Bug 1542711
| Summary: | Enable router's extended validation by default on new installs | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Miciah Dashiel Butler Masters <mmasters> |
| Component: | Installer | Assignee: | Miciah Dashiel Butler Masters <mmasters> |
| Status: | CLOSED ERRATA | QA Contact: | zhaozhanqi <zzhao> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.9.0 | CC: | aos-bugs, jokerman, mmccomas, zzhao |
| Target Milestone: | --- | ||
| Target Release: | 3.11.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | https://github.com/openshift/openshift-ansible/pull/8008 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: |
Feature: The installer now enables the router's extended route validation by default. This validation performs additional validation and sanitization of routes' TLS configuration and certificates.
Version-Release number of selected component (if applicable): 3.11.
Additional info: Extended route validation was added to the router in 3.3 and enhanced with certificate sanitization in 3.6. However, the installer did not previously enable extended route validation.
Reason: Initially we were concerned that the validation might be too strict and reject valid routes and certificates, and so it has been disabled by default. By now, we are sufficiently confident that it is safe to enable by default on new installs.
Result: Extended route validation will be enabled by default on new clusters. It can be disabled using by setting openshift_hosted_router_extended_validation=False in the Ansible inventory. Upgrading an existing cluster will *not* enable extended route validation.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-11 07:19:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Miciah Dashiel Butler Masters
2018-02-06 21:12:17 UTC
Commit pushed to master at https://github.com/openshift/openshift-ansible https://github.com/openshift/openshift-ansible/commit/4168c35d8b304773a1716bd3395ee488ca2ef765 Enable extended validation of routes by default Add a new Boolean variable, openshift_hosted_router_extended_validation, default true, that determines whether to configure the router to perform extended validation on routes before admitting them. This commit fixes bug 1542711. https://bugzilla.redhat.com/show_bug.cgi?id=1542711 Should be in openshift-ansible-3.11.0-0.15.0 seems this issue has been fixed for long time. I tested using 'openshift-ansible-3.11.0-0.14.0.git.0.7bd4429None.noarch.rpm' and setup 3.11 OCP. the router default 'EXTENDED_VALIDATION' has been changed to 'true'.
- name: EXTENDED_VALIDATION
83 value: "true"
Verified this bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2652 |