Bug 2242207
| Summary: | Incorrect error message thrown by hco when incorrect ciphers for minTLSVersion | ||
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Geetika Kapoor <gkapoor> |
| Component: | Installation | Assignee: | Simone Tiraboschi <stirabos> |
| Status: | CLOSED MIGRATED | QA Contact: | SATHEESARAN <sasundar> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 4.14.0 | CC: | dbasunag, fmatouschek, stirabos |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | 4.15.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | hco-bundle-registry-container-v4.15.0.rhel9-1550 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-12-14 16:18:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
That error message comes from here: https://github.com/kubevirt/kubevirt/blob/d30cc7dcdf0f7ebd85070cc2c320d3e93ac38da3/pkg/virt-operator/webhooks/kubevirt-update-admitter.go#L250

Moving to the virt-component for further investigation.

On second thought, the error message is completely correct. If you specify any cipher at all, the admission webhook rejects the resource. Thus the message "you cannot specify ciphers" is actually the correct error message. I would expect this command to fail too:
oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'
With VersionTLS13 you cannot set any ciphers at all.
Verified with CNV 4.15 (Build v4.15.0.rhel9-1660)

When trying to set HCO tlsSecurityProfile with the 'custom' profile, with minTLSVersion as 'VersionTLS13'
and cipher suites, there is a meaningful error:
"custom ciphers cannot be selected when minTLSVersion is VersionTLS13"
<snip>
[ ~]$ oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13",ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'
Error from server (Forbidden): admission webhook "validate-hco.kubevirt.io" denied the request: custom ciphers cannot be selected when minTLSVersion is VersionTLS13
</snip>
With this observation, verifying this bug.
Description of problem:
An incorrect error message is thrown by hco when the cipher doesn't belong to the same TLS version.

example:

oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256","ECDHE-RSA-AES128-SHA"]}, type: "Custom"} }]'
The request is invalid: spec.configuration.tlsConfiguration.ciphers: You cannot specify ciphers when spec.configuration.tlsConfiguration.minTLSVersion is empty or VersionTLS13

"ECDHE-RSA-AES128-SHA" belongs to TLS v1.2 and this cipher cannot be used as it conflicts with minTLSVersion, which is set as TLS 1.3.

Remove this lower cipher:

$ oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"]}, type: "Custom"} }]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged patched

So the error message is misleading: it says that we cannot specify ciphers, whereas we cannot patch with lower ciphers based on minTLSVersion.

Version-Release number of selected component (if applicable):
4.14

How reproducible:
always

Steps to Reproduce:
1. Use oc patch hco kubevirt-hyperconverged -n openshift-cnv --type=json -p '[{"op": "replace", "path": /spec/tlsSecurityProfile, "value": {custom: {minTLSVersion: "VersionTLS13", ciphers: ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256","ECDHE-RSA-AES128-SHA"]}, type: "Custom"} }]'
2.
3.

Actual results:
Error message is misleading.

Expected results:

Additional info:
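The validation rule discussed in this bug, as an added example in Go that is not HCO's or KubeVirt's code: a hypothetical CustomProfile type standing in for spec.tlsSecurityProfile.custom, a hand-written subset of the OpenSSL-to-IANA cipher name table (ECDHE-RSA-AES128-SHA is TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), and a Validate/ToTLSConfig pair built on crypto/tls. It shows why a webhook rejects any cipher list at VersionTLS13 instead of filtering out the "lower" suites the description expects: tls.Config.CipherSuites only governs TLS 1.0 to 1.2, so a list of TLS 1.3 suite names would silently do nothing. Rejecting suites that crypto/tls marks Insecure is this example's own choice, not something the page states.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// CustomProfile is a hypothetical stand-in for the HCO
// spec.tlsSecurityProfile.custom block (not the real CRD type). MinTLSVersion
// uses the OpenShift spelling ("VersionTLS12", "VersionTLS13"); Ciphers may be
// OpenSSL names, as OpenShift profiles use them, or IANA names.
type CustomProfile struct {
	MinTLSVersion string
	Ciphers       []string
}

// ErrCiphersWithTLS13 carries the message the HCO webhook returned during verification.
var ErrCiphersWithTLS13 = errors.New("custom ciphers cannot be selected when minTLSVersion is VersionTLS13")

// tlsVersions maps the OpenShift spelling to crypto/tls constants.
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// opensslToIANA is a hand-written subset covering the OpenSSL-style name used on
// this page plus two common ones; a real implementation needs the full table.
var opensslToIANA = map[string]string{
	"ECDHE-RSA-AES128-SHA":        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
	"ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// LookupSuite resolves an OpenSSL or IANA name to the suite crypto/tls
// implements. Insecure suites are searched too so Validate can name them in
// its error instead of silently dropping them.
func LookupSuite(name string) (*tls.CipherSuite, bool) {
	if iana, ok := opensslToIANA[name]; ok {
		name = iana
	}
	for _, list := range [][]*tls.CipherSuite{tls.CipherSuites(), tls.InsecureCipherSuites()} {
		for _, cs := range list {
			if cs.Name == name {
				return cs, true
			}
		}
	}
	return nil, false
}

// Validate applies the rule the webhook enforces: at VersionTLS13 a custom
// cipher list is rejected outright rather than filtered, because crypto/tls
// does not let callers choose TLS 1.3 suites, so any list would be a no-op.
func Validate(p CustomProfile) error {
	if _, ok := tlsVersions[p.MinTLSVersion]; !ok {
		return fmt.Errorf("custom profile requires a known minTLSVersion, got %q", p.MinTLSVersion)
	}
	if len(p.Ciphers) > 0 && p.MinTLSVersion == "VersionTLS13" {
		return ErrCiphersWithTLS13
	}
	for _, c := range p.Ciphers {
		cs, ok := LookupSuite(c)
		if !ok {
			return fmt.Errorf("unknown cipher suite %q", c)
		}
		if cs.Insecure { // this example's own policy, not the page's
			return fmt.Errorf("cipher suite %q is marked insecure by crypto/tls", c)
		}
	}
	return nil
}

// ToTLSConfig turns a valid profile into a *tls.Config. TLS 1.3-only suite
// names are returned in ignored instead of being set: tls.Config.CipherSuites
// governs TLS 1.0-1.2 only, and TLS 1.3 always uses Go's fixed suite set.
func ToTLSConfig(p CustomProfile) (cfg *tls.Config, ignored []string, err error) {
	if verr := Validate(p); verr != nil {
		return nil, nil, verr
	}
	cfg = &tls.Config{MinVersion: tlsVersions[p.MinTLSVersion]}
	for _, c := range p.Ciphers {
		cs, _ := LookupSuite(c) // already checked by Validate
		if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
			ignored = append(ignored, cs.Name)
			continue
		}
		cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
	}
	return cfg, ignored, nil
}

func main() {
	// The profiles from the patch commands on this bug, reduced to their fields.
	fmt.Println("TLS 1.3 + ciphers:", Validate(CustomProfile{MinTLSVersion: "VersionTLS13",
		Ciphers: []string{"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "ECDHE-RSA-AES128-SHA"}}))
	cfg, ignored, err := ToTLSConfig(CustomProfile{MinTLSVersion: "VersionTLS12",
		Ciphers: []string{"TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-SHA"}})
	fmt.Printf("TLS 1.2: err=%v min=%#x suites=%#x ignored=%v\n", err, cfg.MinVersion, cfg.CipherSuites, ignored)
}
```

Running it shows the TLS 1.3 profile with ciphers rejected with the webhook's message, and the TLS 1.2 profile producing a config whose CipherSuites holds only the CBC suite while TLS_AES_128_GCM_SHA256 lands in ignored, which is the behaviour that makes "filter out the lower ciphers" the wrong fix: at VersionTLS13 the whole list is ignored by crypto/tls, so rejecting it is the only way to surface the misconfiguration.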