Bug 1957822 - Update apiserver tlsSecurityProfile description to include Custom profile
Summary: Update apiserver tlsSecurityProfile description to include Custom profile
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.8
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: 4.8.0
Assignee: Standa Laznicka
QA Contact: liyao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-06 14:30 UTC by Andrea Hoffer
Modified: 2021-07-27 23:07 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:06:51 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift api pull 922 0 None open Bug 1957822: apiserver.config: add 'Custom' to available TLSSecurityProfiles 2021-05-11 11:25:26 UTC
Github openshift cluster-config-operator pull 206 0 None open Bug 1957822: bump o/api to get the apiserver.TLSProfile doc update 2021-06-08 08:00:30 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:07:14 UTC

Description Andrea Hoffer 2021-05-06 14:30:29 UTC 
Description of problem:

oc explain apiserver.spec shows this description for the tlsSecurityProfile field:

>   tlsSecurityProfile	<Object>
>     tlsSecurityProfile specifies settings for TLS connections for externally
>     exposed servers. If unset, a default (which may change between releases) is
>     chosen. Note that only Old and Intermediate profiles are currently
>     supported, and the maximum available MinTLSVersions is VersionTLS12.

This mentions that only Old and Intermediate profiles are supported, but Custom should also be added.

Should also take a look at the output for "oc explain apiserver.spec.tlsSecurityProfile". This lists the "modern" field and "Modern as an option for "type", which I don't think is a valid option.


Version-Release number of selected component (if applicable):

Client Version: 4.8.0-202104292348.p0-a765590
Server Version: 4.8.0-0.nightly-2021-04-30-201824
Kubernetes Version: v1.21.0-rc.0+aa1dc1f
Comment 2 liyao 2021-06-07 08:14:06 UTC 
Tested in 4.8.0-0.nightly-2021-06-06-164529:

oc explain apiserver.spec output shows only Old and Intermediate profiles, Custom is not added.

   tlsSecurityProfile	<Object>
     tlsSecurityProfile specifies settings for TLS connections for externally
     exposed servers. If unset, a default (which may change between releases) is
     chosen. Note that only Old and Intermediate profiles are currently
     supported, and the maximum available MinTLSVersions is VersionTLS12.
Comment 4 liyao 2021-06-15 03:51:25 UTC 
Tested in 4.8.0-0.nightly-2021-06-14-145150

oc explain apiserver.spec output shows Custom Profile is added.
   tlsSecurityProfile	<Object>
     tlsSecurityProfile specifies settings for TLS connections for externally
     exposed servers. If unset, a default (which may change between releases) is
     chosen. Note that only Old, Intermediate and Custom profiles are currently
     supported, and the maximum available MinTLSVersions is VersionTLS12.
Comment 7 errata-xmlrpc 2021-07-27 23:06:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
Note You need to log in before you can comment on or make changes to this bug.