
OCPBUGS-28928: Prevent upgrades for SHA1 default cert and SHA1 route certs #1014

Open
wants to merge 3 commits into
base: release-4.15
Choose a base branch
from

Conversation


@gcs278 gcs278 commented Jan 8, 2024

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False.

Secondly, add a new control loop, route deprecated, that determines upgradeability by searching for the UnservableInFutureVersions condition in the routes. The UnservableInFutureVersions will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if an UnservableInFutureVersions condition is found. This logic assumes any UnservableInFutureVersions route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so it is only targeting the release-4.15 branch and it will be merged in the backport of https://issues.redhat.com/browse/OCPBUGS-26498. The code should not be merged into 4.16.
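The default-certificate half of this PR, as an added illustration (not the operator's own code): a simplified check that flags a SHA-1 signed certificate the way the 4.15 operator does before it sets Upgradeable=False, alongside the existing CN-without-SAN rule. The function names, the constructed `apps.example.com` domain and the self-signed test certificates are assumptions for the example; the real operator's wildcard handling is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isSHA1Signed reports whether the certificate carries a SHA-1 based signature,
// which OpenSSL 3.0 on RHEL 9 refuses, so a 4.15 cluster must not update to 4.16.
func isSHA1Signed(cert *x509.Certificate) bool {
	a := cert.SignatureAlgorithm
	return a == x509.SHA1WithRSA || a == x509.DSAWithSHA1 || a == x509.ECDSAWithSHA1
}

// checkDefaultCertificate is a simplified stand-in for the operator's check: it rejects
// SHA-1 signatures and a legacy CN-only certificate with no SAN for the domain (exact match).
func checkDefaultCertificate(cert *x509.Certificate, domain string) error {
	if isSHA1Signed(cert) {
		return fmt.Errorf("weak signature algorithm %s for domain %s", cert.SignatureAlgorithm, domain)
	}
	foundSAN := false
	for _, name := range cert.DNSNames {
		foundSAN = foundSAN || name == domain
	}
	if cert.Subject.CommonName == domain && !foundSAN {
		return fmt.Errorf("legacy CN but no SAN for domain %s", domain)
	}
	return nil
}

// selfSignedCert builds a self-signed P-256 certificate with the requested signature
// algorithm; constructed test data, with ECDSAWithSHA1 reproducing the weak case.
func selfSignedCert(alg x509.SignatureAlgorithm, cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	const domain = "apps.example.com" // constructed ingress domain
	for _, alg := range []x509.SignatureAlgorithm{x509.ECDSAWithSHA1, x509.ECDSAWithSHA256} {
		cert, err := selfSignedCert(alg, domain, []string{domain})
		if err != nil { panic(err) }
		fmt.Printf("%s: Upgradeable=%v err=%v\n", alg, checkDefaultCertificate(cert, domain) == nil, checkDefaultCertificate(cert, domain))
	}
}
```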

@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jan 8, 2024
@openshift-ci-robot
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

If the default certificate is using SHA1, then set Upgradeable to be False. With OpenSSL3.0 provided by RHEL9, the router will fail to start if any cert provided is SHA1.

This commit also removes the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

pkg/operator/controller/ingress/status.go: Refactor checkDefaultCertificate to check for SHA1-based certs.
pkg/operator/controller/ingress/status_test.go: Add test coverage to Test_computeIngressUpgradeableCondition for SHA1-based certs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 8, 2024
@gcs278 gcs278 changed the title OCPBUGS-26498: Set Upgradeable=False if default cert uses SHA1 [WIP] OCPBUGS-26498: Set Upgradeable=False if default cert uses SHA1 Jan 8, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 8, 2024
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 18, 2024
@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jan 26, 2024
@openshift-ci-robot
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

In response to this:

If the default certificate is using SHA1, then set Upgradeable to be False. With OpenSSL3.0 provided by RHEL9, the router will fail to start if any cert provided is SHA1.

This commit also removes the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

pkg/operator/controller/ingress/status.go: Refactor checkDefaultCertificate to check for SHA1-based certs.
pkg/operator/controller/ingress/status_test.go: Add test coverage to Test_computeIngressUpgradeableCondition for SHA1-based certs.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jan 26, 2024
@openshift-ci openshift-ci bot requested a review from ShudiLi January 26, 2024 21:53
@gcs278 gcs278 force-pushed the OCPBUGS-26498 branch 2 times, most recently from 4ea39b1 to a565640 Compare January 30, 2024 16:46
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 30, 2024
@gcs278 gcs278 changed the title [WIP] OCPBUGS-26498: Set Upgradeable=False if default cert uses SHA1 [WIP] OCPBUGS-26498: Prevent upgrades for SHA1 default cert and SHA1 route certs Jan 30, 2024
@openshift-ci-robot
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.16.0) matches configured target version for branch (4.16.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False. Also remove the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

Secondly, add a new control loop, route deprecated, that determines upgradeability by searching for the Deprecated condition in the routes. The Deprecated will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if a Deprecated condition is found. This logic assumes any Deprecated route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so it will need to be backported to 4.15 to be useful. It can later be removed in 4.16+ as it will no longer be needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 30, 2024
@gcs278 gcs278 changed the base branch from master to release-4.15 January 30, 2024 21:45
@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 30, 2024
@openshift-ci-robot
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-26498, which is invalid:

  • expected the bug to target either version "4.15." or "openshift-4.15.", but it targets "4.16.0" instead
  • expected Jira Issue OCPBUGS-26498 to depend on a bug targeting a version in 4.16.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False. Also remove the logic for setting Upgradeable to be False if the default cert has no SAN. This logic is unnecessary as of OCP 4.10.

Secondly, add a new control loop, route deprecated, that determines upgradeability by searching for the Deprecated condition in the routes. The Deprecated will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if a Deprecated condition is found. This logic assumes any Deprecated route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so it will need to be backported to 4.15 to be useful. It can later be removed in 4.16+ as it will no longer be needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@gcs278 gcs278 changed the title [WIP] OCPBUGS-26498: Prevent upgrades for SHA1 default cert and SHA1 route certs [WIP] OCPBUGS-TBD: Prevent upgrades for SHA1 default cert and SHA1 route certs Jan 30, 2024
if cert.Subject.CommonName == domain && !foundSAN {
return fmt.Errorf("certificate in secret %s/%s has legacy Common Name (CN) but has no Subject Alternative Name (SAN) for domain: %s", secret.Namespace, secret.Name, domain)
if cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.ECDSAWithSHA1 {
return fmt.Errorf("certificate in secret %s/%s has weak SHA1 signature algorithm: %s", secret.Namespace, secret.Name, domain)
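Review bot: the new SHA1 error message fills the `%s` after "signature algorithm:" with `domain`, so the returned error reads as if the domain were the algorithm name; either format `cert.SignatureAlgorithm` there, or reword the message to "has weak SHA1 signature algorithm for domain: %s" so the trailing `domain` argument makes sense to whoever reads the Upgradeable=False condition.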
Member


Contributor Author


Worth a link out to https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html#ocp-4-16-networking ?

Sure, added.

And possibly extending that section to fix "HaProxy" -> "HAProxy" and link https://docs.openshift.com/container-platform/4.16/networking/routes/secured-routes.html ?

Yeah, seems like a reasonable update; let me follow up with docs to see if they are interested.

@gcs278
Contributor Author

gcs278 commented May 3, 2024

/retest-required

@ShudiLi
Member

ShudiLi commented May 15, 2024

/jira refresh

@openshift-ci-robot
Contributor

@ShudiLi: This pull request references Jira Issue OCPBUGS-28928, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required"
  • expected dependent Jira Issue OCPBUGS-26498 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

foundSAN = true
}
}
if cert.Subject.CommonName == domain && !foundSAN {
Contributor Author


Removing this SAN upgrade logic seems problematic as we are backporting this in 4.15, so then 4.15 will not have this logic, but 4.16+ will have it.

I think the logic needs to be removed in the master branch instead of removed in a backport like this. The 4.16 bug https://issues.redhat.com/browse/OCPBUGS-26498 is already ON_QA and we've branched to 4.17, so it's probably too late to merge this in master and try to backport it.

I think I should just handle this later when appropriate, keep this backport as "additive" only.

Contributor Author


Updated to not remove the SAN logic.

If the default certificate is using SHA1, then set Upgradeable to be
False. With OpenSSL3.0 provided by RHEL9, the router will fail to start
if any cert provided is SHA1.
@openshift-ci-robot
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-28928, which is invalid:

  • expected dependent Jira Issue OCPBUGS-26498 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False.

Secondly, add a new control loop, route deprecated, that determines upgradeability by searching for the UnservableInFutureVersions condition in the routes. The UnservableInFutureVersions will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if an UnservableInFutureVersions condition is found. This logic assumes any UnservableInFutureVersions route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so it is only targeting the release-4.15 branch and it will be merged in the backport of https://issues.redhat.com/browse/OCPBUGS-26498. The code should not be merged into 4.16.

WIP because the API change (openshift/api#1722) needs to get merged and backported to 4.15.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Bump openshift/api to get new route UnservableInFutureVersions
status condition type.

  go mod edit -replace=github.com/openshift/api=github.com/openshift/api@93d6bda14341f1d18319774367829c3278c171e7
  go mod tidy
  go mod vendor
The route upgradeable control loop determines upgradeability by searching
for the UnservableInFutureVersions condition in the routes. It creates an
admin-gate if the condition is found. This implementation targets 4.15
upgrades to 4.16 specifically and assumes any UnservableInFutureVersions
route status is an upgrade blocker.

Add E2E test to validate the functionality of the admin-gate as well as
validating that the router adds the UnservableInFutureVersions condition
for routes with SHA1 certificates.
@gcs278 gcs278 changed the title [WIP] OCPBUGS-28928: Prevent upgrades for SHA1 default cert and SHA1 route certs OCPBUGS-28928: Prevent upgrades for SHA1 default cert and SHA1 route certs May 22, 2024
@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label May 22, 2024
@openshift-ci-robot
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-28928, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.15.z) matches configured target version for branch (4.15.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-26498 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-26498 targets the "4.16.0" version, which is one of the valid target versions: 4.16.0
  • bug has dependents

Requesting review from QA contact:
/cc @ShudiLi

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This PR handles SHA1 certificate upgradeable scenarios for 4.15. With OpenSSL3.0 provided by RHEL9 in 4.16, the router will fail to start if any cert provided is SHA1.

First, if the default certificate on the Ingress Controller object is using SHA1, then set Upgradeable to be False.

Secondly, add a new control loop, route deprecated, that determines upgradeability by searching for the UnservableInFutureVersions condition in the routes. The UnservableInFutureVersions will be added to the route by openshift/router#555 when a SHA1 certificate exists on the route. It creates an admin-gate if an UnservableInFutureVersions condition is found. This logic assumes any UnservableInFutureVersions route status condition is an upgrade blocker.

This implementation targets 4.15 to 4.16 updates specifically, so it is only targeting the release-4.15 branch and it will be merged in the backport of https://issues.redhat.com/browse/OCPBUGS-26498. The code should not be merged into 4.16.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 22, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 22, 2024
Contributor

openshift-ci bot commented May 22, 2024

@gcs278: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                   Commit   Details  Required  Rerun command
ci/prow/e2e-azure-ovn       1b2ff90  link     false     /test e2e-azure-ovn
ci/prow/e2e-aws-operator    1b2ff90  link     true      /test e2e-aws-operator
ci/prow/e2e-gcp-ovn         1b2ff90  link     false     /test e2e-gcp-ovn
ci/prow/e2e-azure-operator  1b2ff90  link     true      /test e2e-azure-operator
ci/prow/e2e-gcp-operator    1b2ff90  link     true      /test e2e-gcp-operator
ci/prow/e2e-aws-ovn-serial  1b2ff90  link     true      /test e2e-aws-ovn-serial

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
