Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.18.0
Affects Version/s: 4.16, 4.17
Component/s: Networking / router
Labels:
- cfe
- cfeplan
- ne-triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
No

Target Backport Versions:
None
Target Version:

4.18.0
Release Blocker:
Rejected
Sprint:
CFE Sprint 255, CFE Sprint 256, CFE Sprint 257, NE Sprint 258, CFE Sprint 258, NE Sprint 259, NE Sprint 260, NE Sprint 261, NE Sprint 262
sprint_count:
9

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, after a user created a route, the user needed both `create` and `update` permissions on the `routes/custom-host` sub-resource to edit the `.spec.tls.externalCertificate` field of a route. With this release, this permission requirement has been fixed, so that a user only needs the `create` permission to edit the `.spec.tls.externalCertificate` field of a route. The `update` permission is now marked as an optional permission. (link:https://issues.redhat.com/browse/OCPBUGS-34373[*~~OCPBUGS-34373~~*])

Show
* Previously, after a user created a route, the user needed both `create` and `update` permissions on the `routes/custom-host` sub-resource to edit the `.spec.tls.externalCertificate` field of a route. With this release, this permission requirement has been fixed, so that a user only needs the `create` permission to edit the `.spec.tls.externalCertificate` field of a route. The `update` permission is now marked as an optional permission. (link: https://issues.redhat.com/browse/OCPBUGS-34373 [* OCPBUGS-34373 *])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    regular user can update route spec.tls.certificate/key without extra permissions, but if the user try to edit/patch spec.tls.externalCertificate, it reports error:
spec.tls.externalCertificate: Forbidden: user does not have update permission on custom-host

Version-Release number of selected component (if applicable):

4.16.0-0.nightly-2024-05-21-221942

How reproducible:

    100%

Steps to Reproduce:

    1. login as regular use and create namespace, pod, svc and edge route
$ oc create route edge myedge --service service-unsecure --cert tls.crt --key tls.key
$ oc get route myedge -oyaml

    2. edit the route and remove one certificate from spec.tls.certificate 
$ oc edit route myedge
$ oc get route myedge

    3. edit the route and restore the original spec.tls.certificate

    4. edit the route with spec.tls.externalCertificate

Actual results:

    1. edge route is admitted and works well
$ oc get route myedge -oyaml
<......>
spec:
  host: myedge-test3.apps.hongli-techprev.qe.azure.devcluster.openshift.com
  port:
    targetPort: http
  tls:
    certificate: |
      -----BEGIN CERTIFICATE-----
      XXXXXXXXXXXXXXXXXXXXXXXXXXX
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      XXXXXXXXXXXXXXXXXXXXXXXX 
      -----END CERTIFICATE-----

   key: |
      -----BEGIN RSA PRIVATE KEY-----
<......>

    2. route is failed validation since "private key does not match public key"
$ oc get route myedge
NAME     HOST/PORT                  PATH   SERVICES           PORT   TERMINATION   WILDCARD
myedge   ExtendedValidationFailed          service-unsecure   http   edge          None

    3. route is admitted again after the spec.tls.certificate is restored

    4. reports error when updating spec.tls.externalCertificate 
spec.tls.externalCertificate: Forbidden: user does not have update permission on custom-host

Expected results:

    user can has same permission to update both spec.tls.certificate and spec.tls.externalCertificate

Additional info:

blocks

OAPE-26 [GA] Support router to load secrets

Closed

is blocked by

API-1863 Bump openshift-apiserver to kube 1.31.x

Closed

API-1820 Bump openshift-apiserver to kube 1.30.x

Closed

NE-1791 Review of OCPBUGS-34373

Closed

links to

openshift/enhancements#1652: OCPBUGS-34373: routes/custom-host permission update for externalCertificate

openshift/kubernetes#2129: OCPBUGS-34373: Bump library-go to fix routes/custom-host permission for externalCertificate

openshift/library-go#1754: OCPBUGS-34373: routes/custom-host permission update for externalCertificate

openshift/openshift-apiserver#459: OCPBUGS-34373: Bump library-go to fix routes/custom-host permission for externalCertificate

RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update

(4 links to)

Assignee:: Chirag Kyal

Reporter:: Hongan Li

Need Info From:: None

Contributors:: None

QA Contact:: Hongan Li

Doc Contact:: Darragh Fitzmaurice

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2024/05/23 2:03 PM

Updated:: 2025/07/22 5:43 PM

Resolved:: 2025/02/25 4:49 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates