Bug 1974477: Disable insecure global id if no insecure clients #259

Merged

@travisn travisn commented Jun 21, 2021

Description of your changes:
In the latest Ceph releases starting with v16.2.1, all clients are recommended to be updated so they will have a security fix to connect with a secure global ID. A health warning will be raised if any insecure clients are connected and another health warning is raised if insecure clients are still allowed. Rook will now disable allowing the insecure clients if the health warning is not being raised to indicate that there are insecure clients still connected. This means that upgraded clusters will not have this disabled until all the daemons are updated.

Which issue is resolved by this Pull Request:
Resolves #https://bugzilla.redhat.com/show_bug.cgi?id=1974477

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: Add the flag for skipping the build if this is only a documentation change. See here for the flag.
  • Skip Unrelated Tests: Add a flag to run tests for a specific storage provider. See test options.
  • Reviewed the developer guide on Submitting a Pull Request
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.
  • Pending release notes updated with breaking and/or notable changes, if necessary.
  • Upgrade from previous release is tested and upgrade user guide is updated, if necessary.
  • Code generation (make codegen) has been run to update object specifications, if necessary.

In the latest Ceph releases starting with v16.2.1, all clients are recommended
to be updated so they will have a security fix to connect with a secure
global ID. A health warning will be raised if any insecure clients are connected
and another health warning is raised if insecure clients are still allowed.
Rook will now disable allowing the insecure clients if the health warning
is not being raised to indicate that there are insecure clients still connected.
This means that upgraded clusters will not have this disabled until all the
daemons are updated.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
(cherry picked from commit b1f4411)
(cherry picked from commit 6f56a09)
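
The decision described above, as an added Go example (not Rook's code from this pull request): insecure global_id reclaim is turned off only when the health report does not carry the insecure-clients warning. The check code and config command are upstream Ceph names; the function name, the JSON field layout and the sample reports are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Upstream Ceph names: the check raised while insecure clients are connected, and the disabling command.
const (
	insecureClientsCheck = "AUTH_INSECURE_GLOBAL_ID_RECLAIM"
	disableCmd           = "ceph config set mon auth_allow_insecure_global_id_reclaim false"
)

// healthReport keeps only the field this example reads from
// `ceph health --format json` (layout assumed for the example).
type healthReport struct {
	Checks map[string]json.RawMessage `json:"checks"`
}

// shouldDisableReclaim reports whether insecure reclaim can be turned off: the report
// must parse, have a checks section, and not carry the insecure-clients warning.
func shouldDisableReclaim(raw []byte) (bool, error) {
	var h healthReport
	if err := json.Unmarshal(raw, &h); err != nil {
		return false, fmt.Errorf("parsing health report: %w", err)
	}
	if h.Checks == nil {
		// Not a health report: acting on it could cut off clients that are not yet upgraded.
		return false, errors.New("health report has no checks section")
	}
	_, insecure := h.Checks[insecureClientsCheck]
	return !insecure, nil
}

// Constructed sample reports, not captured from a real cluster.
var (
	midUpgrade = []byte(`{"status":"HEALTH_WARN","checks":{
		"AUTH_INSECURE_GLOBAL_ID_RECLAIM":{"severity":"HEALTH_WARN"},
		"AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED":{"severity":"HEALTH_WARN"}}}`)
	allUpgraded = []byte(`{"status":"HEALTH_WARN","checks":{
		"AUTH_INSECURE_GLOBAL_ID_RECLAIM_ALLOWED":{"severity":"HEALTH_WARN"}}}`)
)

func main() {
	ok, err := shouldDisableReclaim(allUpgraded)
	fmt.Println(ok, err, disableCmd)
}
```

A report that fails to parse or lacks a checks section returns an error and leaves the setting untouched, so a failed health query never disconnects clients mid-upgrade.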

openshift-ci bot commented Jun 21, 2021

@travisn: This pull request references Bugzilla bug 1974477, which is invalid:

  • expected the bug to target the "4.7.z" release, but it targets "OCS 4.8.0" instead
  • expected dependent Bugzilla bug 1970348 to target a release in 4.8.0, but it targets "OCS 4.8.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1974477: Disable insecure global id if no insecure clients

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Jun 21, 2021

openshift-ci bot commented Jun 21, 2021

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: travisn

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@travisn travisn added the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label Jun 21, 2021

travisn commented Jun 21, 2021

Waiting for BZ approval...

@leseb leseb marked this pull request as draft June 22, 2021 07:08
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 22, 2021

leseb commented Jun 22, 2021

> Waiting for BZ approval...

Converted to draft based on that.

@agarwal-mudit
Member

/bugzilla refresh


openshift-ci bot commented Jun 22, 2021

@agarwal-mudit: This pull request references Bugzilla bug 1974477, which is invalid:

  • expected the bug to target the "4.7.z" release, but it targets "OCS 4.7.2" instead
  • expected dependent Bugzilla bug 1970348 to target a release in 4.8.0, but it targets "OCS 4.8.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

@agarwal-mudit
Member

BZ is approved now

@leseb leseb marked this pull request as ready for review June 22, 2021 07:44
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 22, 2021

leseb commented Jun 22, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 22, 2021

obnoxxx commented Jun 22, 2021

@leseb - I think this needs the approved label to merge. Is anything pending?


leseb commented Jun 22, 2021

> @leseb - I think this needs the approved label to merge. Is anything pending?

No I was just waiting for the CI :)

@leseb leseb merged commit ef211b1 into red-hat-storage:release-4.7 Jun 22, 2021

openshift-ci bot commented Jun 22, 2021

@travisn: All pull requests linked via external trackers have merged:

Bugzilla bug 1974477 has been moved to the MODIFIED state.

In response to this:

Bug 1974477: Disable insecure global id if no insecure clients

obnoxxx commented Jun 22, 2021

> > @leseb - I think this needs the approved label to merge. Is anything pending?
>
> No I was just waiting for the CI :)

Ah! 👍

@travisn travisn deleted the backport-4.7-insecure-globalid branch July 28, 2021 04:52