Bug 1304635

Summary: [platformmanagement_public_544]Could not create reencrypt successfully via oc create route reencrypt
Product: OKD Reporter: Wei Sun <wsun>
Component: ocAssignee: Michail Kargakis <mkargaki>
Status: CLOSED CURRENTRELEASE QA Contact: Wei Sun <wsun>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.xCC: aos-bugs, mmccomas, xxia
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-12 17:11:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Wei Sun 2016-02-04 09:08:32 UTC
Description of problem:
Create a reencrypt route usig `oc create route reencrypt ` command,if I add --dest-ca-cert ,then I will get  "Details: edge termination does not support destination certificates" .


Version-Release number of selected component (if applicable):
devenv-rhel7_3325
# oc version
oc v1.1.1-400-g76ea550
kubernetes v1.2.0-alpha.4-851-g4a65fa1

How reproducible:
Always

Steps to Reproduce:
1.Create the pod, service
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/nginx-pod.json
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/reencrypt/service_secure.json

2.Create reencrypt route
# oc create route reencrypt my-route1 --dest-ca-cert=example2.cert --service=hello-nginx --hostname=www.example2.com --key=example2.key --cert=example2.pem  
3.

Actual results:
2.# oc create route reencrypt my-route1 --dest-ca-cert=example2.cert  --service=hello-nginx --hostname=www.example2.com --key=example2.key --cert=example2.pem 
The Route "my-route1" is invalid.
tls.destinationCACertificate: invalid value '-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIBBzANBgkqhkiG9w0BAQUFADCBoTELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAlNDMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0Rl
ZmF1bHQgQ29tcGFueSBMdGQxEDAOBgNVBAsMB1Rlc3QgQ0ExGjAYBgNVBAMMEXd3
dy5leGFtcGxlY2EuY29tMSIwIAYJKoZIhvcNAQkBFhNleGFtcGxlQGV4YW1wbGUu
Y29tMB4XDTE2MDExMzE5NDEwNloXDTI2MDExMDE5NDEwNlowgYAxGTAXBgNVBAMT
EHd3dy5leGFtcGxlMi5jb20xCzAJBgNVBAgTAlNDMQswCQYDVQQGEwJVUzEjMCEG
CSqGSIb3DQEJARYUZXhhbXBsZTJAZXhhbXBsZS5jb20xETAPBgNVBAoTCEV4YW1w
bGUyMREwDwYDVQQLEwhFeGFtcGxlMjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAyNZ2LYb4rx9JPDSL2HV+Jn5x5dsxJXpOTsMnXCDt3thcU1XkdraJyameRGAN
eyQwMDmw9QIz7VQ8keYD8oj86pXxAlJAcAAlOJk7QVQPCI96rfCFh7mIJvSkZDp3
qLXPa+Eh6A6BdDnH+k66NaKPA2r9CmlFOjQRegX7OoCT0DMCAwEAAaMNMAswCQYD
VR0TBAIwADANBgkqhkiG9w0BAQUFAAOCAQEAjZyGYv/Z/L34dI/QNZnj+giEi01+
zaNxVMGvg0MR0+Y+neTtoXD422rVoIM5OmwxdwtrtUxgjrNKeSCGFytnHbn/sgob
L9pF5SbkS8nnbhahj1FEjjjIzRCng/TPp2pHlU13ccpHblffGrawyLzayBzQYFLB
SdGBb8Brj3/XvjGuwx889Pxk0du00gl94b3Q8LQ+veHpwTA5KmvT2OrKZr3zv3zY
o/WkbxE76DTRnXNHDD30BxhW5EMP9lpJKfOQjXd244S4ZxQ1sD/ecVQYt3I7TJfM
BlKIfRJfzFLrI4wD/3Xz4ZA596KAbNt6Eb3liRRM+qh5cNab88640SKFAg==
-----END CERTIFICATE-----
', Details: edge termination does not support destination certificates

Expected results:
Could create reencrypt route successfully

Additional info:
If I don't add --dest-ca-cert just use `oc create route reencrypt my-route --service=hello-nginx --hostname=www.example2.com --key=example2.key --cert=example2.pem` , then after creating the route,the route TLS is shown "edge"

Comment 1 openshift-github-bot 2016-02-04 17:51:44 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/a38817a1ebeb85f7fdf21afa33e6c4e5d60c27e4
Bug 1304635: fix termination type for oc create route reencrypt

Comment 2 Wei Sun 2016-02-05 05:11:37 UTC
The bug was fixed in devenv-rhel7_3335.After the bug is moved to ON_QA,I'll verify it.

Result:
 
# oc create route reencrypt my-route-path --dest-ca-cert=reencrypt.cert --service=hello-nginx --hostname=www.example2.com --key=reencrypt.key --cert=reencrypt.pem --path=/test
route "my-route-path" created

# oc create route reencrypt my-route-no-path --dest-ca-cert=reencrypt.cert --service=hello-nginx --hostname=www.example2.com --key=reencrypt.key --cert=reencrypt.pem 
route "my-route-no-path" created

# oc get route
NAME               HOST/PORT          PATH      SERVICE       LABELS    INSECURE POLICY   TLS TERMINATION
my-route-no-path   www.example2.com             hello-nginx                               reencrypt
my-route-path      www.example2.com   /test     hello-nginx                               reencrypt

Comment 3 Xingxing Xia 2016-02-14 03:24:00 UTC
Verified against devenv-rhel7_3421.
The test results are:
For step 2: result is as shown in comment 2.
For "Additional info": If don't add --dest-ca-cert for `oc create route reencrypt`, then the command will fail with message "tls.destinationCACertificate: Required value"

The bug is fixed, so move to VERIFIED