Bug 2071792 - Non-kubeadmin user will not have access to openshift-config ns to pull secret/CM for adding private HCR in a namespace
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.12.0
Assignee: kmamgain
QA Contact: Sushanta Das
Shreya Siddhartha
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-04-04 19:41 UTC by Debsmita Santra
Modified: 2023-01-17 19:48 UTC (History)

Fixed In Version: 4.12
Doc Type: Bug Fix
Doc Text:
* Previously, the `openshift-config` namespace was hardcoded for the `HelmChartRepository` custom resource, which was the same namespace for the `ProjectHelmChartRepository` custom resource. This prevented users from adding private `ProjectHelmChartRepository` custom resources in their desired namespace. Consequently, users were unable to access secrets and configmaps in the `openshift-config` namespace. This update fixes the project Helm chart repository custom resource definition with a namespace field that can read the secret and configmaps from a namespace of choice by a user with the correct permissions. Additionally, the user can add secrets and configmaps to the accessible namespace, and they can add private Helm chart repositories in the namespace using the created resources. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2071792[*BZ#2071792*])
Clone Of:
Environment:
Last Closed: 2023-01-17 19:48:11 UTC
Target Upstream Version:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift console pull 11571 | 0 | None | open | Bug 2071792: Support namespace of choice for the user that wants to use TLS verification | 2022-08-10 17:09:42 UTC |
| Red Hat Issue Tracker | RHDEVDOCS-4221 | 0 | None | None | None | 2022-07-06 12:24:55 UTC |
| Red Hat Product Errata | RHSA-2022:7399 | 0 | None | None | None | 2023-01-17 19:48:35 UTC |

Description Debsmita Santra 2022-04-04 19:41:36 UTC
Description of problem:
A non-kubeadmin user will not have access to openshift-config namespace. As a result, the user will not be able to add a private helm chart repository in a ns as it would require adding secret & configmap in the above mentioned namespace. 

Actual results:
The user is not able to access secrets/configmaps in the openshift-config namespace


Expected results:
The user should be able to add secret & configmap to an accessible namespace and should be able to add private helm chart repository in the namespace using the above created resources.


Additional info:
https://github.com/openshift/console/blob/master/pkg/helm/chartproxy/repos.go#L41

https://github.com/openshift/api/blob/master/helm/v1beta1/0000_10-project-helm-chart-repository.crd.yaml#L57

Comment 1 David Peraza 2022-04-04 21:06:22 UTC
Will take a look at this, thanks for the find.

Comment 6 Christoph Jerolimov 2022-08-31 09:46:44 UTC
Verified on 4.12.0-ec.2 with a user with limited access (only my own created projects) that I can create a ProjectHelmChartRepository and that I can see the results on the Add > Helm Charts page.

@dperaza @dsantra Added a note to the ODC/helm chart sync meeting if we want to backport this change.

Comment 9 errata-xmlrpc 2023-01-17 19:48:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

