Bug 1956245 - [certificate renewal] not enforcing small time values and duration < renewBefore
Summary: [certificate renewal] not enforcing small time values and duration < renewBefore
Keywords:
Status: ON_QA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Installation
Version: 4.8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Simone Tiraboschi
QA Contact: Inbar Rose
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-03 09:55 UTC by ibesso
Modified: 2021-05-05 22:03 UTC

Fixed In Version: hco-bundle-registry:v4.8.0-312
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | kubevirt hyperconverged-cluster-operator pull 1311 | 0 | None | closed | Enforce more checks on certConfig | 2021-05-04 15:30:48 UTC
Github | kubevirt hyperconverged-cluster-operator pull 1315 | 0 | None | closed | [release-1.4] Enforce more checks on certConfig | 2021-05-04 15:30:56 UTC
Github | kubevirt hyperconverged-cluster-operator pull 1316 | 0 | None | closed | Change the enforced min value for cert rotation | 2021-05-04 15:30:58 UTC
Github | kubevirt hyperconverged-cluster-operator pull 1321 | 0 | None | closed | [release-1.4] Change the enforced min value for cert rotation | 2021-05-05 09:51:49 UTC

Description ibesso 2021-05-03 09:55:28 UTC
Description of problem:
----------------------


Version-Release number of selected component (if applicable):
------------------------------------------------------------
4.8.0


How reproducible:
----------------
100%

Steps to Reproduce:
------------------

+++ Scenario A (small values) +++

1. oc edit hco kubevirt-hyperconverged -n openshift-cnv

2. set any certConfig field value (ca/server - duration/renewBefore) to 1s.

3. save the change.

+++ Scenario B (duration < renewBefore) +++
1. oc edit hco kubevirt-hyperconverged -n openshift-cnv

2. set certConfig.ca.duration to 10m.

3. set certConfig.ca.renewBefore to 20m.

4. save the change.


Actual results:
--------------
Scenario A - value accepted.
Scenario B - values are accepted regardless of the given logical conflict (duration < renewBefore).

Expected results:
----------------
Scenario A - very small values should be rejected/reconciled.
Scenario B - this should be validated and rejected when editing/patching the CR. The diff factor between duration and renewBefore should be decided for enforcement, which will consistently enforce both scenarios, e.g. if the minimum value should be 5s, then we should enforce "duration + 5 >= renewBefore" as well.


Additional info:
---------------
Decision required: what is a very small value?
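
An added example, not the operator's code and not the fix from the linked pull requests: a Go check that rejects both scenarios in this report before a certConfig pair is accepted. The CertRotation type, the validateRotation function and the 10m floor are assumptions made for illustration; the report leaves the real minimum undecided.

```go
package main

import (
	"fmt"
	"time"
)

// minCertValue is an assumed floor for illustration only; the report
// leaves the real minimum as an open decision.
const minCertValue = 10 * time.Minute

// CertRotation is a hypothetical stand-in for one certConfig entry (ca or server).
type CertRotation struct {
	Duration    string
	RenewBefore string
}

// validateRotation returns an error for Scenario A (a value below the floor)
// and for Scenario B (duration < renewBefore); nil means the pair is accepted.
func validateRotation(name string, c CertRotation) error {
	d, err := time.ParseDuration(c.Duration)
	if err != nil {
		return fmt.Errorf("certConfig.%s.duration: %w", name, err)
	}
	r, err := time.ParseDuration(c.RenewBefore)
	if err != nil {
		return fmt.Errorf("certConfig.%s.renewBefore: %w", name, err)
	}
	if d < minCertValue {
		return fmt.Errorf("certConfig.%s.duration %v is below the minimum %v", name, d, minCertValue)
	}
	if r < minCertValue {
		return fmt.Errorf("certConfig.%s.renewBefore %v is below the minimum %v", name, r, minCertValue)
	}
	if d < r {
		return fmt.Errorf("certConfig.%s.duration %v is shorter than renewBefore %v", name, d, r)
	}
	return nil
}

func main() {
	// Constructed inputs: Scenario A, Scenario B, and one consistent pair.
	samples := []CertRotation{{"1s", "1s"}, {"10m", "20m"}, {"48h", "24h"}}
	for _, s := range samples {
		fmt.Printf("%+v -> %v\n", s, validateRotation("ca", s))
	}
}
```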

