Bug 1935891

Summary: Canary client should perform canary probes explicitly over HTTPS (rather than redirect from HTTP)
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: NetworkingAssignee: Stephen Greene <sgreene>
Networking sub component: router QA Contact: Hongan Li <hongli>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: aos-bugs, mjoseph, swasthan
Version: 4.7   
Target Milestone: ---   
Target Release: 4.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-25 01:53:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1934773    
Bug Blocks:    

Description OpenShift BugZilla Robot 2021-03-05 18:09:06 UTC 
+++ This bug was initially created as a clone of Bug #1934773 +++

Description of problem:
The ingress operator's canary controller periodically probes the canary endpoint over HTTP. The canary route is an edge terminated route that redirects insecure traffic. Some customers, such as one mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1932401, expose the default ingress controller via an external load balancer that drops _all_ traffic to port 80, thus making an http -> https redirect impossible for the canary route.

The canary route should send probe requests over https only to mitigate this issue.
Comment 2 Hongan Li 2021-03-15 03:26:35 UTC 
verified with 4.7.0-0.nightly-2021-03-13-095904 and pass.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-03-13-095904   True        False         14m     Cluster version is 4.7.0-0.nightly-2021-03-13-095904

can find operator logs as below:
Get \"https://canary-openshift-ingress-canary.apps.hongli-bv.qe.devcluster.openshift.com\"
Comment 5 Stephen Greene 2021-03-24 13:33:28 UTC 
*** Bug 1942121 has been marked as a duplicate of this bug. ***
Comment 6 errata-xmlrpc 2021-03-25 01:53:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.3 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:0821