Bug 1865784

Summary: Termination type missing in route object for "passthrough" termination policy applied via annotation on ingress objects
Product: OpenShift Container Platform Reporter: Arvind iyengar <aiyengar>
Component: NetworkingAssignee: aaleman
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: amcdermo, aos-bugs, dhansen, hongli, mmasters
Version: 4.6   
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 16:23:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Arvind iyengar 2020-08-04 07:23:12 UTC 
Description of problem:
When setting the "passthrough" termination policy via annotation feature for the ingress object (Jira: NE-359). The ingress and the corresponding route object gets created but the "route" object does not have the "termination type" field set. This as a result cause the route to be unreachable.

Version-Release number of selected component (if applicable):
* 4.6.0-0.nightly-2020-08-03-025909

How reproducible:
* Always when creating ingress object with "passthrough" annotation. 

Steps to Reproduce:
1.Create and deploy ingress resource with "passthrough" annotation: 
----
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-secure
  annotations:
    route.openshift.io/termination: "passthrough"
spec:
  rules:
  - host: service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com
    http:
      paths:
      - backend:
          serviceName: service-secure
          servicePort: 27443

$ oc create -f ingress-passthrough.yaml
ingress.extensions/ingress-secure created
----

2. Check the output of "get" ingress and route commands:
3. Test the connection through the route. 

Actual results:
* The ingress and the corresponding route object gets created but the "termination type" is missing in the route:
----
$ oc get ingress
NAME             CLASS    HOSTS                                                                                 ADDRESS   PORTS   AGE
ingress-secure   <none>   service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com             80      5s

$ oc get route
NAME                   HOST/PORT                                                                                        PATH   SERVICES         PORT    TERMINATION   WILDCARD
ingress-secure-ptmlq   service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com ... 1 more          service-secure   https                 None    <--

$ oc get route ingress-secure-ptmlq -o yaml
spec:
  host: service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com
  port:
    targetPort: https
  to:
    kind: Service
    name: service-secure
    weight: 100
  wildcardPolicy: None
----

Expected results:
The termination type should be present in the route object for the router to identify it as passthrough. Reference to creating a default route object:
-----
$ oc create route passthrough passth --hostname=service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com --service=service-secure
route.route.openshift.io/passth created

$ oc get route
NAME     HOST/PORT                                                                                      PATH   SERVICES         PORT    TERMINATION   WILDCARD
passth   service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com ... 1 more          service-secure   https   passthrough   None

$ oc get route passth -o yaml
spec:
  host: service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com
  port:
    targetPort: https
  tls:
    termination: passthrough <---
  to:
    kind: Service
    name: service-secure
    weight: 100
  wildcardPolicy: None
-----
Comment 1 Daneyon Hansen 2020-08-13 16:39:11 UTC 
openshift openshift-controller-manager pull 128 is being worked and Miciah plans to review again.
Comment 2 Miciah Dashiel Butler Masters 2020-08-21 05:11:02 UTC 
A fix for the issue is in progress; we'll continue working on it this upcoming sprint.
Comment 5 Arvind iyengar 2020-08-27 04:46:21 UTC 
The merge made into "4.6.0-0.nightly-2020-08-26-022604" release version. It is noted that with the fix in place, ingress object with passthrough annotation now works properly and the corresponding route object get created correctly with the "termination" field set:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-08-26-022604   True        False         26m     Cluster version is 4.6.0-0.nightly-2020-08-26-022604

$ cat ingress-passthrough.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-secure
  annotations:
    route.openshift.io/termination: "passthrough"
spec:
  rules:
  - host: service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com
    http:
      paths:
      - backend:
          serviceName: service-secure
          servicePort: 27443

$ oc create -f ingress-passthrough.yaml
ingress.extensions/ingress-secure created

$ oc get ingress
NAME             CLASS    HOSTS                                                                                     ADDRESS   PORTS   AGE
ingress-secure   <none>   service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com             80      12m

$ oc get route
NAME                   HOST/PORT                                                                                            PATH   SERVICES         PORT    TERMINATION            WILDCARD
ingress-secure-przm4   service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com ... 1 more          service-secure   https   passthrough/Redirect   None

$ curl https://service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com/ -k   
Hello-OpenShift-1 https-8443
-----
Comment 7 errata-xmlrpc 2020-10-27 16:23:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196