Bug 1410333

Summary: the route should be reachable via F5 when endpoints are node.js Express framework Apps
Product: OpenShift Container Platform
Reporter: Hongan Li <hongli>
Component: Networking
Sub component: router
Assignee: Rajat Chopra <rchopra>
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: aos-bugs, bbennett, tdawson
Version: 3.4.0
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-04-12 19:08:36 UTC
Type: Bug

Description Hongan Li 2017-01-05 07:40:51 UTC
Description of problem:
When creating F5 pools, OpenShift uses the "HTTP" health monitor to check pool status (see additional info). Because many web servers will give a response when they receive an HTTP request even when they are working in HTTPS-only mode, the HTTP monitor still works well in most scenarios. But a node.js web app powered by the Express framework will return "Empty reply from server" when it is expecting HTTPS but receives HTTP; the HTTP monitor will then mark the pool as "offline" since there is no response from the endpoints, so the customer eventually cannot access the route via the F5 server.
The suggestion is to use the "tcp" health monitor instead of "http", or to add both "http" and "https" monitors and set the "Availability Requirement" option to "at least 1".
The workaround is to change the monitor manually, as above, on the F5 web console.


Version-Release number of selected component (if applicable):
openshift v3.4.0.38
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

How reproducible:
always

Steps to Reproduce:
1. oadm router f5router...
2. Create a web app pod which uses the Express web framework (for node.js).
# oc create -f nodejs-pod.json
{
  "kind": "Pod",
  "apiVersion":"v1",
  "metadata": {
        "name": "nodejs",
        "labels": {
                "name": "nodejs"
        }
  },
  "spec": {
      "containers": [{
        "name": "nodejs-pod",
        "image": "docker.io/lihongan/nodejs-web-app",
        "ports": [
          {
            "containerPort": 3000
          }
        ]
      }]
  }
}


3. Create service
# oc create -f service-secure.json
{
    "kind": "Service",
    "apiVersion": "v1",
    "metadata": {
        "name": "service-secure"
    },
    "spec": {
        "ports": [
            {
                "name": "https",
                "protocol": "TCP",
                "port": 27443,
                "targetPort": 3000
            }
        ],
        "selector": {
            "name": "nodejs"
        }
    }
}

4. Create route
# oc create route passthrough nodejs-route --service=service-secure --hostname=test.example.com

5. Access the route via F5 server, check the pool status on F5 web console.

Actual results:
The route is not reachable via the F5 server, and the status of pool "openshift_proj_service-secure" is offline.

The results of curling the service in the cluster are as below:
[root@openshift-139 ~]# curl https://172.30.119.24:27443 -k
Hello World!
[root@openshift-139 ~]# curl http://172.30.119.24:27443
curl: (52) Empty reply from server

Expected results:
The route should be reachable via F5 when the endpoints are node.js Express framework apps.

Additional info:

func (f5 *f5LTM) CreatePool(poolname string) error {
	url := fmt.Sprintf("https://%s/mgmt/tm/ltm/pool", f5.host)

	// The http monitor is still used from the /Common partition.
	// From @Miciah: In the future, we should allow the administrator
	// to specify a different monitor to use.
	payload := f5Pool{
		Mode:    "round-robin",
		Monitor: "/Common/http",
		Name:    poolname,
	}
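
The failure mode described in this report, as an added example (not code from the report or from OpenShift): a Go program that probes a TLS-only backend the way an "http" and an "https" monitor would, and prints the pool status when all monitors must pass versus "at least 1". The names `startBackend` and `probe` are hypothetical, and the backend is a constructed stand-in for the Express pod that closes a non-TLS connection without replying.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// startBackend: constructed stand-in for the pod in the report; TLS only, no reply to plain HTTP.
func startBackend() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway self-signed cert
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if _, err := c.Read(make([]byte, 512)); err == nil { // Read runs the handshake
				c.Write([]byte("HTTP/1.0 200 OK\r\n\r\nHello World!\n"))
			}
			c.Close() // failed handshake: socket closed, client sees an empty reply
		}
	}()
	return ln.Addr().String()
}

// probe is a hypothetical "http" or "https" monitor: any HTTP response means the member is up.
func probe(scheme, addr string) bool {
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} // like curl -k
	resp, err := (&http.Client{Transport: tr, Timeout: 2 * time.Second}).Get(scheme + "://" + addr)
	if err == nil {
		resp.Body.Close()
	}
	return err == nil
}

func main() {
	addr := startBackend()
	h, s := probe("http", addr), probe("https", addr)
	fmt.Printf("http=%v https=%v | all=%v, at least 1=%v\n", h, s, h && s, h || s)
}
```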

Comment 1 Ben Bennett 2017-01-06 15:36:55 UTC
Jacob: Can you comment on this and describe what your termination type changes did for pass-through?  Perhaps those will address their concerns.

Comment 2 Ben Bennett 2017-01-31 15:11:37 UTC
I spoke to Jake and for passthrough we support redirect (not allow).  Rajat, what do we need to do to make the F5 support this?

Comment 4 Troy Dawson 2017-02-08 22:19:14 UTC
This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Comment 6 Hongan Li 2017-02-09 07:14:31 UTC
Verified in OCP 3.5.0.18 and the issue has been fixed.

version details:
openshift v3.5.0.18+9a5d1aa
ose-f5-router   v3.5.0.18   a77b57fd6e93

Comment 8 errata-xmlrpc 2017-04-12 19:08:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884