Bug 2166923

Summary: Support HCO jsonpatch annotation for SSP
Product: Container Native Virtualization (CNV) Reporter: SATHEESARAN <sasundar>
Component: InstallationAssignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA QA Contact: SATHEESARAN <sasundar>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.12.0CC: kmajcher, stirabos
Target Milestone: ---   
Target Release: 4.12.2   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: hco-bundle-registry-container-v4.12.2-2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-29 17:36:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description SATHEESARAN 2023-02-03 14:16:33 UTC 
Description of problem:
-----------------------
HCO jsonpatch annotation[1] support modifying HCO managed CRs (i.e) KubeVirt, CDI, CNAO. There is no support for changing SSP using HCO jsonpatch annotation.

In the case of Crypto policy feature for CNV v4.12, to enable modifing TLS security policy of specific CR (i.e) SSP, we would need HCO jsonpatch annotation support SSP.

[1] - https://github.com/kubevirt/hyperconverged-cluster-operator/blob/main/docs/cluster-configuration.md#jsonpatch-annotations

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
CNV v4.12

How reproducible:
-----------------
Always

Steps to Reproduce:
-------------------
1. Modify SSP .spec.tlsSecurityProfile using HCO jsonpatch annotation
# oc annotate --overwrite hco kubevirt-hyperconverged -n openshift-cnv ssp.kubevirt.io/jsonpatch='[{"op": "add", "path": "/spec/tlsSecurityProfile", "value": {"type": "Old", "old": {}, "intermediate": null, "modern": null, "custom": null}}]'

Actual results:
---------------
HCO jsonpatch annotation doesn't work to update SSP

Expected results:
-----------------
HCO jsonpatch annotation should support updating SSP operator
Comment 2 SATHEESARAN 2023-03-07 12:38:33 UTC 
Tested with CNV v4.12.2-7. HCO supports jsonpatch annotation for SSP using the key 'ssp.kubevirt.io/jsonpatch'

Following is the test performed to verify this bug:
1. Get the value of ssp.spec.tlsSecurityProfile
$ oc get ssp ssp-kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.tlsSecurityProfile}'
{"intermediate":{},"type":"Intermediate"}

2. Add HCO jsonpatch annotation to modify ssp.spec.tlsSecurityProfile to 'Old' profile
$ oc annotate --overwrite hco kubevirt-hyperconverged -n openshift-cnv ssp.kubevirt.io/jsonpatch='[{"op": "add", "path": "/spec/tlsSecurityProfile", "value": {"type": "Old", "old":{}, "intermediate": null, "modern": null, "custom": null}}]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged annotated

3. Validate that ssp.spec.tlsSecurityProfile is updated.
$ oc get ssp ssp-kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.tlsSecurityProfile}'
{"old":{},"type":"Old"}


Moving this bug to VERIFIED based on the above validation.
Comment 12 errata-xmlrpc 2023-03-29 17:36:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Virtualization 4.12.2 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:1523