Bug 1798887
| Field | Value |
|---|---|
| Summary | [4.6] readinessEndpoint not using trustedCA for trust validation |
| Product | OpenShift Container Platform |
| Component | Networking |
| Networking sub component | openshift-sdn |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | unspecified |
| Version | 4.2.z |
| Target Milestone | --- |
| Target Release | 4.6.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Chet Hosey <ChetRHosey> |
| Assignee | Daneyon Hansen <dhansen> |
| QA Contact | huirwang |
| CC | bbennett, dhansen, gparente, rbost |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Clone Of | |
| | 1821956 (view as bug list) |
| Last Closed | 2020-10-27 15:55:05 UTC |
| Type | Bug |
| Regression | --- |
| Documentation | --- |
| Category | --- |
| Bug Blocks | 1849154, 1855356 |
Description
Chet Hosey
2020-02-06 08:52:21 UTC
I can confirm the same issue in 4.2.26.

The issue is here: https://github.com/openshift/cluster-network-operator/blob/d69bd9eff18d142e33bfd380273edf386c30f1e5/pkg/controller/proxyconfig/validation.go#L246-L252

I believe the `proxy.Scheme == schemeHTTPS` needs to be changed to `proxy.Scheme == schemeHTTPS || endpoint.Scheme == schemeHTTPS`. A MITM proxy will send back a certificate to the network operator performing a probe even if the proxy Scheme is HTTP. The presence of TLS is based on the endpoint Scheme.

Ben or Daneyon, does this seem like the right fix?

I pushed https://github.com/openshift/cluster-network-operator/pull/613 to fix the issue.

Waiting for the associated PR to merge.

This should be considered as a candidate for backport.

*** Bug 1791948 has been marked as a duplicate of this bug. ***

Retargeting to 4.6. The SDN team will handle the backport.

Tagged UpcomingSprint as multiple CI jobs failed after the PR was tagged /lgtm.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
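The following is an added illustration of the check discussed in this bug, not code from cluster-network-operator or PR 613: a hypothetical `newProbeTransport` helper wires `trustedCA` into the probe's TLS config, with `fixed=false` reproducing the original proxy-scheme-only condition and `fixed=true` applying the proposed `proxy.Scheme == schemeHTTPS || endpoint.Scheme == schemeHTTPS`. The proxy and endpoint URLs are constructed, and an empty `x509.CertPool` stands in for the pool parsed from the trustedCA bundle.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/url"
)

const schemeHTTPS = "https"

// newProbeTransport builds the transport that probes a readinessEndpoint through
// the cluster proxy. trustedCA (the pool parsed from the trustedCA bundle) must be
// attached whenever the connection will speak TLS. fixed=false keeps the reported
// defect (trust keyed on the proxy scheme only); fixed=true applies the proposed fix.
func newProbeTransport(proxyURL, endpointURL string, trustedCA *x509.CertPool, fixed bool) (*http.Transport, error) {
	proxy, err := url.Parse(proxyURL)
	if err != nil {
		return nil, err
	}
	endpoint, err := url.Parse(endpointURL)
	if err != nil {
		return nil, err
	}
	useTLS := proxy.Scheme == schemeHTTPS
	if fixed {
		// An https:// endpoint behind an http:// proxy still ends in TLS: a MITM
		// proxy answers with its own certificate, which must chain to trustedCA.
		useTLS = useTLS || endpoint.Scheme == schemeHTTPS
	}
	tr := &http.Transport{Proxy: http.ProxyURL(proxy)}
	if useTLS {
		tr.TLSClientConfig = &tls.Config{RootCAs: trustedCA}
	}
	return tr, nil
}

// usesTrustedCA reports whether the transport validates server certs against the pool.
func usesTrustedCA(tr *http.Transport) bool {
	return tr.TLSClientConfig != nil && tr.TLSClientConfig.RootCAs != nil
}

func main() {
	pool := x509.NewCertPool() // stands in for the pool parsed from the trustedCA bundle
	for _, fixed := range []bool{false, true} {
		tr, _ := newProbeTransport("http://proxy.example:3128", "https://registry.example/v2/", pool, fixed)
		fmt.Printf("fixed=%v: trustedCA used = %v\n", fixed, usesTrustedCA(tr))
	}
}
```

With an http:// proxy and an https:// endpoint the original condition leaves `TLSClientConfig` unset, so the MITM proxy's certificate is checked against the system roots and the probe fails; the fixed condition attaches the pool.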