Bug 2222146

Summary: ODF NooBaa creates route which OpenShift compliance operator marks as non-compliant
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Novonil Choudhuri <nchoudhu>
Component: Multi-Cloud Object Gateway
Assignee: Jacky Albo <jalbo>
Status: CLOSED ERRATA
QA Contact: Tiffany Nguyen <tunguyen>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.13
CC: agawand, asriram, ebenahar, etamir, jalbo, kbg, nbecker, nimrody, odf-bz-bot, rdey, tdesala
Target Milestone: ---
Target Release: ODF 4.16.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: 4.16.0-39
Doc Type: Enhancement
Doc Text:
.Multicloud Object Gateway created routes to work with HTTPS only
For deployments that want to disable HTTP and use only HTTPS, an option is added to set `DenyHTTP` in the storage cluster CR (`spec.multiCloudGateway.denyHTTP`). This causes the Multicloud Object Gateway created routes to use HTTPS only.
Story Points: ---
Clone Of:
Clones: 2283797
Environment:
Last Closed: 2024-07-17 13:11:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2260844, 2283797

Description Novonil Choudhuri 2023-07-12 00:38:36 UTC
Description of problem (please be as detailed as possible and provide log
snippets):

ODF generates this route which the OCP compliance operator flags as non-compliant as it scans only `insecureEdgeTerminationPolicy: None | Redirect` but not `Allow`

Compliance code : https://github.com/ComplianceAsCode/content/commit/1de41ddd8b2dad9b182d9fdc5b8fac3ef5bf2987#diff-449e1d7f982cf0a61ed9e0f3d8899d022efedf8c7e20a5e44c53aae27cf58c86R23
 
~~~
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: "2023-06-28T19:45:56Z"
  labels:
    app: noobaa
  name: s3
  namespace: openshift-storage
  ownerReferences:
  - apiVersion: noobaa.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: NooBaa
    name: noobaa
    uid: c328db12-fe02-40e6-8424-873a36f71c53
  resourceVersion: "264239411"
  uid: f25864ed-ed87-4fdd-b10d-f39e2395d18b
spec:
  host: s3-openshift-storage.apps.serenity.k8s.local
  port:
    targetPort: s3-https
  tls:
    insecureEdgeTerminationPolicy: Allow
    termination: reencrypt
  to:
    kind: Service
    name: s3
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2023-06-28T19:45:56Z"
      status: "True"
      type: Admitted
    host: s3-openshift-storage.apps.serenity.k8s.local
    routerCanonicalHostname: router-default.apps.serenity.k8s.local
    routerName: default
    wildcardPolicy: None
~~~


Version of all relevant components (if applicable): OCP 4.13 https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-release-notes.html


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)? Yes, since the OpenShift compliance operator marks the ODF route as non-compliant, it makes some customers' and partners' ODF installations non-compliant.


Is there any workaround available to the best of your knowledge? No


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)? 3


Is this issue reproducible? Yes


Can this issue be reproduced from the UI? Yes


If this is a regression, please provide more details to justify this: N/A


Steps to Reproduce:
1. Install OCP 4.13 and ODF latest version 
2. Install OCP compliance operator
3. Run scan https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-scans.html


Actual results: Scan marks the route described above as non-compliant


Expected results: ODF should not create a route with spec `insecureEdgeTerminationPolicy: Allow`


Additional info: N/A
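To make the rule the report describes concrete, here is an added example that is not code from the bug report, the compliance operator, NooBaa, or ODF. It applies the check to Route objects in the JSON shape that `oc get routes -A -o json` prints: every route with a `tls` stanza whose `insecureEdgeTerminationPolicy` is anything other than `None` or `Redirect` is reported, so the `Allow` route above is flagged and the `None` variant passes. The sample input is constructed from the route shown above plus two hypothetical routes (names, namespaces and hosts are made up); how a route with no `tls` stanza at all is treated is my assumption and not part of the rule the page cites.

```python
"""Report OpenShift Routes that still accept plain HTTP on a TLS route.

Added example; mirrors the check the bug report describes, where only
tls.insecureEdgeTerminationPolicy values None and Redirect are accepted.
"""
import json
import sys

# Policies the cited compliance rule accepts on a route with a tls stanza.
COMPLIANT_POLICIES = {"None", "Redirect"}


def _make_route(name, namespace, host, tls):
    """Build a minimal Route dict (constructed sample data, not cluster output)."""
    route = {
        "apiVersion": "route.openshift.io/v1",
        "kind": "Route",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "host": host,
            "to": {"kind": "Service", "name": name, "weight": 100},
            "wildcardPolicy": "None",
        },
    }
    if tls is not None:
        route["spec"]["tls"] = tls
    return route


# The NooBaa s3 route as reported (Allow) and as verified after denyHTTP (None).
ROUTE_BEFORE = _make_route("s3", "openshift-storage",
                           "s3-openshift-storage.apps.serenity.k8s.local",
                           {"termination": "reencrypt",
                            "insecureEdgeTerminationPolicy": "Allow"})
ROUTE_AFTER = _make_route("s3", "openshift-storage",
                          "s3-openshift-storage.apps.serenity.k8s.local",
                          {"termination": "reencrypt",
                           "insecureEdgeTerminationPolicy": "None"})

# Constructed list in the shape `oc get routes -A -o json` prints: the reported
# route plus two hypothetical ones (an edge route that redirects, and a route
# with no tls stanza at all). Hosts use the reserved .invalid TLD.
SAMPLE_ROUTE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        ROUTE_BEFORE,
        _make_route("console", "example-apps", "console.apps.example.invalid",
                    {"termination": "edge",
                     "insecureEdgeTerminationPolicy": "Redirect"}),
        _make_route("legacy", "example-apps", "legacy.apps.example.invalid", None),
    ],
})


def route_http_finding(route):
    """Return a finding string if the Route accepts plain HTTP, else None."""
    meta = route.get("metadata", {})
    ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    tls = route.get("spec", {}).get("tls")
    if tls is None:
        # Not covered by the cited rule. Assumption: a Route without tls is
        # HTTP-only, so report it separately rather than silently pass it.
        return f"{ident}: no tls stanza, route is served over plain HTTP"
    # An unset policy on a tls route disables insecure traffic, same as None.
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if policy in COMPLIANT_POLICIES:
        return None
    return (f"{ident}: tls.insecureEdgeTerminationPolicy={policy} "
            f"(termination={tls.get('termination')}) accepts plain HTTP")


def scan_route_list(json_text):
    """Scan a Route or a List/RouteList JSON document; return findings in order."""
    doc = json.loads(json_text)
    items = doc.get("items", []) if doc.get("kind") in ("List", "RouteList") else [doc]
    return [f for f in (route_http_finding(r) for r in items) if f]


if __name__ == "__main__":
    # Pass "-" to scan live output: oc get routes -A -o json | python3 scan.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_ROUTE_LIST
    for finding in scan_route_list(text):
        print(finding)
```

Run without arguments it reports the reported `s3` route and the hypothetical `legacy` route and stays silent about the redirecting edge route; the `ROUTE_AFTER` shape, which is what Comment 20 shows after `denyHTTP` is set, produces no finding.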

Comment 8 Nimrod 2023-11-10 06:00:36 UTC
Removed the email 'nimrody' which has nothing to do with this bug.

Comment 20 Tiffany Nguyen 2024-05-01 16:57:44 UTC
Verified with build 4.16.0-89.
After editing noobaa to set "denyHTTP: true", "insecureEdgeTerminationPolicy" changes to "None" as expected.

<snipped>

~~~
spec:
  host: s3-openshift-storage.apps.tunguyen-429.ibmcloud2.qe.rh-ocs.com
  port:
    targetPort: s3-https
  tls:
    insecureEdgeTerminationPolicy: None
    termination: reencrypt
  to:
    kind: Service
    name: s3
    weight: 100
  wildcardPolicy: None
~~~

Comment 22 errata-xmlrpc 2024-07-17 13:11:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:4591