OCPBUGS-24226: setting TLSSecurityProfile with no minTLSVersion crashes controller

[dobsonj]

bump library-go to get the fix in commit 4a819e39ef45daa1f9a800434082f93e0b4b227a

[openshift-ci-robot]

@dobsonj: This pull request references Jira Issue OCPBUGS-24226, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (wduan@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

bump library-go to get the fix in commit 4a819e39ef45daa1f9a800434082f93e0b4b227a

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dobsonj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dobsonj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@dobsonj: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azurestack-csi	3c05824	link	false	/test e2e-azurestack-csi

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[duanwei33]

Tested with open PR, it works when setting cipherSuites without minTLSVersion

$ oc edit apiserver cluster
spec:
  audit:
    profile: Default   
  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES128-GCM-SHA256
    type: Custom

1. TLS profile in cm/config:

$ oc -n openshift-apiserver get cm config -o jsonpath="{.data.config\.yaml}" | jq .servingInfo
{
  "bindNetwork": "tcp",
  "cipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  ]
}

2. TLS profile in clustercsidriver

$ oc get clustercsidriver -o json disk.csi.azure.com | jq .spec.observedConfig.targetcsiconfig.servingInfo
{
  "cipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  ],
  "minTLSVersion": ""
}

3. TLS profile in csi driver controller:

$ oc -n openshift-cluster-csi-drivers get deployment azure-disk-csi-driver-controller -o json | jq .spec.template.spec.containers[] | jq 'select(.name | match(".*kube-rbac-proxy.*")) | {container: .name, arg: .args}'
{
  "container": "driver-kube-rbac-proxy",
  "arg": [
    "--secure-listen-address=0.0.0.0:9201",
    "--upstream=http://127.0.0.1:8201/",
    "--tls-cert-file=/etc/tls/private/tls.crt",
    "--tls-private-key-file=/etc/tls/private/tls.key",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "--tls-min-version=VersionTLS12",
    "--logtostderr=true"
  ]
}
{
  "container": "provisioner-kube-rbac-proxy",
  "arg": [
    "--secure-listen-address=0.0.0.0:9202",
    "--upstream=http://127.0.0.1:8202/",
    "--tls-cert-file=/etc/tls/private/tls.crt",
    "--tls-private-key-file=/etc/tls/private/tls.key",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "--tls-min-version=VersionTLS12",
    "--logtostderr=true"
  ]
}
{
  "container": "attacher-kube-rbac-proxy",
  "arg": [
    "--secure-listen-address=0.0.0.0:9203",
    "--upstream=http://127.0.0.1:8203/",
    "--tls-cert-file=/etc/tls/private/tls.crt",
    "--tls-private-key-file=/etc/tls/private/tls.key",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "--tls-min-version=VersionTLS12",
    "--logtostderr=true"
  ]
}
{
  "container": "resizer-kube-rbac-proxy",
  "arg": [
    "--secure-listen-address=0.0.0.0:9204",
    "--upstream=http://127.0.0.1:8204/",
    "--tls-cert-file=/etc/tls/private/tls.crt",
    "--tls-private-key-file=/etc/tls/private/tls.key",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "--tls-min-version=VersionTLS12",
    "--logtostderr=true"
  ]
}
{
  "container": "snapshotter-kube-rbac-proxy",
  "arg": [
    "--secure-listen-address=0.0.0.0:9205",
    "--upstream=http://127.0.0.1:8205/",
    "--tls-cert-file=/etc/tls/private/tls.crt",
    "--tls-private-key-file=/etc/tls/private/tls.key",
    "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "--tls-min-version=VersionTLS12",
    "--logtostderr=true"
  ]
}

4. TLS profile is used in container:

The container driver-kube-rbac-proxy in pod azure-disk-csi-driver-controller-fc7fdcc85-lzqw2:
nobody         1       0  0 07:12 ?        00:00:00 /usr/bin/kube-rbac-proxy --secure-listen-address=0.0.0.0:9201 --upstream=http://127.0.0.1:8201/ --tls-cert-file=/etc/tls/private/tls.crt --tls-private-key-file=/etc/tls/private/tls.key --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --tls-min-version=VersionTLS12 --logtostderr=true
-------------------------------------------
The container provisioner-kube-rbac-proxy in pod azure-disk-csi-driver-controller-fc7fdcc85-lzqw2:
nobody         1       0  0 07:12 ?        00:00:00 /usr/bin/kube-rbac-proxy --secure-listen-address=0.0.0.0:9202 --upstream=http://127.0.0.1:8202/ --tls-cert-file=/etc/tls/private/tls.crt --tls-private-key-file=/etc/tls/private/tls.key --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --tls-min-version=VersionTLS12 --logtostderr=true
-------------------------------------------
The container attacher-kube-rbac-proxy in pod azure-disk-csi-driver-controller-fc7fdcc85-lzqw2:
nobody         1       0  0 07:12 ?        00:00:00 /usr/bin/kube-rbac-proxy --secure-listen-address=0.0.0.0:9203 --upstream=http://127.0.0.1:8203/ --tls-cert-file=/etc/tls/private/tls.crt --tls-private-key-file=/etc/tls/private/tls.key --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --tls-min-version=VersionTLS12 --logtostderr=true
-------------------------------------------
The container resizer-kube-rbac-proxy in pod azure-disk-csi-driver-controller-fc7fdcc85-lzqw2:
nobody         1       0  0 07:12 ?        00:00:00 /usr/bin/kube-rbac-proxy --secure-listen-address=0.0.0.0:9204 --upstream=http://127.0.0.1:8204/ --tls-cert-file=/etc/tls/private/tls.crt --tls-private-key-file=/etc/tls/private/tls.key --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --tls-min-version=VersionTLS12 --logtostderr=true
-------------------------------------------
The container snapshotter-kube-rbac-proxy in pod azure-disk-csi-driver-controller-fc7fdcc85-lzqw2:
nobody         1       0  0 07:12 ?        00:00:00 /usr/bin/kube-rbac-proxy --secure-listen-address=0.0.0.0:9205 --upstream=http://127.0.0.1:8205/ --tls-cert-file=/etc/tls/private/tls.crt --tls-private-key-file=/etc/tls/private/tls.key --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 --tls-min-version=VersionTLS12 --logtostderr=true

---

[duanwei33]

/label qe-approved

[RomanBednar]

/lgtm

[openshift-ci-robot]

@dobsonj: Jira Issue OCPBUGS-24226: Some pull requests linked via external trackers have merged:

• openshift/library-go#1636

The following pull requests linked via external trackers have not merged:

• openshift/csi-operator#76 is open

These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-24226 has not been moved to the MODIFIED state.

In response to this:

bump library-go to get the fix in commit 4a819e39ef45daa1f9a800434082f93e0b4b227a

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build ose-azure-disk-csi-driver-operator-container-v4.16.0-202312141250.p0.g0589ccf.assembly.stream for distgit ose-azure-disk-csi-driver-operator.
All builds following this will include this PR.