Bug 2166923 - Support HCO jsonpatch annotation for SSP
Summary: Support HCO jsonpatch annotation for SSP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Installation
Version: 4.12.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 4.12.2
Assignee: Simone Tiraboschi
QA Contact: SATHEESARAN
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-02-03 14:16 UTC by SATHEESARAN
Modified: 2023-03-29 17:36 UTC (History)
2 users (show)

Fixed In Version: hco-bundle-registry-container-v4.12.2-2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-29 17:36:10 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github kubevirt hyperconverged-cluster-operator pull 2229 0 None Merged Introduce a new jsonpatch annotation for SSP 2023-02-14 14:45:39 UTC
Github kubevirt hyperconverged-cluster-operator pull 2240 0 None Merged [release-1.8] Introduce a new jsonpatch annotation for SSP (#2229) 2023-02-14 14:45:40 UTC
Red Hat Issue Tracker CNV-25035 0 None None None 2023-02-03 14:17:07 UTC
Red Hat Product Errata RHEA-2023:1523 0 None None None 2023-03-29 17:36:20 UTC

Description SATHEESARAN 2023-02-03 14:16:33 UTC 
Description of problem:
-----------------------
HCO jsonpatch annotation[1] support modifying HCO managed CRs (i.e) KubeVirt, CDI, CNAO. There is no support for changing SSP using HCO jsonpatch annotation.

In the case of Crypto policy feature for CNV v4.12, to enable modifing TLS security policy of specific CR (i.e) SSP, we would need HCO jsonpatch annotation support SSP.

[1] - https://github.com/kubevirt/hyperconverged-cluster-operator/blob/main/docs/cluster-configuration.md#jsonpatch-annotations

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
CNV v4.12

How reproducible:
-----------------
Always

Steps to Reproduce:
-------------------
1. Modify SSP .spec.tlsSecurityProfile using HCO jsonpatch annotation
# oc annotate --overwrite hco kubevirt-hyperconverged -n openshift-cnv ssp.kubevirt.io/jsonpatch='[{"op": "add", "path": "/spec/tlsSecurityProfile", "value": {"type": "Old", "old": {}, "intermediate": null, "modern": null, "custom": null}}]'

Actual results:
---------------
HCO jsonpatch annotation doesn't work to update SSP

Expected results:
-----------------
HCO jsonpatch annotation should support updating SSP operator
Comment 2 SATHEESARAN 2023-03-07 12:38:33 UTC 
Tested with CNV v4.12.2-7. HCO supports jsonpatch annotation for SSP using the key 'ssp.kubevirt.io/jsonpatch'

Following is the test performed to verify this bug:
1. Get the value of ssp.spec.tlsSecurityProfile
$ oc get ssp ssp-kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.tlsSecurityProfile}'
{"intermediate":{},"type":"Intermediate"}

2. Add HCO jsonpatch annotation to modify ssp.spec.tlsSecurityProfile to 'Old' profile
$ oc annotate --overwrite hco kubevirt-hyperconverged -n openshift-cnv ssp.kubevirt.io/jsonpatch='[{"op": "add", "path": "/spec/tlsSecurityProfile", "value": {"type": "Old", "old":{}, "intermediate": null, "modern": null, "custom": null}}]'
hyperconverged.hco.kubevirt.io/kubevirt-hyperconverged annotated

3. Validate that ssp.spec.tlsSecurityProfile is updated.
$ oc get ssp ssp-kubevirt-hyperconverged -n openshift-cnv -o jsonpath='{.spec.tlsSecurityProfile}'
{"old":{},"type":"Old"}


Moving this bug to VERIFIED based on the above validation.
Comment 12 errata-xmlrpc 2023-03-29 17:36:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Virtualization 4.12.2 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:1523
Note You need to log in before you can comment on or make changes to this bug.