Bug 1829501 - Fix TLS parameter parsing in prometheus-operator
Summary: Fix TLS parameter parsing in prometheus-operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.5
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.5.0
Assignee: Paul Gier
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-29 16:13 UTC by Paul Gier
Modified: 2020-07-13 17:33 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:32:51 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift prometheus-operator pull 67 | 0 | None | closed | Bug 1829501: fix TLS cli parameters | 2020-06-24 01:29:05 UTC
Red Hat Product Errata | RHBA-2020:2409 | 0 | None | None | None | 2020-07-13 17:33:14 UTC

Description Paul Gier 2020-04-29 16:13:10 UTC
Description of problem:

Two of the new TLS flags (web.tls-min-version and web.tls-cipher-suites) were added as part of the default flagset instead of the locally defined flagset, causing them to not be parsed correctly. This fix should be backported from upstream (https://github.com/coreos/prometheus-operator/pull/3157).
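
The failure mode described above, reproduced with Go's standard `flag` package as an added example (not code from prometheus-operator or the upstream pull request). The flag set names, the `log-level` flag and the sample arguments are constructed, and a second `FlagSet` stands in for the package-level default `flag.CommandLine` so the functions can be called repeatedly.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// Constructed sample arguments using the two flag names from the bug report.
var sampleArgs = []string{
	"--web.tls-min-version=VersionTLS12",
	"--web.tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

// parseBuggy registers the TLS flags on one flag set and parses another.
func parseBuggy(args []string) (minVersion string, err error) {
	// Assumption: "global" stands in for the default flag.CommandLine.
	global := flag.NewFlagSet("default", flag.ContinueOnError)
	local := flag.NewFlagSet("operator", flag.ContinueOnError)
	local.SetOutput(io.Discard) // keep usage text out of the demo output

	local.String("log-level", "info", "hypothetical flag on the local set")
	minV := global.String("web.tls-min-version", "VersionTLS13", "minimum TLS version")
	global.String("web.tls-cipher-suites", "", "comma-separated cipher suites")

	// The local set has no web.tls-* flags, so parsing fails and the
	// TLS settings keep their defaults instead of the requested values.
	err = local.Parse(args)
	return *minV, err
}

// parseFixed registers every flag on the set that is actually parsed.
func parseFixed(args []string) (minVersion, suites string, err error) {
	local := flag.NewFlagSet("operator", flag.ContinueOnError)
	local.SetOutput(io.Discard)
	minV := local.String("web.tls-min-version", "VersionTLS13", "minimum TLS version")
	cs := local.String("web.tls-cipher-suites", "", "comma-separated cipher suites")
	err = local.Parse(args)
	return *minV, *cs, err
}

func main() {
	v, err := parseBuggy(sampleArgs)
	fmt.Printf("buggy: min=%s err=%v\n", v, err)
	v, cs, err := parseFixed(sampleArgs)
	fmt.Printf("fixed: min=%s suites=%s err=%v\n", v, cs, err)
}
```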

Comment 4 Junqi Zhao 2020-05-06 09:03:44 UTC
Checked with 4.5.0-0.nightly-2020-05-05-205255; the parameters are right in the prometheus-operator image, but still wrong in the prometheus-operator deployment. Example: tls-cipher-suites should be web.tls-cipher-suites
  -web.tls-cipher-suites string
    	Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).If omitted, the default Go cipher suites will be used.Note that TLS 1.3 ciphersuites are not configurable.
  -web.tls-min-version string
    	Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. (default "VersionTLS13")

# oc -n openshift-monitoring get deploy/prometheus-operator -oyaml
        image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c7339851e78b1f7ca1579757620113e81384a0232f4851792c0082ecf07992f5
        imagePullPolicy: IfNotPresent
        name: prometheus-operator
	...
      - args:
        - --logtostderr
        - --secure-listen-address=:8443
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - --upstream=http://127.0.0.1:8080/
        - --tls-cert-file=/etc/tls/private/tls.crt
        - --tls-private-key-file=/etc/tls/private/tls.key

Comment 5 Paul Gier 2020-05-06 13:37:48 UTC
The "--tls-cipher-suites" parameter here is currently only used for the kube-rbac-proxy container. We're not currently using this setting for the prometheus-operator. The new parameter won't be used in OpenShift until we merge the prometheus rule validation webhook configuration, which will be in 4.6.

I think this one is ok to close as long as the new parameter is available in prometheus-operator.

Comment 7 errata-xmlrpc 2020-07-13 17:32:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
