 12:31 PM

Resolved:: 2024/06/18 11:31 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates