Bug 2067079 - [GSS] [RFE] Add termination policy to ocs-storagecluster-cephobjectstore route
Summary: [GSS] [RFE] Add termination policy to ocs-storagecluster-cephobjectstore route
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: ocs-operator
Version: 4.8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ODF 4.11.0
Assignee: Jiffin
QA Contact: Parikshith
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-03-23 09:04 UTC by Eran Tamir
Modified: 2023-08-09 17:00 UTC (History)
11 users (show)

Fixed In Version: 4.11.0-66
Doc Type: Bug Fix
Doc Text:
.Add termination policy to `ocs-storagecluster-cephobjectstore` route Previously, in a closed environment, publicly accessible OpenShift routes were raising security concerns. When the existing route for RGW with SSL policy or deleted, the OCS-Operator was reconciled and reset to default. Resulting in security checks failing for RGW OpenShift routes. This release update provides an option to disable the route creation for RGW in the `storage-cluster.yaml` which allows the creation of an OpenShift route for RGW that can be disabled.
Clone Of:
Environment:
Last Closed: 2022-08-24 13:49:54 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github red-hat-storage ocs-ci pull 6447 0 None Merged Closed loop 2067079 2063691: Test s3 routes update/reconcile 2022-09-27 11:05:23 UTC
Github red-hat-storage ocs-operator pull 1600 0 None open Bug 2067079: add termination policy to TLS in cephobjectstore route 2022-03-23 13:50:19 UTC
Github red-hat-storage ocs-operator pull 1618 0 None open add a option to disable route for cephobjectstore 2022-04-06 12:00:51 UTC
Red Hat Product Errata RHSA-2022:6156 0 None None None 2022-08-24 13:50:41 UTC

Description Eran Tamir 2022-03-23 09:04:50 UTC 
This bug was initially created as a copy of Bug #2063691

I am copying this bug because: 

Separating between MCG and RGW routes. 

Description of problem (please be detailed as possible and provide log
snippets):

- Add termination policy to  ocs-storagecluster-cephobjectstore route


Version of all relevant components (if applicable):

- All

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?

- Cu is getting compliant issues because of "EdgeTerminationPolicy" of these 
  routes.

Is there any workaround available to the best of your knowledge?

- The route can be patched with the following command but it gets reconciled.

oc patch route s3 -n openshift-storage --type merge -p '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"reencrypt"}}}'

- Thus we need to add this parameter in the Cephobjectstore CR so that it won't 
  be reconciled.

Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


N/A

Can this issue reproducible?

N/A

Can this issue reproduce from the UI?

N/A

If this is a regression, please provide more details to justify this:

N/A

Steps to Reproduce:
N/A

Actual results:

- The termination policy to ocs-storagecluster-cephobjectstore route gets reconciled.


Expected results:

- Add termination policy toocs-storagecluster-cephobjectstore route without reconcilation.


Additional info:

In the next steps.
Comment 4 Travis Nielsen 2022-03-30 16:56:26 UTC 
Moving to OCS operator where the fix is applicable
Comment 9 Martin Bukatovic 2022-05-09 17:53:25 UTC 
QE will test that ocs-storagecluster-cephobjectstore route has termination policy configuration '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"reencrypt"}}}' applied.
Comment 17 errata-xmlrpc 2022-08-24 13:49:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, & bugfix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:6156
Note You need to log in before you can comment on or make changes to this bug.