Skip to content

[release-4.15] OCPBUGS-28928: Prevent upgrades for SHA1 default cert and SHA1 route certs #1014

Merged
openshift-merge-bot[bot] merged 5 commits intoopenshift:release-4.15from
gcs278:OCPBUGS-26498
Jun 12, 2024
Merged

[release-4.15] OCPBUGS-28928: Prevent upgrades for SHA1 default cert and SHA1 route certs #1014
openshift-merge-bot[bot] merged 5 commits intoopenshift:release-4.15from
gcs278:OCPBUGS-26498

Conversation

@gcs278
Copy link
Contributor

@gcs278 gcs278 commented Jan 8, 2024
edited
Loading

Note: This is NOT a backport or cherry-pick of any commits, but instead a discrete PR targeting 4.15.

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False.

Secondly, add a new control loop, route deprecated, that determines upgradeablity by searching for the UnservableInFutureVersions condition in the routes. The UnservableInFutureVersions will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if a UnservableInFutureVersions condition is found. This logic assumes any UnservableInFutureVersions route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so it is only targeting the release-4.15 branch and we will be merged in the backport of https://issues.redhat.com/browse/OCPBUGS-26498. The code should not be merged into 4.16.

This PR leveraged logic from openshift/vmware-vsphere-csi-driver-operator#171.

This PR depends on openshift/router#585 for E2E test to succeed.

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jan 8, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 8, 2024

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

If the default certificate is using SHA1, then set Upgradeable to be False. With OpenSSL3.0 provided by RHEL9, the router will fail to start if any cert provided is SHA1.

This commit also removes the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

pkg/operator/controller/ingress/status.go: Refactor checkDefaultCertificate to check for SHA1-based certs.
pkg/operator/controller/ingress/status_test.go: Add test coverage to Test_computeIngressUpgradeableCondition for SHA1-based certs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 8, 2024
@openshift-ci openshift-ci bot requested review from candita and rfredette January 8, 2024 21:17
@gcs278 gcs278 changed the title OCPBUGS-26498: Set Upgradeable=False if default cert uses SHA1 [WIP] OCPBUGS-26498: Set Upgradeable=False if default cert uses SHA1 Jan 8, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 8, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 18, 2024
@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jan 26, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 26, 2024

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

Details

In response to this:

If the default certificate is using SHA1, then set Upgradeable to be False. With OpenSSL3.0 provided by RHEL9, the router will fail to start if any cert provided is SHA1.

This commit also removes the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

pkg/operator/controller/ingress/status.go: Refactor checkDefaultCertificate to check for SHA1-based certs.
pkg/operator/controller/ingress/status_test.go: Add test coverage to Test_computeIngressUpgradeableCondition for SHA1-based certs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 26, 2024
@openshift-ci openshift-ci bot requested a review from ShudiLi January 26, 2024 21:53
@gcs278 gcs278 force-pushed the OCPBUGS-26498 branch 2 times, most recently from 4ea39b1 to a565640 Compare January 30, 2024 16:46
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 30, 2024
@gcs278 gcs278 mentioned this pull request Jan 30, 2024
Merged
@gcs278 gcs278 changed the title [WIP] OCPBUGS-26498: Set Upgradeable=False if default cert uses SHA1 [WIP] OCPBUGS-26498: Prevent upgrades for SHA1 default cert and SHA1 route certs Jan 30, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 30, 2024

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False. Also remove the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

Secondly, add a new control loop, route deprecated, that determines upgradeablity by searching for the Deprecated condition in the routes. The Deprecated will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if a Deprecated condition is found. This logic assumes any Deprecated route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so will need to be backported to 4.15 to be useful. It can later be removed in 4.16+ as it will be no longer needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Miciah
Miciah reviewed Jan 30, 2024
View reviewed changes
Miciah
Miciah reviewed Jan 30, 2024
View reviewed changes
Miciah
Miciah reviewed Jan 30, 2024
View reviewed changes
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 30, 2024
@gcs278 gcs278 changed the base branch from master to release-4.15 January 30, 2024 21:45
@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 30, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 30, 2024

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is invalid:

  • expected the bug to target either version "4.15." or "openshift-4.15.", but it targets "4.16.0" instead
  • expected Jira Issue OCPBUGS-26498 to depend on a bug targeting a version in 4.16.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False. Also remove the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

Secondly, add a new control loop, route deprecated, that determines upgradeablity by searching for the Deprecated condition in the routes. The Deprecated will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if a Deprecated condition is found. This logic assumes any Deprecated route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so will need to be backported to 4.15 to be useful. It can later be removed in 4.16+ as it will be no longer needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278 gcs278 changed the title [WIP] OCPBUGS-26498: Prevent upgrades for SHA1 default cert and SHA1 route certs [WIP] OCPBUGS-TBD: Prevent upgrades for SHA1 default cert and SHA1 route certs Jan 30, 2024
@gcs278
Add SignatureAlgorithm argument to generateCertificate
3797141 
Add a SignatureAlgorithm argument the generateCertificate E2E
helper function so that we can support generating certificates
with incompatible SHA-1 algorithms in future E2E tests.
Miciah
Miciah reviewed Jun 11, 2024
View reviewed changes
@gcs278
Add route upgradeable control loop for SHA-1 certs
6778ce1 
The route upgradeable control loop determines upgradeablity by searching
for the UnservableInFutureVersions condition in the routes. It creates an
admin-gate if the condition is found. This implemenentation targets 4.15
upgrades to 4.16 specifically and assumes any UnservableInFutureVersions
route status is an upgrade blocker.

Add E2E test to validate the functionality of the admin-gate as well as
validating that the router adds the UnservableInFutureVersions condition
for routes with SHA-1 certificates.
@Miciah
Copy link
Contributor

Miciah commented Jun 11, 2024

Thanks for the quick updates!
/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 11, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 11, 2024
@Miciah
Copy link
Contributor

Miciah commented Jun 11, 2024

This is fairly low risk. The changes are scoped to a small refactoring in the route-metrics controller, a new route-upgradeable controller, and a new upgradeability check, all of which have good test coverage.

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jun 11, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 11, 2024

/retest-required

Remaining retests: 0 against base HEAD 37f7c42 and 2 for PR HEAD 6778ce1 in total

@wking
Copy link
Member

wking commented Jun 11, 2024

Flake?

=== NAME  TestAll/parallel/TestIngressControllerRouteSelectorUpdateShouldClearRouteStatus
    panic.go:522: deleted ingresscontroller ic-route-selector-test

/test e2e-azure-operator

@openshift-ci-robot openshift-ci-robot mentioned this pull request Jun 12, 2024
Merged
@gcs278
Copy link
Contributor Author

gcs278 commented Jun 12, 2024

@wking Yea it's caused by quite a simple problem and not related to this PR:

    router_status_test.go:134: failed to update ingresscontroller: Operation cannot be fulfilled on ingresscontrollers.operator.openshift.io "ic-route-selector-test": the object has been modified; please apply your changes to the latest version and try again

I'll make a bug eventually so NE can track this flake.

@ShudiLi
Copy link
Member

ShudiLi commented Jun 12, 2024

/label qe-approved
tested it with 4.15.0-0.ci.test-2024-06-12-014748-ci-ln-hmf17h2-latest(the upgrade test will be done after the PRs are merged)

1.
% oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.15.0-0.ci.test-2024-06-12-014748-ci-ln-hmf17h2-latest   True        False         18m     Cluster version is 4.15.0-0.ci.test-2024-06-12-014748-ci-ln-hmf17h2-latest

2.
% oc -n openshift-ingress-operator -c ingress-operator rsync ingress-operator-c89797b65-7kqqc:/usr/bin/ingress-operator .
receiving file list ... done
ingress-operator

sent 38 bytes  received 95493821 bytes  7639508.72 bytes/sec
total size is 95470416  speedup is 1.00

3.
% go version -m ingress-operator | grep github.com/openshift/api 
	dep	github.com/openshift/api	v3.9.1-0.20190924102528-32369d4db2ad+incompatible
	=>	github.com/openshift/api	v0.0.0-20240522145529-93d6bda14341

@ShudiLi
Copy link
Member

ShudiLi commented Jun 12, 2024

/test e2e-gcp-operator

@ShudiLi
Copy link
Member

ShudiLi commented Jun 12, 2024

/label cherry-pick-approved

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 12, 2024

@gcs278: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit a0ac804 into openshift:release-4.15 Jun 12, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 12, 2024

@gcs278: Jira Issue OCPBUGS-28928: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-28928 has been moved to the MODIFIED state.

Details

In response to this:

Note: This is NOT a backport or cherry-pick of any commits, but instead a discrete PR targeting 4.15.

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False.

Secondly, add a new control loop, route deprecated, that determines upgradeablity by searching for the UnservableInFutureVersions condition in the routes. The UnservableInFutureVersions will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if a UnservableInFutureVersions condition is found. This logic assumes any UnservableInFutureVersions route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so it is only targeting the release-4.15 branch and we will be merged in the backport of https://issues.redhat.com/browse/OCPBUGS-26498. The code should not be merged into 4.16.

This PR leveraged logic from openshift/vmware-vsphere-csi-driver-operator#171.

This PR depends on openshift/router#585 for E2E test to succeed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-bot
Copy link
Contributor

openshift-bot commented Jun 12, 2024

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-cluster-ingress-operator-container-v4.15.0-202406120537.p0.ga0ac804.assembly.stream.el9 for distgit ose-cluster-ingress-operator.
All builds following this will include this PR.

@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Jun 13, 2024

Fix included in accepted release 4.15.0-0.nightly-2024-06-12-223752

@gcs278 gcs278 mentioned this pull request Jul 16, 2024
Merged
@gcs278 gcs278 mentioned this pull request Jul 26, 2024
Merged
@Miciah Miciah mentioned this pull request Jan 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Miciah Miciah Miciah left review comments

@frobware frobware frobware requested changes

@candita candita Awaiting requested review from candita

@rfredette rfredette Awaiting requested review from rfredette

@ShudiLi ShudiLi Awaiting requested review from ShudiLi

+1 more reviewer

@wking wking wking left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@frobware frobware

@Miciah Miciah

@lihongan lihongan

@melvinjoseph86 melvinjoseph86

@ShudiLi ShudiLi

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.