Bug 1934773

Summary: Canary client should perform canary probes explicitly over HTTPS (rather than redirect from HTTP)
Product: OpenShift Container Platform
Component: Networking
Networking sub component: router
Reporter: Stephen Greene <sgreene>
Assignee: Stephen Greene <sgreene>
QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: aos-bugs, mjoseph
Version: 4.7
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Ingress Operator's Canary Check Client sending canary requests over HTTP to load balancers that drop HTTP traffic.
Consequence: Ingress operator becomes degraded after canary checks fail.
Fix: Instead of relying on a redirect from the router, send canary check requests over HTTPS from the start.
Result: Canary checks work for clusters that expose the default ingress controller via a load balancer that drops insecure HTTP traffic.
Last Closed: 2021-07-27 22:49:27 UTC
Type: Bug
Bug Blocks: 1935891

Description Stephen Greene 2021-03-03 19:56:45 UTC
Description of problem:
The ingress operator's canary controller periodically probes the canary endpoint over HTTP. The canary route is an edge terminated route that redirects insecure traffic. Some customers, such as one mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1932401, expose the default ingress controller via an external load balancer that drops _all_ traffic to port 80, thus making an http -> https redirect impossible for the canary route.

The canary route should send probe requests over https only to mitigate this issue.
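
The behaviour requested above, as an added Go example (not the ingress operator's own code): the probe URL is built with an explicit https scheme, so the request never touches port 80, and the client refuses any redirect that leaves HTTPS. All function names are hypothetical, the redirect refusal is an extra hardening assumption of this example, and the loopback TLS server is a constructed stand-in for the canary route.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// probeURL builds the probe target with an explicit https scheme.
func probeURL(routeHost string) (string, error) {
	u, err := url.Parse("https://" + routeHost)
	if err != nil || routeHost == "" || u.Host != routeHost {
		return "", fmt.Errorf("invalid route host %q", routeHost)
	}
	return u.String(), nil
}

// refuseDowngrade rejects redirects that leave HTTPS (assumption of this example).
func refuseDowngrade(req *http.Request, _ []*http.Request) error {
	if req.URL.Scheme != "https" {
		return fmt.Errorf("refusing redirect to non-HTTPS URL %q", req.URL.String())
	}
	return nil
}

// probe sends one GET to the route over HTTPS and returns the status code.
func probe(c *http.Client, routeHost string) (int, error) {
	target, err := probeURL(routeHost)
	if err != nil {
		return 0, err
	}
	c.CheckRedirect = refuseDowngrade
	resp, err := c.Get(target)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// localTLS starts a constructed stand-in for the route: loopback TLS only, no port 80.
func localTLS(h http.Handler) *httptest.Server { return httptest.NewTLSServer(h) }

func main() {
	srv := localTLS(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	fmt.Println(probe(srv.Client(), srv.Listener.Addr().String()))
}
```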

Comment 2 Hongan Li 2021-03-08 02:03:50 UTC
Verified with 4.8.0-0.nightly-2021-03-06-055252 and passed.

$ oc version
Client Version: 4.8.0-0.nightly-2021-03-04-014703
Server Version: 4.8.0-0.nightly-2021-03-06-055252
Kubernetes Version: v1.20.0+aa519d9


Checked the operator pod logs and found the message below:
...Get \"https://canary-openshift-ingress-canary.apps.hongli-pxy.qe.devcluster.openshift.com\":

Comment 5 errata-xmlrpc 2021-07-27 22:49:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438