Bug 1857023

Summary: Creating faulty(bad formatted cert&key) route makes other existing routes inaccessible
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: NetworkingAssignee: Miciah Dashiel Butler Masters <mmasters>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: aiyengar, amcdermo, aos-bugs, hongli
Version: 3.11.0   
Target Milestone: ---   
Target Release: 4.3.z   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-23 13:52:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1857022    
Bug Blocks:    

Comment 1 Miciah Dashiel Butler Masters 2020-07-30 08:26:27 UTC 
We'll track this 4.3 backport in the upcoming sprint.
Comment 2 Miciah Dashiel Butler Masters 2020-08-21 05:06:49 UTC 
The 4.3.z backport is waiting on the 4.4.z backport (bug 1857022).  We'll continue tracking this in the upcoming sprint.
Comment 5 Arvind iyengar 2020-09-11 11:31:25 UTC 
The test was performed with "4.3.0-0.nightly-2020-09-10-171754" payload. With this release version, we see the similar to other present y-stream release the router now accepts badly formatted cert/pem file and corrects them as well without any crash or failure:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-09-10-171754   True        False         20m     Cluster version is 4.3.0-0.nightly-2020-09-10-171754

route creation:
$ oc create route edge myroute --port=http --service=service-unsecure --hostname=myroute-test-1.internalapps.oc43-1857023-1109.qe.devcluster.openshift.com  --cert=/home/aiyengar/QE_OC_TASKS/kube-configs/1843856/1843856-bad.pem
route.route.openshift.io/myroute created

$ oc get route myroute -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  creationTimestamp: "2020-09-11T11:22:47Z"
  labels:
    name: service-unsecure
  name: myroute
  namespace: test-1
...
..
spec:
  host: myroute-test-1.internalapps.oc43-1857023-1109.qe.devcluster.openshift.com
  port:
    targetPort: http
  tls:
    certificate: |+
      -----BEGIN CERTIFICATE-----

      MIIGnTCCBYWgAwIBAgITMAABqrxgky5s36Pm5QAAAAGqvDANBgkqhkiG9w0BAQsFADBcMQswCQYD

      VQQGEwJCRTERMA8GA1UEChMIUHJveGltdXMxFTATBgNVBAsTDHByb3hpbXVzLmNvbTEjMCEGA1UE

      nK4M1zl3MdCXc4k0/ZjXEDuDIKWVfiG/RplQ4CtaXTh1ZXiVZDn75X/7jfs=

      -----END CERTIFICATE-----

      -----BEGIN RSA PRIVATE KEY-----

      MIIEowIBAAKCAQEA1zRtfzz4YVQ9lineLvM85bJUEBgzrMECZKr4GyVnZJs/dwYm

      qMNRxC1iNbaRBvuZ4WinTQGG1elbAhVrg23abMlbIScqyrkGGUYKpk2EbJks8mkn
      ZAzCWKsg7fgC+wBMreoQzYRimc4qUwhjpcWmAKwEO9Xgo3I0gRFLATgZPvgBtX0W

      IbzMGlK4fSSLl4OblFP+7cstzlAM2sKsOMDPXo1vAT+x10oik+dO

      -----END RSA PRIVATE KEY-----

    termination: edge

Router logs post the route addition:

$ oc -n openshift-ingress logs router-default-6c57c77f9-wmbvs --tail 10
I0911 11:17:10.686345       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:15.647428       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:20.642233       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:25.664322       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:30.667062       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:36.720674       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:41.700545       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
E0911 11:22:47.568003       1 limiter.go:140] error reloading router: wait: no child processes
 - Proxy protocol on, checking http://localhost:80 ...
 - Health check ok : 0 retry attempt(s).
-----
Comment 7 errata-xmlrpc 2020-09-23 13:52:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.3.38 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3609