Bug 1473152

Summary: [free-stg][free-int][starter-us-west/east] User should be able to control access whitelist for routes
Product: OpenShift Online
Reporter: Meng Bo <bmeng>
Component: Routing
Assignee: Miciah Dashiel Butler Masters <mmasters>
Status: CLOSED CURRENTRELEASE
QA Contact: zhaozhanqi <zzhao>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.x
CC: abhgupta, aos-bugs
Target Milestone: ---
Keywords: OnlineStarter
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-09 18:46:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Meng Bo 2017-07-20 06:44:57 UTC
Description of problem:
Related OCP feature: https://trello.com/c/TbZPhHKE/21-3-route-security-management-by-end-user-ingress

User cannot control the access for route in free online env.


Version-Release number of selected component (if applicable):
v3.6.152.0

How reproducible:
always

Steps to Reproduce:
1. Create route
2. Set the access control by the env
oc annotate route route1 --overwrite haproxy.router.openshift.io/ip_whitelist='10.66.140.100'
3. Access the route with client IP which is not in the whitelist

Actual results:
Can access the route.

Expected results:
Should not be able to access.

Additional info:

Comment 1 Ben Bennett 2017-07-20 15:54:14 UTC
This is probably because the haproxy template is out of sync.

Comment 2 Abhishek Gupta 2017-09-08 17:26:31 UTC
Starter tier clusters now use the same default router template that ships with OCP. This issue should now be resolved.

Comment 3 zhaozhanqi 2017-09-11 07:07:03 UTC
Found free-int still using the custom template
        - name: TEMPLATE_FILE
          value: /var/lib/haproxy/conf/custom/haproxy-config.template

So please move this bug to ON_QA once it's upgraded, thanks
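
An added example, not part of the bug report or of OpenShift's own tooling: a shell heuristic for the cause suggested in Comments 1 and 3, reporting whether a router is pointed at a custom TEMPLATE_FILE and whether that template mentions the ip_whitelist annotation at all. The function names, the sample env listings and the template fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: flag a router whose custom
# template never reads the ip_whitelist route annotation.
ANNOTATION='haproxy.router.openshift.io/ip_whitelist'

# Print the TEMPLATE_FILE value found in a container env listing (YAML on
# stdin). Prints nothing when the variable is unset (default template).
custom_template_path() {
    awk '/name: *TEMPLATE_FILE/ { found = 1; next }
         found && /value:/ { sub(/^.*value: */, ""); print; exit }'
}

# Succeed only if the template file mentions the annotation key.
# Heuristic: a mention inside a template comment would also match.
template_honors_whitelist() {
    grep -F -q -e "$ANNOTATION" "$1"
}

# $1 = env listing file, $2 = local copy of the template named there.
# Prints: default | custom-ok | custom-ignores-whitelist
audit_router() {
    path=$(custom_template_path < "$1")
    if [ -z "$path" ]; then
        echo default
    elif template_honors_whitelist "$2"; then
        echo custom-ok
    else
        echo custom-ignores-whitelist
    fi
}

# --- Constructed sample inputs (hypothetical, not real cluster data) ---
WORK=$(mktemp -d)
printf '%s\n' '- name: EXAMPLE_VAR' '  value: router' > "$WORK/env-default.yaml"
printf '%s\n' '- name: TEMPLATE_FILE' \
    '  value: /var/lib/haproxy/conf/custom/haproxy-config.template' > "$WORK/env-custom.yaml"
# Stale template fragment: no reference to the annotation anywhere.
printf '%s\n' 'backend be_http_{{$cfgIdx}}' '  mode http' > "$WORK/stale.template"
# Template fragment that reads the annotation and builds an ACL from it.
printf '%s\n' '{{ $wl := index $cfg.Annotations "haproxy.router.openshift.io/ip_whitelist" }}' \
    '  acl whitelist src {{ $wl }}' \
    '  tcp-request content reject if !whitelist' > "$WORK/current.template"

audit_router "$WORK/env-default.yaml" "$WORK/stale.template"
audit_router "$WORK/env-custom.yaml"  "$WORK/stale.template"
audit_router "$WORK/env-custom.yaml"  "$WORK/current.template"
```

A `custom-ok` result only shows that the template mentions the annotation; the check in the reproduction steps (a request from a client IP outside the whitelist) remains the way to confirm enforcement.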

Comment 4 Meng Bo 2017-09-11 09:57:32 UTC
Hi Abhishek,

If we use the same template as the OCP one, how do we limit the function for some of the routes like before? E.g., cannot create custom domain for some kind of routes.

Thanks.

Comment 5 Miciah Dashiel Butler Masters 2017-09-11 14:01:32 UTC
Hi Bo,

We will restrict custom domains by removing the policy rule that grants create access to the routes/custom-host resource.

Comment 7 Miciah Dashiel Butler Masters 2017-09-11 16:46:02 UTC
free-int and free-stg now should have the standard router template.

Comment 8 zhaozhanqi 2017-09-12 08:03:53 UTC
Verified this bug on free-int (v3.7.0-0.104.0), free-stg (v3.6.173.0.5)