Bug 1956245

Summary: [certificate renewal] not enforcing small time values and duration < renewBefore
Product: Container Native Virtualization (CNV)
Reporter: ibesso <ibesso>
Component: Installation
Assignee: Simone Tiraboschi <stirabos>
Status: VERIFIED
QA Contact: ibesso <ibesso>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.8.0
CC: cnv-qe-bugs, stirabos
Target Milestone: ---
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: hco-bundle-registry:v4.8.0-312
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description ibesso 2021-05-03 09:55:28 UTC
Description of problem:
----------------------


Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.8.0


How reproducible:
----------------
100%

Steps to Reproduce:
------------------

+++ Scenario A (small values) +++

1. oc edit hco kubevirt-hyperconverged -n openshift-cnv

2. set any certConfig field (ca/server - duration/renewBefore) to 1s.

3. save the change.

+++ Scenario B (duration < renewBefore) +++

1. oc edit hco kubevirt-hyperconverged -n openshift-cnv

2. set certConfig.ca.duration to 10m.

3. set certConfig.ca.renewBefore to 20m.

4. save the change.


Actual results:
--------------
Scenario A - value accepted.
Scenario B - values are accepted regardless of the given logical conflict (duration < renewBefore).

Expected results:
----------------
Scenario A - very small values should be rejected/reconciled.
Scenario B - this should be validated and rejected when editing/patching the CR. The diff factor between duration and renewBefore should be decided for enforcement, which will enforce consistently both scenarios, e.g. if the minimum value should be 5s, then we should enforce "duration + 5 >= renewBefore" as well.


Additional info:
---------------
decision required: what is a very small value?

Comment 1 ibesso 2021-05-27 18:42:17 UTC
Verified with a cluster installed from scratch CNV 4.8.0
--------------------------------------------------------
IIB: registry-proxy.engineering.redhat.com/rh-osbs/iib:76375
HCO:[v4.8.0-350]

I tried to change each of the certconfig fields to a value smaller than 10m. OK. A corresponding error was displayed:

[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.ca.duration: value is too small
You can run `oc replace -f /tmp/oc-edit-jfijg.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.ca.renewBefore: value is too small
You can run `oc replace -f /tmp/oc-edit-d69p5.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.server.duration: value is too small
You can run `oc replace -f /tmp/oc-edit-kjqzg.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.server.renewBefore: value is too small
You can run `oc replace -f /tmp/oc-edit-aid8z.yaml` to try this update again.

I tried to change the certconfig fields (in ca and server stanzas) to violate the condition duration <= renewBefore. OK. A corresponding error was displayed:

[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
Edit cancelled, no changes made.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.ca: duration is smaller than renewBefore
You can run `oc replace -f /tmp/oc-edit-j7am9.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.server: duration is smaller than renewBefore
You can run `oc replace -f /tmp/oc-edit-hb3os.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ 


Additionally, I tested the margins:
* 9m59s is rejected
* 10m is accepted

Moved to VERIFIED.
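As an added example, not code from this bug, the HCO project or Red Hat: a stand-alone Go validation routine that reproduces the two rules the report asked for and the verification comment observed (any certConfig value below 10m denied with "value is too small", and duration below renewBefore denied with "duration is smaller than renewBefore"). The 10m threshold is inferred from the 9m59s/10m margin test above; the type names, the string-typed fields and the order in which the checks run are assumptions, and the real webhook's internals are not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// minCertDuration is the smallest value accepted for any certConfig field.
// The 10m threshold is inferred from the margin test in the verification
// comment (9m59s rejected, 10m accepted); it is an assumption, not a value
// read from the HCO source.
const minCertDuration = 10 * time.Minute

// CertRotateConfig mirrors the shape of spec.certConfig.ca and
// spec.certConfig.server as they appear in the bug (hypothetical type name;
// values are kept as the strings a user would type into the CR).
type CertRotateConfig struct {
	Duration    string
	RenewBefore string
}

// CertConfig is a hypothetical container for the two stanzas.
type CertConfig struct {
	CA     CertRotateConfig
	Server CertRotateConfig
}

// parseDuration turns a CR string such as "9m59s" into a time.Duration,
// reporting the field path so the caller can surface a precise error.
func parseDuration(path, raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("%s: invalid duration %q: %w", path, raw, err)
	}
	return d, nil
}

// validateStanza enforces both rules on one stanza: every value must be at
// least minCertDuration (scenario A), and duration must not be smaller than
// renewBefore (scenario B). The field-level minimum is checked first so a
// tiny value is reported as "too small" rather than as a duration/renewBefore
// conflict. Error strings follow the webhook output quoted in the comment.
func validateStanza(path string, c CertRotateConfig) error {
	duration, err := parseDuration(path+".duration", c.Duration)
	if err != nil {
		return err
	}
	renewBefore, err := parseDuration(path+".renewBefore", c.RenewBefore)
	if err != nil {
		return err
	}
	if duration < minCertDuration {
		return errors.New(path + ".duration: value is too small")
	}
	if renewBefore < minCertDuration {
		return errors.New(path + ".renewBefore: value is too small")
	}
	if duration < renewBefore {
		return errors.New(path + ": duration is smaller than renewBefore")
	}
	return nil
}

// ValidateCertConfig checks both stanzas and returns the first violation,
// which is how an admission webhook denies the whole patch: nothing is
// persisted unless every field passes.
func ValidateCertConfig(cfg CertConfig) error {
	if err := validateStanza("spec.certConfig.ca", cfg.CA); err != nil {
		return err
	}
	return validateStanza("spec.certConfig.server", cfg.Server)
}

func main() {
	// Constructed inputs: a sane config, then scenario A, scenario B and the margin case.
	sane := CertConfig{
		CA:     CertRotateConfig{Duration: "48h", RenewBefore: "24h"},
		Server: CertRotateConfig{Duration: "24h", RenewBefore: "12h"},
	}
	cases := map[string]CertConfig{"sane": sane}
	a := sane
	a.CA.Duration = "1s"
	cases["scenario A (1s)"] = a
	b := sane
	b.CA = CertRotateConfig{Duration: "10m", RenewBefore: "20m"}
	cases["scenario B (10m < 20m)"] = b
	m := sane
	m.Server = CertRotateConfig{Duration: "9m59s", RenewBefore: "9m59s"}
	cases["margin (9m59s)"] = m
	for name, c := range cases {
		if err := ValidateCertConfig(c); err != nil {
			fmt.Printf("%-24s denied: %v\n", name, err)
		} else {
			fmt.Printf("%-24s accepted\n", name)
		}
	}
}
```

The function is the same shape as a validating admission check: the API server consults it before the object is stored, so a renewBefore longer than the certificate lifetime (which would make every certificate eligible for renewal the moment it is issued) or a lifetime of seconds (which would churn CA and server certificates continuously) never reaches the rotation logic.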