Description of problem (please be as detailed as possible and provide log snippets):
ODF generates this route, which the OCP compliance operator flags as non-compliant, as it scans only for `insecureEdgeTerminationPolicy: None | Redirect` but not `Allow`.
Compliance code: https://github.com/ComplianceAsCode/content/commit/1de41ddd8b2dad9b182d9fdc5b8fac3ef5bf2987#diff-449e1d7f982cf0a61ed9e0f3d8899d022efedf8c7e20a5e44c53aae27cf58c86R23
~~~
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: "2023-06-28T19:45:56Z"
  labels:
    app: noobaa
  name: s3
  namespace: openshift-storage
  ownerReferences:
  - apiVersion: noobaa.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: NooBaa
    name: noobaa
    uid: c328db12-fe02-40e6-8424-873a36f71c53
  resourceVersion: "264239411"
  uid: f25864ed-ed87-4fdd-b10d-f39e2395d18b
spec:
  host: s3-openshift-storage.apps.serenity.k8s.local
  port:
    targetPort: s3-https
  tls:
    insecureEdgeTerminationPolicy: Allow
    termination: reencrypt
  to:
    kind: Service
    name: s3
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2023-06-28T19:45:56Z"
      status: "True"
      type: Admitted
    host: s3-openshift-storage.apps.serenity.k8s.local
    routerCanonicalHostname: router-default.apps.serenity.k8s.local
    routerName: default
    wildcardPolicy: None
~~~
Version of all relevant components (if applicable):
OCP 4.13 https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-release-notes.html
Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
Yes. Since the OpenShift compliance operator marks the ODF route as non-compliant, some customers' and partners' ODF installations become non-compliant.
Is there any workaround available to the best of your knowledge?
No
Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
3
Can this issue be reproduced?
Yes
Can this issue be reproduced from the UI?
Yes
If this is a regression, please provide more details to justify this:
N/A
Steps to Reproduce:
1. Install OCP 4.13 and the latest ODF version
2. Install the OCP compliance operator
3. Run a scan: https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-scans.html
Actual results:
The scan marks the route described above as non-compliant.
Expected results:
ODF should not create a route with spec `insecureEdgeTerminationPolicy: Allow`.
Additional info:
N/A
Removed the email 'nimrody' which has nothing to do with this bug.
Verified with build 4.16.0-89. After editing noobaa to set `denyHTTP: true`, `insecureEdgeTerminationPolicy` changes to `None` as expected.
<snipped>
~~~
spec:
  host: s3-openshift-storage.apps.tunguyen-429.ibmcloud2.qe.rh-ocs.com
  port:
    targetPort: s3-https
  tls:
    insecureEdgeTerminationPolicy: None
    termination: reencrypt
  to:
    kind: Service
    name: s3
    weight: 100
  wildcardPolicy: None
~~~
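An added audit check, not part of this bug or of ODF/NooBaa code, that flags Routes admitting plaintext HTTP: it applies the same accepted set (`None`, `Redirect`) as the compliance rule cited in the report, so the `Allow` route from the report is flagged and the verified `None` route passes. It assumes input shaped like `oc get routes -A -o json` (the embedded sample is constructed with placeholder hosts) and, as a generalization beyond the report, also flags a Route that has no `tls` stanza at all, since such a route is served over plaintext only.

```python
import json
import sys

# Constructed sample shaped like `oc get routes -A -o json`: the first item
# mirrors the reported route, the second the verified state after denyHTTP: true,
# the third a Route with no tls stanza (hosts are placeholders).
SAMPLE_ROUTE_LIST = json.loads("""
{"kind": "RouteList", "items": [
  {"metadata": {"name": "s3", "namespace": "openshift-storage"},
   "spec": {"host": "s3-openshift-storage.apps.example.invalid",
            "tls": {"termination": "reencrypt",
                    "insecureEdgeTerminationPolicy": "Allow"}}},
  {"metadata": {"name": "s3", "namespace": "openshift-storage-fixed"},
   "spec": {"host": "s3-openshift-storage-fixed.apps.example.invalid",
            "tls": {"termination": "reencrypt",
                    "insecureEdgeTerminationPolicy": "None"}}},
  {"metadata": {"name": "plain", "namespace": "demo"},
   "spec": {"host": "plain-demo.apps.example.invalid"}}
]}
""")

# The policies the cited compliance rule accepts; anything else is a finding.
ACCEPTED_POLICIES = {"None", "Redirect"}


def route_finding(route):
    """Return None if the Route never serves plaintext HTTP, else the reason."""
    tls = route.get("spec", {}).get("tls")
    if tls is None:
        return "no tls stanza: route is served over plaintext HTTP only"
    # The router treats an absent policy as None (no insecure listener).
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if policy not in ACCEPTED_POLICIES:
        return f"insecureEdgeTerminationPolicy: {policy} accepts plaintext HTTP"
    return None


def audit_routes(route_list):
    """Map 'namespace/name' -> reason for every Route that admits plaintext."""
    findings = {}
    for route in route_list.get("items", []):
        reason = route_finding(route)
        if reason:
            meta = route["metadata"]
            findings[f"{meta['namespace']}/{meta['name']}"] = reason
    return findings


if __name__ == "__main__":
    # Optional argv[1]: a file saved from `oc get routes -A -o json`.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ROUTE_LIST
    for key, reason in audit_routes(data).items():
        print(f"{key}: {reason}")
```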
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:4591