Propagate TLSSecurityProfile to Kubevirt #2089
Conversation
kubevirt-bot
added
release-note
|
this temporanearly relies on untagged Kubevirt from main while we wait for v0.58.0, |
kubevirt-bot
added
the
do-not-merge/hold
Pull Request Test Coverage Report for Build 3180091894
💛 - Coveralls |
tiraboschi
force-pushed
the
virt_crypto_policy
branch
2 times, most recently
from
c9d4660
to
aa0745e
Compare
|
/rebase |
hco-bot
force-pushed
the
virt_crypto_policy
branch
from
aa0745e
to
a457355
Compare
|
/retest |
2 similar comments
|
/retest |
|
/retest |
tiraboschi
force-pushed
the
virt_crypto_policy
branch
from
a457355
to
2a45128
Compare
There was a problem hiding this comment.
Thanks @tiraboschi! Looks good overall. I have a doubt about how HCO handles wrong tls configurations. Thanks
| } | ||
|
|
||
| if profile.Custom != nil { | ||
| profileCiphers = profile.Custom.TLSProfileSpec.Ciphers |
There was a problem hiding this comment.
Is there a check that prevents to specify ciphers when using 1.3 as minTLSVersion?
1.3 ciphers will be skipped by crypto.OpenSSLToIANACipherSuites(profileCiphers) and this is ok;
but what happens if a user uses a wrong configuration? i.e. if I specify
minTLSVersion: VersionTLS13,
ciphers: <one compatible tls1.2 cipher>
this will result in a reject from kv webhook.
More in general, the question is: how hco handle wrong custom configurations?
Thanks
There was a problem hiding this comment.
HCO webhook is always going to try validating each change with all the components in dry-run mode, so each configuration change will be accepted only if all the components are going to accept it.
On the other side, if kv webhook will refuse the change, HCO webhook will refuse as a consequence.
There was a problem hiding this comment.
Thanks for the clear explanation. In the light of that, it seems to me that everything is great! How about adding a test for this? WDYT? Or is it already tested in another place? Thanks
There was a problem hiding this comment.
Not on this specific failure from kw webhook, but in general the mechanism is already tested in validator_test.go,
see: should return error if dry-run update of KV CR returns error
There was a problem hiding this comment.
Sounds great! No other objection. Thanks
|
@tiraboschi Feel free to ping me for a |
kubevirt-bot
added
the
needs-rebase
Propagate TLSSecurityProfile to Kubevirt translating the configuration to its internal API. Add unit tests. Signed-off-by: Simone Tiraboschi <stirabos@redhat.com>
tiraboschi
force-pushed
the
virt_crypto_policy
branch
from
2a45128
to
5c8e893
Compare
kubevirt-bot
added
size/L
and removed
needs-rebase
|
Kudos, SonarCloud Quality Gate passed!
|
|
/unhold |
kubevirt-bot
removed
the
do-not-merge/hold
|
hco-e2e-image-index-gcp lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest |
|
hco-e2e-kv-smoke-gcp lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-kv-smoke-azure In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
hco-e2e-image-index-sno-azure lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-sno-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
hco-e2e-upgrade-index-sno-azure lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-sno-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/override-bot |
|
hco-e2e-upgrade-index-azure lane succeeded. |
|
@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-aws In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/override-bot |
|
/retest |
|
Thanks |
|
@tiraboschi: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tiraboschi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
Propagate TLSSecurityProfile to Kubevirt
translating the configuration to its internal
API.
Add unit tests.
Reviewer Checklist
Release note: