kubevirt · kubevirt-bot · Aug 26, 2024 · Aug 21, 2024
diff --git a/controllers/hyperconverged/hyperconverged_controller_test.go b/controllers/hyperconverged/hyperconverged_controller_test.go
@@ -1195,7 +1195,7 @@ var _ = Describe("HyperconvergedController", func() {
 							cdi),
 					).To(Succeed())
 
-					Expect(cdi.Spec.Config.TLSSecurityProfile).To(Equal(initialTLSSecurityProfile))
+					Expect(cdi.Spec.Config.TLSSecurityProfile).To(Equal(openshift2CdiSecProfile(initialTLSSecurityProfile)))
 
 				})
 				By("Verify that CNA was properly configured with initialTLSSecurityProfile", func() {
@@ -1267,7 +1267,7 @@ var _ = Describe("HyperconvergedController", func() {
 							cdi),
 					).To(Succeed())
 
-					Expect(cdi.Spec.Config.TLSSecurityProfile).To(Equal(customTLSSecurityProfile))
+					Expect(cdi.Spec.Config.TLSSecurityProfile).To(Equal(openshift2CdiSecProfile(customTLSSecurityProfile)))
 
 				})
 				By("Verify that CNA was properly updated with customTLSSecurityProfile", func() {
@@ -3923,3 +3923,23 @@ func searchInRelatedObjects(relatedObjects []corev1.ObjectReference, kind, name
 	}
 	return false
 }
+
+func openshift2CdiSecProfile(hcProfile *openshiftconfigv1.TLSSecurityProfile) *cdiv1beta1.TLSSecurityProfile {
+	var custom *cdiv1beta1.CustomTLSProfile
+	if hcProfile.Custom != nil {
+		custom = &cdiv1beta1.CustomTLSProfile{
+			TLSProfileSpec: cdiv1beta1.TLSProfileSpec{
+				Ciphers:       hcProfile.Custom.TLSProfileSpec.Ciphers,
+				MinTLSVersion: cdiv1beta1.TLSProtocolVersion(hcProfile.Custom.TLSProfileSpec.MinTLSVersion),
+			},
+		}
+	}
+
+	return &cdiv1beta1.TLSSecurityProfile{
+		Type:         cdiv1beta1.TLSProfileType(hcProfile.Type),
+		Old:          (*cdiv1beta1.OldTLSProfile)(hcProfile.Old),
+		Intermediate: (*cdiv1beta1.IntermediateTLSProfile)(hcProfile.Intermediate),
+		Modern:       (*cdiv1beta1.ModernTLSProfile)(hcProfile.Modern),
+		Custom:       custom,
+	}
+}
diff --git a/controllers/operands/cdi.go b/controllers/operands/cdi.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"reflect"
 
+	openshiftconfigv1 "github.com/openshift/api/config/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -104,7 +105,7 @@ func NewCDI(hc *hcov1beta1.HyperConverged, opts ...string) (*cdiv1beta1.CDI, err
 		UninstallStrategy: &uninstallStrategy,
 		Config: &cdiv1beta1.CDIConfigSpec{
 			FeatureGates:       getDefaultFeatureGates(),
-			TLSSecurityProfile: hcoutil.GetClusterInfo().GetTLSSecurityProfile(hc.Spec.TLSSecurityProfile),
+			TLSSecurityProfile: openshift2CdiSecProfile(hcoutil.GetClusterInfo().GetTLSSecurityProfile(hc.Spec.TLSSecurityProfile)),
 		},
 		CertConfig: &cdiv1beta1.CDICertConfig{
 			CA: &cdiv1beta1.CertConfig{
@@ -169,3 +170,23 @@ func NewCDIWithNameOnly(hc *hcov1beta1.HyperConverged, opts ...string) *cdiv1bet
 		},
 	}
 }
+
+func openshift2CdiSecProfile(hcProfile *openshiftconfigv1.TLSSecurityProfile) *cdiv1beta1.TLSSecurityProfile {
+	var custom *cdiv1beta1.CustomTLSProfile
+	if hcProfile.Custom != nil {
+		custom = &cdiv1beta1.CustomTLSProfile{
+			TLSProfileSpec: cdiv1beta1.TLSProfileSpec{
+				Ciphers:       hcProfile.Custom.TLSProfileSpec.Ciphers,
+				MinTLSVersion: cdiv1beta1.TLSProtocolVersion(hcProfile.Custom.TLSProfileSpec.MinTLSVersion),
+			},
+		}
+	}
+
+	return &cdiv1beta1.TLSSecurityProfile{
+		Type:         cdiv1beta1.TLSProfileType(hcProfile.Type),
+		Old:          (*cdiv1beta1.OldTLSProfile)(hcProfile.Old),
+		Intermediate: (*cdiv1beta1.IntermediateTLSProfile)(hcProfile.Intermediate),
+		Modern:       (*cdiv1beta1.ModernTLSProfile)(hcProfile.Modern),
+		Custom:       custom,
+	}
+}
diff --git a/controllers/operands/cdi_test.go b/controllers/operands/cdi_test.go
@@ -1323,7 +1323,7 @@ var _ = Describe("CDI Operand", func() {
 			It("should modify TLSSecurityProfile on CDI CR according to ApiServer or HCO CR", func() {
 				existingResource, err := NewCDI(hco)
 				Expect(err).ToNot(HaveOccurred())
-				Expect(existingResource.Spec.Config.TLSSecurityProfile).To(Equal(intermediateTLSSecurityProfile))
+				Expect(existingResource.Spec.Config.TLSSecurityProfile).To(Equal(openshift2CdiSecProfile(intermediateTLSSecurityProfile)))
 
 				// now, modify HCO's TLSSecurityProfile
 				hco.Spec.TLSSecurityProfile = modernTLSSecurityProfile
@@ -1342,7 +1342,7 @@ var _ = Describe("CDI Operand", func() {
 						foundResource),
 				).ToNot(HaveOccurred())
 
-				Expect(foundResource.Spec.Config.TLSSecurityProfile).To(Equal(modernTLSSecurityProfile))
+				Expect(foundResource.Spec.Config.TLSSecurityProfile).To(Equal(openshift2CdiSecProfile(modernTLSSecurityProfile)))
 
 				Expect(req.Conditions).To(BeEmpty())
 			})
@@ -1356,7 +1356,7 @@ var _ = Describe("CDI Operand", func() {
 				req.HCOTriggered = false
 
 				// now, modify CDI node placement
-				existingResource.Spec.Config.TLSSecurityProfile = modernTLSSecurityProfile
+				existingResource.Spec.Config.TLSSecurityProfile = openshift2CdiSecProfile(modernTLSSecurityProfile)
 
 				cl := commontestutils.InitClient([]client.Object{hco, existingResource})
 				handler := (*genericOperand)(newCdiHandler(cl, commontestutils.GetScheme()))
@@ -1373,7 +1373,7 @@ var _ = Describe("CDI Operand", func() {
 						foundResource),
 				).ToNot(HaveOccurred())
 
-				Expect(foundResource.Spec.Config.TLSSecurityProfile).To(Equal(hco.Spec.TLSSecurityProfile))
+				Expect(foundResource.Spec.Config.TLSSecurityProfile).To(Equal(openshift2CdiSecProfile(hco.Spec.TLSSecurityProfile)))
 				Expect(foundResource.Spec.Config.TLSSecurityProfile).ToNot(Equal(existingResource.Spec.Config.TLSSecurityProfile))
 
 				Expect(req.Conditions).To(BeEmpty())

diff --git a/deploy/cluster_role.yaml b/deploy/cluster_role.yaml
@@ -3100,6 +3100,7 @@ rules:
   - config.openshift.io
   resources:
   - proxies
+  - infrastructures
   verbs:
   - get
   - list
@@ -3171,6 +3172,15 @@ rules:
   - virtualmachines/finalizers
   verbs:
   - update
+- apiGroups:
+  - forklift.cdi.kubevirt.io
+  resources:
+  - ovirtvolumepopulators
+  - openstackvolumepopulators
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

diff --git a/deploy/crds/containerized-data-importer00.crd.yaml b/deploy/crds/containerized-data-importer00.crd.yaml
@@ -249,7 +249,7 @@ spec:
                           can be catastrophic. An example custom profile looks like
                           this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
                           - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256
-                          minTLSVersion: TLSv1.1"
+                          minTLSVersion: VersionTLS11"
                         nullable: true
                         properties:
                           ciphers:
@@ -265,15 +265,18 @@ spec:
                             description: "minTLSVersion is used to specify the minimal
                               version of the TLS protocol that is negotiated during
                               the TLS handshake. For example, to use TLS versions
-                              1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n
-                              NOTE: currently the highest minTLSVersion allowed is
-                              VersionTLS12"
+                              1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: VersionTLS11
+                              \n NOTE: currently the highest minTLSVersion allowed
+                              is VersionTLS12"
                             enum:
                             - VersionTLS10
                             - VersionTLS11
                             - VersionTLS12
                             - VersionTLS13
                             type: string
+                        required:
+                        - ciphers
+                        - minTLSVersion
                         type: object
                       intermediate:
                         description: "intermediate is a TLS security profile based
@@ -284,15 +287,15 @@ spec:
                           - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
                           - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
                           - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
-                          minTLSVersion: TLSv1.2"
+                          minTLSVersion: VersionTLS12"
                         nullable: true
                         type: object
                       modern:
                         description: "modern is a TLS security profile based on: \n
                           https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
                           \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
                           - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
-                          minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported."
+                          minTLSVersion: VersionTLS13 \n NOTE: Currently unsupported."
                         nullable: true
                         type: object
                       old:
@@ -309,7 +312,7 @@ spec:
                           ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256
                           - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384
                           - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA
-                          - DES-CBC3-SHA minTLSVersion: TLSv1.0"
+                          - DES-CBC3-SHA minTLSVersion: VersionTLS10"
                         nullable: true
                         type: object
                       type:
@@ -2549,7 +2552,7 @@ spec:
                           can be catastrophic. An example custom profile looks like
                           this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
                           - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256
-                          minTLSVersion: TLSv1.1"
+                          minTLSVersion: VersionTLS11"
                         nullable: true
                         properties:
                           ciphers:
@@ -2565,15 +2568,18 @@ spec:
                             description: "minTLSVersion is used to specify the minimal
                               version of the TLS protocol that is negotiated during
                               the TLS handshake. For example, to use TLS versions
-                              1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: TLSv1.1 \n
-                              NOTE: currently the highest minTLSVersion allowed is
-                              VersionTLS12"
+                              1.1, 1.2 and 1.3 (yaml): \n minTLSVersion: VersionTLS11
+                              \n NOTE: currently the highest minTLSVersion allowed
+                              is VersionTLS12"
                             enum:
                             - VersionTLS10
                             - VersionTLS11
                             - VersionTLS12
                             - VersionTLS13
                             type: string
+                        required:
+                        - ciphers
+                        - minTLSVersion
                         type: object
                       intermediate:
                         description: "intermediate is a TLS security profile based
@@ -2584,15 +2590,15 @@ spec:
                           - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
                           - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
                           - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
-                          minTLSVersion: TLSv1.2"
+                          minTLSVersion: VersionTLS12"
                         nullable: true
                         type: object
                       modern:
                         description: "modern is a TLS security profile based on: \n
                           https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
                           \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
                           - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
-                          minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported."
+                          minTLSVersion: VersionTLS13 \n NOTE: Currently unsupported."
                         nullable: true
                         type: object
                       old:
@@ -2609,7 +2615,7 @@ spec:
                           ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256
                           - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 - AES256-GCM-SHA384
                           - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA
-                          - DES-CBC3-SHA minTLSVersion: TLSv1.0"
+                          - DES-CBC3-SHA minTLSVersion: VersionTLS10"
                         nullable: true
                         type: object
                       type:

diff --git a/deploy/images.csv b/deploy/images.csv
@@ -11,13 +11,13 @@ KUBEVIRT_EXPORSERVER_IMAGE,quay.io/kubevirt/virt-exportserver,KUBEVIRT_VERSION,a
 CNA_OPERATOR_IMAGE,quay.io/kubevirt/cluster-network-addons-operator,NETWORK_ADDONS_VERSION,3c70cb833819d8346e5531b10ac516283bab7098e782708768a6fe00ae0ddfac
 SSP_OPERATOR_IMAGE,quay.io/kubevirt/ssp-operator,SSP_VERSION,a15a53d0f3ef530fe469acf3b7673486011605d0021d4dbe29af94096b3b65ee
 SSP_VALIDATOR_IMAGE,quay.io/kubevirt/kubevirt-template-validator,SSP_VERSION,8f7c389a7cd7ef34f2edc84245bc1d0ebcf13e86da5e0b8893f56733c482b10d
-CDI_OPERATOR_IMAGE,quay.io/kubevirt/cdi-operator,CDI_VERSION,f68e4f2a082fc72d92bc1df0340285af03cd12d8c7721b38c619d1de0f4c175a
-CDI_CONTROLLER_IMAGE,quay.io/kubevirt/cdi-controller,CDI_VERSION,392ead2fdc5050c584765ebf99706cc5c0ab9c2b424b692ad35005e77d110b58
-CDI_APISERVER_IMAGE,quay.io/kubevirt/cdi-apiserver,CDI_VERSION,4ba004f57e7d589ddb5372a9729360460a97effecc6e5ecaccd7fbf16c6fcf13
-CDI_CLONER_IMAGE,quay.io/kubevirt/cdi-cloner,CDI_VERSION,05da8df0b64024f9e2a48a1a54f06c821d79a3efe7828fad2c4fda6a01d0cd86
-CDI_IMPORTER_IMAGE,quay.io/kubevirt/cdi-importer,CDI_VERSION,de5b89c879a531165482d540deffdc2dec0c188fd0f7b5fbd49c0298cf9a5b1d
-CDI_UPLOADPROXY_IMAGE,quay.io/kubevirt/cdi-uploadproxy,CDI_VERSION,86285df5cf52533732ddf4fdb74674cbce877ba69833cb8ed058c2a157cb5573
-CDI_UPLOADSERVER_IMAGE,quay.io/kubevirt/cdi-uploadserver,CDI_VERSION,d7fb653bb33dade84583fff6048092346639532d6675aaf9f88070171cb0fe7c
+CDI_OPERATOR_IMAGE,quay.io/kubevirt/cdi-operator,CDI_VERSION,327698f0fbe5a03bed387037a141328ef4453f64f51a8e37b638aca456840fb4
+CDI_CONTROLLER_IMAGE,quay.io/kubevirt/cdi-controller,CDI_VERSION,8cba9e94be556b840e66cd91e9924c597c77421d70b75459704ce933f864eb9d
+CDI_APISERVER_IMAGE,quay.io/kubevirt/cdi-apiserver,CDI_VERSION,04b538b77b7e56346e789ee9a23c2987896c44fae291bc084089e06e40ae0f78
+CDI_CLONER_IMAGE,quay.io/kubevirt/cdi-cloner,CDI_VERSION,359b413b2e1f2f737682b238d00d40854337eb9962f158cd6aa90f38c770b4e7
+CDI_IMPORTER_IMAGE,quay.io/kubevirt/cdi-importer,CDI_VERSION,f14bc1d55732303ce07593159cb1d9620aaec28ac8c16328c9d4788d384758d2
+CDI_UPLOADPROXY_IMAGE,quay.io/kubevirt/cdi-uploadproxy,CDI_VERSION,91a3d256b1c05ff3485c55d2d29a1ce871ece2aaa23637f265c9f2c4caeb4a69
+CDI_UPLOADSERVER_IMAGE,quay.io/kubevirt/cdi-uploadserver,CDI_VERSION,568c5ab4182cd3aecc259956302263f4e4e445608533e421a6f9fdee05a3ef71
 HPPO_IMAGE,quay.io/kubevirt/hostpath-provisioner-operator,HPPO_VERSION,246b3819cfa3833f9a8cb01e8cb859aa61a1924a85ea4a112e43e8414f32c429
 HPP_IMAGE,quay.io/kubevirt/hostpath-provisioner,HPP_VERSION,2b93b6c4ce0307a8f0dbdae2226da4acb1bae781788fbde7f0c32d6ad6421aa0
 HPP_CSI_IMAGE,quay.io/kubevirt/hostpath-csi-driver,HPP_VERSION,b7ccc469ad7e640fed2e98b50eae57a64e81c7b9862a799b7a9892d14ade8937