Bug 1461378

Summary:	[free-int]reencrypt route should be supported for free-int
Product:	OpenShift Online	Reporter:	zhaozhanqi <zzhao>
Component:	Routing	Assignee:	Miciah Dashiel Butler Masters <mmasters>
Status:	CLOSED CURRENTRELEASE	QA Contact:	zhaozhanqi <zzhao>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	3.x	CC:	abhgupta, aos-bugs, bbennett, bingli, mmasters, zhaliu
Target Milestone:	---	Keywords:	OnlineStarter, Reopened
Target Release:	3.x
Hardware:	All
OS:	All
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-11-09 19:00:00 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description zhaozhanqi 2017-06-14 10:42:06 UTC

Description of problem:
Reencrypt route without specified destinationCA return 503 error.

this feature should be supported after https://github.com/openshift/origin/pull/13752

Version-Release number of selected component (if applicable):
https://api.free-int.openshift.com
v3.6.106

How reproducible:
always

Steps to Reproduce:
1. Create app pod/service on free-int env
   $oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
   $https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/reencrypt/service_secure.json

2. Create reencrypt route
   $ oc create route reencrypt reen --service=service-secure 

3. Access the reencrypt route


Actual results:

step 3 return 503 error

Expected results:

step 3 the route should can be accessed and return 'hello-openshift'

Additional info:

Comment 1 Ben Bennett 2017-06-21 18:29:11 UTC


*** This bug has been marked as a duplicate of bug 1462709 ***

Comment 2 Ben Bennett 2017-06-21 18:30:33 UTC

You need https://github.com/openshift/origin/pull/13752 to make reencrypt routes work with your template.

Comment 3 zhaozhanqi 2017-06-22 01:40:07 UTC

@Ben Bennett

this bug is not duplicated with bug 1462709. as your comment 2 said. the bug need to update the haproxy template. So please Miciah help check this.

Comment 4 Ben Bennett 2017-06-22 15:42:21 UTC

@zhaozhanqi: Miciah is working on it under https://bugzilla.redhat.com/show_bug.cgi?id=1462709

Then the old routers not working with the new API is being addressed as https://bugzilla.redhat.com/show_bug.cgi?id=1461624

This is a duplicate of one or the other... so I'm closing it again :-)

*** This bug has been marked as a duplicate of bug 1461624 ***

Comment 5 zhaozhanqi 2017-06-23 01:40:17 UTC

@Ben Bennett

Maybe I did express this issue clearly..

For free-int, it did not support reencrypt route before 3.6. but a new feature was merged https://github.com/openshift/origin/pull/13752..

So the reencrypt route should be supported since user do not need to provide the destination CA.

for bug 1462709 and 1461624. they are caused by the rencrypt CA blocked the router. that's mean all routes will be failed

I also changed the title in case of you are misunderstood it.

Comment 6 Ben Bennett 2017-06-23 13:18:50 UTC

I'm confused.  Free-int runs a custom router template.  The changes introduced by https://github.com/openshift/origin/pull/13752 broke compatibility with the old router template and https://bugzilla.redhat.com/show_bug.cgi?id=1461624 will fix that.

The other way to fix that is for someone in Online to update the custom router template they use to incorporate the changes in https://github.com/openshift/origin/pull/13752, or to remove the custom template (since it now has the features Online needs) entirely.  I believe Miciah is working on that.

What other outcome do you want from this bug?  I'll assign it to Miciah in case he knows something I don't.

Comment 7 Miciah Dashiel Butler Masters 2017-06-23 15:25:24 UTC

These three Bugzilla reports deal with distinct but subtly different issues:

Bug 1461624 "[free-int] Unable to access exposed service on cluster" — this is a defect in RHOCP/Origin (a change in the router breaks backwards compatibility with custom templates).

Bug 1462709 "[free][free-int]The route is not available" — this is an operational problem (broken router was blocking testing) caused by bug 1461624, which we mitigated for now by deleting problematic reencrypt routes.

Bug 1461378 "[free-int]reencrypt route should be supported for free-int" — this is a configuration change we intend to make to allow reencrypt routes, now that we have the "routes/custom-host" resource and improved validation.

I hope that clears things up!

Comment 8 Abhishek Gupta 2017-09-08 17:33:41 UTC

Starter tier clusters now use the same default router template that ships with OCP. This issue should now be resolved.

Comment 9 zhaozhanqi 2017-09-11 06:56:03 UTC

Found free-int still using the custom template
        - name: TEMPLATE_FILE
          value: /var/lib/haproxy/conf/custom/haproxy-config.template

So please move this bug to ON_QA once it's upgrade, thanks

Comment 10 Miciah Dashiel Butler Masters 2017-09-11 16:46:02 UTC

free-int and free-stg now should have the standard router template.

Comment 11 zhaozhanqi 2017-09-12 07:12:54 UTC

Verified this bug on free-int.

Comment 12 zhaozhanqi 2017-09-12 08:04:40 UTC

free-int version (v3.7.0-0.104.0)