-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
4.16, 4.17
-
Important
-
No
-
CFE Sprint 255, CFE Sprint 256, CFE Sprint 257, NE Sprint 258, CFE Sprint 258, NE Sprint 259
-
6
-
Rejected
-
False
-
Description of problem:
regular user can update route spec.tls.certificate/key without extra permissions, but if the user try to edit/patch spec.tls.externalCertificate, it reports error:
spec.tls.externalCertificate: Forbidden: user does not have update permission on custom-host
Version-Release number of selected component (if applicable):
4.16.0-0.nightly-2024-05-21-221942
How reproducible:
100%
Steps to Reproduce:
1. login as regular use and create namespace, pod, svc and edge route
$ oc create route edge myedge --service service-unsecure --cert tls.crt --key tls.key
$ oc get route myedge -oyaml
2. edit the route and remove one certificate from spec.tls.certificate
$ oc edit route myedge
$ oc get route myedge
3. edit the route and restore the original spec.tls.certificate
4. edit the route with spec.tls.externalCertificate
Actual results:
1. edge route is admitted and works well
$ oc get route myedge -oyaml
<......>
spec:
host: myedge-test3.apps.hongli-techprev.qe.azure.devcluster.openshift.com
port:
targetPort: http
tls:
certificate: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
<......>
2. route is failed validation since "private key does not match public key"
$ oc get route myedge
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
myedge ExtendedValidationFailed service-unsecure http edge None
3. route is admitted again after the spec.tls.certificate is restored
4. reports error when updating spec.tls.externalCertificate
spec.tls.externalCertificate: Forbidden: user does not have update permission on custom-host
Expected results:
user can has same permission to update both spec.tls.certificate and spec.tls.externalCertificate
Additional info: