-
Notifications
You must be signed in to change notification settings - Fork 149
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Propagate TLSSecurityProfile to Kubevirt #2089
Conversation
this temporanearly relies on untagged Kubevirt from main while we wait for v0.58.0, |
Pull Request Test Coverage Report for Build 3180091894
💛 - Coveralls |
c9d4660
to
aa0745e
Compare
/rebase |
aa0745e
to
a457355
Compare
/retest |
2 similar comments
/retest |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I know this is temporary, but in the meanwhile, I left two small comments. Thanks
a457355
to
2a45128
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @tiraboschi! Looks good overall. I have a doubt about how HCO handles wrong tls configurations. Thanks
} | ||
|
||
if profile.Custom != nil { | ||
profileCiphers = profile.Custom.TLSProfileSpec.Ciphers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a check that prevents to specify ciphers when using 1.3 as minTLSVersion
?
1.3 ciphers will be skipped by crypto.OpenSSLToIANACipherSuites(profileCiphers)
and this is ok;
but what happens if a user uses a wrong configuration? i.e. if I specify
minTLSVersion: VersionTLS13,
ciphers: <one compatible tls1.2 cipher>
this will result in a reject from kv webhook.
More in general, the question is: how hco handle wrong custom configurations?
Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HCO webhook is always going to try validating each change with all the components in dry-run mode, so each configuration change will be accepted only if all the components are going to accept it.
On the other side, if kv webhook will refuse the change, HCO webhook will refuse as a consequence.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the clear explanation. In the light of that, it seems to me that everything is great! How about adding a test for this? WDYT? Or is it already tested in another place? Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not on this specific failure from kw webhook, but in general the mechanism is already tested in validator_test.go,
see: should return error if dry-run update of KV CR returns error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds great! No other objection. Thanks
@tiraboschi Feel free to ping me for a |
Propagate TLSSecurityProfile to Kubevirt translating the configuration to its internal API. Add unit tests. Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
2a45128
to
5c8e893
Compare
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information |
/unhold |
hco-e2e-image-index-gcp lane succeeded. |
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
hco-e2e-kv-smoke-gcp lane succeeded. |
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-kv-smoke-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
hco-e2e-image-index-sno-azure lane succeeded. |
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-sno-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
hco-e2e-upgrade-index-sno-azure lane succeeded. |
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-sno-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/override-bot |
hco-e2e-upgrade-index-azure lane succeeded. |
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/override-bot |
/retest |
Thanks |
@tiraboschi: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tiraboschi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Propagate TLSSecurityProfile to Kubevirt
translating the configuration to its internal
API.
Add unit tests.
Reviewer Checklist
Release note: