Bug 2067079

Summary: [GSS] [RFE] Add termination policy to ocs-storagecluster-cephobjectstore route
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation Reporter: Eran Tamir <etamir>
Component: ocs-operatorAssignee: Jiffin <jthottan>
Status: CLOSED ERRATA QA Contact: Parikshith <pbyregow>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.8CC: assingh, jthottan, madam, mmuench, muagarwa, ocs-bugs, odf-bz-bot, olakra, sostapov, tdesala, tnielsen
Target Milestone: ---Keywords: FutureFeature
Target Release: ODF 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.11.0-66 Doc Type: Bug Fix
Doc Text:
.Add termination policy to `ocs-storagecluster-cephobjectstore` route Previously, in a closed environment, publicly accessible OpenShift routes were raising security concerns. When the existing route for RGW with SSL policy or deleted, the OCS-Operator was reconciled and reset to default. Resulting in security checks failing for RGW OpenShift routes. This release update provides an option to disable the route creation for RGW in the `storage-cluster.yaml` which allows the creation of an OpenShift route for RGW that can be disabled.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-24 13:49:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eran Tamir 2022-03-23 09:04:50 UTC 
This bug was initially created as a copy of Bug #2063691

I am copying this bug because: 

Separating between MCG and RGW routes. 

Description of problem (please be detailed as possible and provide log
snippets):

- Add termination policy to  ocs-storagecluster-cephobjectstore route


Version of all relevant components (if applicable):

- All

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?

- Cu is getting compliant issues because of "EdgeTerminationPolicy" of these 
  routes.

Is there any workaround available to the best of your knowledge?

- The route can be patched with the following command but it gets reconciled.

oc patch route s3 -n openshift-storage --type merge -p '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"reencrypt"}}}'

- Thus we need to add this parameter in the Cephobjectstore CR so that it won't 
  be reconciled.

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


N/A

Can this issue reproducible?

N/A

Can this issue reproduce from the UI?

N/A

If this is a regression, please provide more details to justify this:

N/A

Steps to Reproduce:
N/A

Actual results:

- The termination policy to ocs-storagecluster-cephobjectstore route gets reconciled.


Expected results:

- Add termination policy toocs-storagecluster-cephobjectstore route without reconcilation.


Additional info:

In the next steps.
Comment 4 Travis Nielsen 2022-03-30 16:56:26 UTC 
Moving to OCS operator where the fix is applicable
Comment 9 Martin Bukatovic 2022-05-09 17:53:25 UTC 
QE will test that ocs-storagecluster-cephobjectstore route has termination policy configuration '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"reencrypt"}}}' applied.
Comment 17 errata-xmlrpc 2022-08-24 13:49:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6156