Bug 1317159
| Summary: | [RFE] Re-Encryption terminated route should support redirect setting for the access from http to https | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Kenjiro Nakayama <knakayam> |
| Component: | RFE | Assignee: | Jacob Tanenbaum <jtanenba> |
| Status: | CLOSED ERRATA | QA Contact: | zhaozhanqi <zzhao> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.1.0 | CC: | aleksandar.lazic, aos-bugs, bbennett, bmeng, ccoleman, jkaur, jokerman, jtanenba, misalunk, mmccomas, ramr, tdawson |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: Re-encrpytion routes were not correctly supporting redirect access from http to https
Consequence: It was not possible to set a reencrypt route's insecure termination policy to redirect
Fix: Edit the haproxy template file to correctly implement redirect as a valid insecure termination policy for redirect routes
Result: reencrypt routes can be configured to redirect http to https traffic
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-04-12 19:05:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
@kenjiro-san we could probably still get away with calling it insecureEdgeTerminationPolicy as the term is generic enough that it applies to any requests that get terminated at the edge (which both edge terminated and re-encrypt routes do) - the re-encrypt part applies to encrypting the traffic we send to the backend (pod). I agree its a bit overloaded given our use of edge-terminated routes. But we could spin that as a re-encrypted route is really an edge-terminated route with encrypted traffic to the backends. The insecureEdgeTerminationPolicy=allow for a re-encrypted route might sound a bit awkward though. And there is also passthrough routes to consider here. @clayton, any preferences on terminology / thoughts? Thx Somewhat related to this discussion is also this RFE: https://github.com/openshift/origin/issues/5946 Hi, I have started to add the possibility for other tls methodes to be able to redirect. The pull request https://github.com/openshift/origin/pull/8258 Do yo think this option will be able to reach 3.2? In case not please can you provide a workaround for the case schema redirect http -> https, thanks. BR Aleks Given the need for API backcompat i'm ok with repurposing the existing field to cover all types of passthrough. Origin PR https://github.com/openshift/origin/pull/11953 docs PR: https://github.com/openshift/openshift-docs/pull/3244 This has been merged into ocp and is in OCP v3.5.0.18 or newer. Verified this bug on OCP v3.5.0.18 Reencrypt already support 'Redircte/Allow' Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884 |
Description of problem: - Re-Encryption terminated route should support redirect setting for the access from http to https Version-Release number of selected component (if applicable): - 3.1.1.6 (routing) How reproducible: 1. Set reencrypt with insecureEdgeTerminationPolicy ~~~ tls: termination: reencrypt insecureEdgeTerminationPolicy: Redirect ~~~ 2. Get error "* invalid value 'Redirect', Details: InsecureEdgeTerminationPolicy is only allowed for edge-terminated routes" Expected results: - Allow to set "insecureEdgeTerminationPolicy: Redirect" for Re-encryption Termination. - NOTE: It may be necessary to change the name of "insecureEdgeTerminationPolicy".