Description of problem:
----------------------

Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.8.0

How reproducible:
----------------
100%

Steps to Reproduce:
------------------
+++ Scenario A (small values) +++
1. oc edit hco kubevirt-hyperconverged -n openshift-cnv
2. set any certConfig field value (ca/server - duration/renewBefore) to 1s.
3. save the change.

+++ Scenario B (duration < renewBefore) +++
1. oc edit hco kubevirt-hyperconverged -n openshift-cnv
2. set certConfig.ca.duration to 10m.
3. set certConfig.ca.renewBefore to 20m.
4. save the change.

Actual results:
--------------
Scenario A - value accepted.
Scenario B - values are accepted regardless of the given logical conflict (duration < renewBefore).

Expected results:
----------------
Scenario A - very small values should be rejected/reconciled.
Scenario B - this should be validated and rejected when editing/patching the CR.

The diff factor between duration and renewBefore should be decided for enforcement, which will enforce consistently both scenarios, e.g. if the minimum value should be 5s, then we should enforce "duration + 5 >= renewBefore" as well.

Additional info:
---------------
decision required: what is a very small value?
Verified with a cluster installed from scratch CNV 4.8.0
--------------------------------------------------------
IIB: registry-proxy.engineering.redhat.com/rh-osbs/iib:76375
HCO:[v4.8.0-350]

I tried to change each of the certconfig fields to a value smaller than 10m. OK. A corresponding error was displayed:

[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.ca.duration: value is too small
You can run `oc replace -f /tmp/oc-edit-jfijg.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.ca.renewBefore: value is too small
You can run `oc replace -f /tmp/oc-edit-d69p5.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.server.duration: value is too small
You can run `oc replace -f /tmp/oc-edit-kjqzg.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.server.renewBefore: value is too small
You can run `oc replace -f /tmp/oc-edit-aid8z.yaml` to try this update again.

I tried to change the certconfig fields (in ca and server stanzas) to violate the condition duration <= renewBefore. OK. A corresponding error was displayed:

[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
Edit cancelled, no changes made.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.ca: duration is smaller than renewBefore
You can run `oc replace -f /tmp/oc-edit-j7am9.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$ oc edit hco -n openshift-cnv kubevirt-hyperconverged
error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig.server: duration is smaller than renewBefore
You can run `oc replace -f /tmp/oc-edit-hb3os.yaml` to try this update again.
[cnv-qe-jenkins@besso-48-rdc85-executor ~]$

Additionally, I tested the margins:
* 9m59s is rejected
* 10m is accepted

Moved to VERIFIED.
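
The two checks exercised in the verification above, sketched in Go as an added example; this is not the HyperConverged Cluster Operator's own webhook code. The names CertRotation and ValidateStanza are hypothetical, while the 10m minimum and the error strings are taken from the output in this report.

```go
package main

import (
	"fmt"
	"time"
)

// Minimum taken from the verification above: 9m59s was rejected, 10m accepted.
const minCertValue = 10 * time.Minute

// CertRotation is a hypothetical stand-in for one certConfig stanza (ca or server).
type CertRotation struct {
	Duration, RenewBefore string
}

// ValidateStanza applies the two checks seen in the webhook output; name is "ca" or "server".
func ValidateStanza(name string, c CertRotation) error {
	path := "spec.certConfig." + name
	fields := []struct{ key, raw string }{
		{"duration", c.Duration},
		{"renewBefore", c.RenewBefore},
	}
	parsed := make([]time.Duration, len(fields))
	for i, f := range fields {
		v, err := time.ParseDuration(f.raw)
		if err != nil {
			return fmt.Errorf("%s.%s: %v", path, f.key, err)
		}
		if v < minCertValue { // Scenario A: each field is checked on its own
			return fmt.Errorf("%s.%s: value is too small", path, f.key)
		}
		parsed[i] = v
	}
	// Scenario B: both values can be large enough and still conflict.
	// Treating duration == renewBefore as accepted is an assumption.
	if parsed[0] < parsed[1] {
		return fmt.Errorf("%s: duration is smaller than renewBefore", path)
	}
	return nil
}

func main() {
	// Constructed inputs: Scenario A, Scenario B, the tested margin, a valid pair.
	cases := []CertRotation{{"1s", "24h"}, {"10m", "20m"}, {"9m59s", "9m59s"}, {"48h", "24h"}}
	for _, c := range cases {
		fmt.Printf("%+v -> %v\n", c, ValidateStanza("ca", c))
	}
}
```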
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.8.0 Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2920