Bug 2283797 - ODF Nooba creates route which OpenShift compliance operator marks as non-compliant
Summary: ODF Nooba creates route which OpenShift compliance operator marks as non-comp...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: ocs-operator
Version: 4.16
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Target Release: ODF 4.16.0
Assignee: Nitin Goyal
QA Contact: Shivam Durgbuns
URL:
Whiteboard:
Depends On: 2222146
Blocks:
Reported: 2024-05-29 11:51 UTC by Nitin Goyal
Modified: 2024-07-17 13:24 UTC (History)

Fixed In Version: 4.16.0-118
Doc Type: Enhancement
Doc Text:
.Multicloud Object Gateway created routes to work with HTTPS only
For deployments that want to disable HTTP and use only HTTPS, an option is added to set `DenyHTTP` in the storage cluster CR (`spec.multiCloudGateway.denyHTTP`). This causes the routes created by the Multicloud Object Gateway to use HTTPS only.
Clone Of: 2222146
Environment:
Last Closed: 2024-07-17 13:24:02 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github red-hat-storage ocs-operator pull 2632 0 None open noobaa: provide denyHTTP option to NooBaa CR 2024-05-29 11:52:57 UTC
Github red-hat-storage ocs-operator pull 2633 0 None open Bug 2283797:[release-4.16] noobaa: provide denyHTTP option to NooBaa CR 2024-05-29 12:37:48 UTC
Red Hat Product Errata RHSA-2024:4591 0 None None None 2024-07-17 13:24:06 UTC

Description Nitin Goyal 2024-05-29 11:51:56 UTC
+++ This bug was initially created as a clone of Bug #2222146 +++

Description of problem (please be as detailed as possible and provide log
snippets): 

ODF generates this route, which the OCP compliance operator flags as non-compliant, as it accepts only `insecureEdgeTerminationPolicy: None | Redirect` but not `Allow`.

Compliance code : https://github.com/ComplianceAsCode/content/commit/1de41ddd8b2dad9b182d9fdc5b8fac3ef5bf2987#diff-449e1d7f982cf0a61ed9e0f3d8899d022efedf8c7e20a5e44c53aae27cf58c86R23
 
~~~
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: "2023-06-28T19:45:56Z"
  labels:
    app: noobaa
  name: s3
  namespace: openshift-storage
  ownerReferences:
  - apiVersion: noobaa.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: NooBaa
    name: noobaa
    uid: c328db12-fe02-40e6-8424-873a36f71c53
  resourceVersion: "264239411"
  uid: f25864ed-ed87-4fdd-b10d-f39e2395d18b
spec:
  host: s3-openshift-storage.apps.serenity.k8s.local
  port:
    targetPort: s3-https
  tls:
    insecureEdgeTerminationPolicy: Allow
    termination: reencrypt
  to:
    kind: Service
    name: s3
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2023-06-28T19:45:56Z"
      status: "True"
      type: Admitted
    host: s3-openshift-storage.apps.serenity.k8s.local
    routerCanonicalHostname: router-default.apps.serenity.k8s.local
    routerName: default
    wildcardPolicy: None
~~~


Version of all relevant components (if applicable): OCP 4.13 https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-operator-release-notes.html


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)? Yes, since the OpenShift compliance operator marks the ODF route as non-compliant, it makes some customers' and partners' ODF installations non-compliant.


Is there any workaround available to the best of your knowledge? No


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)? 3


Is this issue reproducible? Yes


Can this issue be reproduced from the UI? Yes


If this is a regression, please provide more details to justify this: N/A


Steps to Reproduce:
1. Install OCP 4.13 and ODF latest version 
2. Install OCP compliance operator
3. Run scan https://docs.openshift.com/container-platform/4.13/security/compliance_operator/compliance-scans.html


Actual results: Scan marks the route described above as non-compliant


Expected results: ODF should not create route with spec `insecureEdgeTerminationPolicy: Allow`


Additional info: N/A

--- Additional comment from RHEL Program Management on 2023-07-12 00:38:45 UTC ---

This bug, having no release flag set previously, is now set with release flag 'odf-4.14.0' to '?', and so is being proposed to be fixed at the ODF 4.14.0 release. Note that the 3 Acks (pm_ack, devel_ack, qa_ack), if any were previously set while the release flag was missing, have now been reset, since the Acks are to be set against a release flag.

--- Additional comment from Nimrod Becker on 2023-07-20 07:38:21 UTC ---

This comes from the desire to provide HTTP access to the S3 service, especially within the OCP cluster.
Talking to Eran (PM) we decided not to change the default and still allow HTTP, but also provide an option for customers to opt-out and disable HTTP, forcing HTTPS usage only.

--- Additional comment from Red Hat Bugzilla on 2023-08-03 08:28:27 UTC ---

Account disabled by LDAP Audit

--- Additional comment from Nimrod Becker on 2023-08-09 09:17:47 UTC ---

Past the milestone for developing and testing in 4.14, pushing to 4.15

--- Additional comment from Ronit Dey on 2023-10-03 06:35:17 UTC ---

Hello Team,

Do we have any leads/updates on this? Customers are looking forward to it. Thank you in advance.

--- Additional comment from Nimrod Becker on 2023-11-02 08:27:54 UTC ---

This has to be fixed upstream first; then we can decide if we want to backport this to 4.14.z (and/or further down).
Please coordinate with Eran/Bipin/Michael regarding backporting.

--- Additional comment from Novonil Choudhuri on 2023-11-02 16:22:14 UTC ---

@Nimrod: Can you please provide the upstream issue here?

--- Additional comment from Nimrod on 2023-11-10 06:00:36 UTC ---

Removed the email 'nimrody' which has nothing to do with this bug.

--- Additional comment from Ronit Dey on 2023-11-15 02:07:24 UTC ---

Hello @nbecker,

Hope you are doing well. Thank you for writing back. Can you provide the respective email IDs of Eran/Bipin/Michael or their full names, so that I can reach out to them regarding backporting?

In addition, please provide the upstream issue here.

--- Additional comment from Ronit Dey on 2023-11-15 02:09:57 UTC ---

Hello @jalbo,

Do we have any leads/updates on this? Customers are looking forward to it. Thank you in advance.

--- Additional comment from Asmita on 2023-12-25 08:45:07 UTC ---

Hello @jalbo,

Do we have any leads/updates on this? Customers are looking forward to it. Thank you in advance.

--- Additional comment from Nimrod Becker on 2024-01-03 09:18:29 UTC ---

This is an RFE; moving it out to 4.16, it was not planned for 4.15.

@eran FYI this is an RFE we can do at the KCS/Dev preview level

--- Additional comment from Eran Tamir on 2024-01-07 09:21:36 UTC ---

Created dev preview for 4.16 https://issues.redhat.com/browse/RHSTOR-5250
@ebenahar FYI

--- Additional comment from Jacky Albo on 2024-03-18 15:44:58 UTC ---

Added denyHTTP variable to NooBaa CRD, the default will be false, but once set to true insecureEdgeTerminationPolicy will be changed from Allow to None.

--- Additional comment from RHEL Program Management on 2024-03-19 13:09:58 UTC ---

This BZ is being approved for the ODF 4.16.0 release, upon receipt of the 3 ACKs (PM, Devel, QA) for the release flag 'odf-4.16.0'.

--- Additional comment from RHEL Program Management on 2024-03-19 13:09:58 UTC ---

Since this bug has been approved for the ODF 4.16.0 release, through release flag 'odf-4.16.0+', the Target Release is being set to 'ODF 4.16.0'.

--- Additional comment from errata-xmlrpc on 2024-04-23 12:54:09 UTC ---

This bug has been added to advisory RHBA-2023:125619 by Boris Ranto (branto)

--- Additional comment from Sunil Kumar Acharya on 2024-04-24 16:29:18 UTC ---

Please update the RDT flag/text appropriately.

--- Additional comment from Tiffany Nguyen on 2024-05-01 16:57:44 UTC ---

Verified with build 4.16.0-89.
After editing noobaa to set "denyHTTP: true", "insecureEdgeTerminationPolicy" changes to "None" as expected.

<snipped>

spec:
  host: s3-openshift-storage.apps.tunguyen-429.ibmcloud2.qe.rh-ocs.com
  port:
    targetPort: s3-https
  tls:
    insecureEdgeTerminationPolicy: None
    termination: reencrypt
  to:
    kind: Service
    name: s3
    weight: 100
  wildcardPolicy: None
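
As an added illustration (not code from this bug, from ocs-operator or from the ComplianceAsCode project), the check below evaluates Route objects the way the description says the compliance rule does: only `insecureEdgeTerminationPolicy` values of `None` or `Redirect` pass. It runs over a constructed RouteList containing the noobaa s3 Route quoted above both before and after `denyHTTP`, plus a constructed HTTP-only Route with no `tls` stanza. Reporting a Route with no `tls` stanza, and the `deny_http` helper that mirrors the Allow-to-None change described in this bug, are assumptions of this example, not the rule's or the operator's actual logic.

```python
import copy
import json

# Policies the ComplianceAsCode route rule accepts, per this bug's description.
COMPLIANT_POLICIES = {"None", "Redirect"}

# Constructed sample shaped like `oc get routes -A -o json`. The first item
# reproduces the noobaa s3 Route spec quoted in this bug (policy Allow), the
# second the same Route after denyHTTP (policy None); the third is a constructed
# HTTP-only Route with no tls stanza, to exercise that edge case.
SAMPLE_ROUTE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "s3", "namespace": "openshift-storage",
                         "labels": {"app": "noobaa"}},
            "spec": {
                "host": "s3-openshift-storage.apps.serenity.k8s.local",
                "port": {"targetPort": "s3-https"},
                "tls": {"insecureEdgeTerminationPolicy": "Allow",
                        "termination": "reencrypt"},
                "to": {"kind": "Service", "name": "s3", "weight": 100},
                "wildcardPolicy": "None",
            },
        },
        {
            "metadata": {"name": "s3-after-denyhttp", "namespace": "openshift-storage",
                         "labels": {"app": "noobaa"}},
            "spec": {
                "host": "s3-openshift-storage.apps.serenity.k8s.local",
                "port": {"targetPort": "s3-https"},
                "tls": {"insecureEdgeTerminationPolicy": "None",
                        "termination": "reencrypt"},
                "to": {"kind": "Service", "name": "s3", "weight": 100},
                "wildcardPolicy": "None",
            },
        },
        {
            "metadata": {"name": "legacy-http", "namespace": "demo"},
            "spec": {"to": {"kind": "Service", "name": "web", "weight": 100}},
        },
    ],
})


def sample_routes():
    """The constructed Route objects above, parsed into dicts."""
    return json.loads(SAMPLE_ROUTE_LIST)["items"]


def route_id(route):
    meta = route.get("metadata", {})
    return f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"


def route_finding(route):
    """Return None when the Route is compliant, otherwise the reason it is not."""
    tls = route.get("spec", {}).get("tls")
    if not tls:
        # Assumption (not part of the rule quoted in the bug): a Route without a
        # tls stanza serves plaintext HTTP only, so it is reported as well.
        return "no tls stanza: Route serves plaintext HTTP only"
    # An omitted or empty policy disables insecure traffic (the OpenShift default).
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if policy not in COMPLIANT_POLICIES:
        return (f"insecureEdgeTerminationPolicy is {policy!r}; "
                f"expected one of {sorted(COMPLIANT_POLICIES)}")
    return None


def scan_routes(route_list_json):
    """Map namespace/name -> reason for every non-compliant Route in a RouteList."""
    findings = {}
    for route in json.loads(route_list_json).get("items", []):
        reason = route_finding(route)
        if reason:
            findings[route_id(route)] = reason
    return findings


def deny_http(route):
    """Return a copy of a TLS Route with insecure HTTP disabled: the Allow -> None
    change that denyHTTP makes on the noobaa-created Route. A Route without a tls
    stanza is returned unchanged, because choosing a termination type for it is a
    deployment decision this helper cannot make."""
    fixed = copy.deepcopy(route)
    tls = fixed.get("spec", {}).get("tls")
    if tls:
        tls["insecureEdgeTerminationPolicy"] = "None"
    return fixed


if __name__ == "__main__":
    for ident, reason in scan_routes(SAMPLE_ROUTE_LIST).items():
        print(f"NON-COMPLIANT {ident}: {reason}")
    s3 = sample_routes()[0]
    print("s3 after deny_http:", route_finding(deny_http(s3)))
```

Against a live cluster the same `scan_routes` function can be fed the output of `oc get routes -A -o json`; the original Route is left untouched by `deny_http`, which returns a modified copy, so a scan before and after the change can be compared side by side.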

Comment 5 Sunil Kumar Acharya 2024-06-06 07:34:46 UTC
Please update the RDT flag/text appropriately.

Comment 8 errata-xmlrpc 2024-07-17 13:24:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.16.0 security, enhancement & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:4591

