Bug 1829501

Summary: Fix TLS parameter parsing in prometheus-operator
Product: OpenShift Container Platform Reporter: Paul Gier <pgier>
Component: MonitoringAssignee: Paul Gier <pgier>
Status: CLOSED ERRATA QA Contact: Junqi Zhao <juzhao>
Severity: low Docs Contact:
Priority: medium    
Version: 4.5CC: alegrand, anpicker, erooth, kakkoyun, lcosic, mloibl, pkrupa, surbania
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:32:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Paul Gier 2020-04-29 16:13:10 UTC
Description of problem:

Two of the new TLS flags (web.tls-min-version and web.tls-cipher-suites) were added as part of the default flagset instead of the locally defined flagset causing them to not be parsed correctly.  This fix should be backported from upstream (https://github.com/coreos/prometheus-operator/pull/3157)

Comment 4 Junqi Zhao 2020-05-06 09:03:44 UTC
checked with 4.5.0-0.nightly-2020-05-05-205255, the parameters are right in the prometheus-operator image, but still wrong in the prometheus-operator deployment, example: tls-cipher-suites should be web.tls-cipher-suites
  -web.tls-cipher-suites string
    	Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).If omitted, the default Go cipher suites will be used.Note that TLS 1.3 ciphersuites are not configurable.
  -web.tls-min-version string
    	Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. (default "VersionTLS13")

# oc -n openshift-monitoring get deploy/prometheus-operator -oyaml
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c7339851e78b1f7ca1579757620113e81384a0232f4851792c0082ecf07992f5
        imagePullPolicy: IfNotPresent
        name: prometheus-operator
	...
      - args:
        - --logtostderr
        - --secure-listen-address=:8443
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - --upstream=http://127.0.0.1:8080/
        - --tls-cert-file=/etc/tls/private/tls.crt
        - --tls-private-key-file=/etc/tls/private/tls.key

Comment 5 Paul Gier 2020-05-06 13:37:48 UTC
The "--tls-cipher-suites" parameter here is currently only used for the kube-rbac-proxy container.  We're not currently using this setting for the prometheus-operator.  The new parameter won't be used in openshift until we merge the prometheus rule validation webhook configuration which will be in 4.6.

I think this one is ok to close as long as the new parameter is available in prometheus-operator.

Comment 7 errata-xmlrpc 2020-07-13 17:32:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409