Bug 1989005

Description of problem:
router pod is CrashLoopBackOff if configure spec.clientTLS.allowedSubjectPatterns to "*.openshift.com"

OpenShift release version:
4.9.0-0.nightly-2021-08-01-132055

Cluster Platform:
AWS

How reproducible:
100%

Steps to Reproduce (in detail):
1. edit ingresscontroller/defalt as below
spec:
  clientTLS:
    allowedSubjectPatterns:
    - '*.openshift.com'
    clientCA:
      name: test-client-ca
    clientCertificatePolicy: Optional

2.



Actual results:
$ oc -n openshift-ingress logs router-default-75b446bff6-bb6z6
I0802 09:19:58.529496       1 template.go:437] router "msg"="starting router"  "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: dca0c64df1dcc00042218714ed3326fea1d9221e\nversionFromGit: 4.0.0-343-gdca0c64d\ngitTreeState: clean\nbuildDate: 2021-07-30T13:54:05Z\n"
I0802 09:19:58.531999       1 metrics.go:155] metrics "msg"="router health and metrics port listening on HTTP and HTTPS"  "address"="0.0.0.0:1936"
I0802 09:19:58.547116       1 router.go:191] template "msg"="creating a new template router"  "writeDir"="/var/lib/haproxy"
I0802 09:19:58.547223       1 router.go:273] template "msg"="router will coalesce reloads within an interval of each other"  "interval"="5s"
I0802 09:19:58.547588       1 router.go:337] template "msg"="watching for changes"  "path"="/etc/pki/tls/private"
I0802 09:19:58.547694       1 router.go:337] template "msg"="watching for changes"  "path"="/etc/pki/tls/client-ca"
I0802 09:19:58.547776       1 router.go:337] template "msg"="watching for changes"  "path"="/etc/pki/tls/client-ca-crl"
I0802 09:19:58.547836       1 router.go:262] router "msg"="router is including routes in all namespaces"  
E0802 09:19:58.672567       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
E0802 09:19:58.720471       1 limiter.go:165] error reloading router: exit status 1
[NOTICE] 213/091958 (18) : haproxy version is 2.2.15-5e8f49d
[NOTICE] 213/091958 (18) : path to executable is /usr/sbin/haproxy
[ALERT] 213/091958 (18) : parsing [/var/lib/haproxy/conf/haproxy.config:142] : error detected while parsing ACL 'cert_cn_matches' : regex '(?:*.openshift.com)' is invalid (error=nothing to repeat, erroffset=3).
[ALERT] 213/091958 (18) : parsing [/var/lib/haproxy/conf/haproxy.config:143] : error detected while parsing an 'http-request deny' condition : no such ACL : 'cert_cn_matches'.
[ALERT] 213/091958 (18) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
E0802 09:20:03.659815       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
E0802 09:20:03.676073       1 limiter.go:165] error reloading router: exit status 1
[NOTICE] 213/092003 (22) : haproxy version is 2.2.15-5e8f49d
[NOTICE] 213/092003 (22) : path to executable is /usr/sbin/haproxy
[ALERT] 213/092003 (22) : parsing [/var/lib/haproxy/conf/haproxy.config:142] : error detected while parsing ACL 'cert_cn_matches' : regex '(?:*.openshift.com)' is invalid (error=nothing to repeat, erroffset=3).
[ALERT] 213/092003 (22) : parsing [/var/lib/haproxy/conf/haproxy.config:143] : error detected while parsing an 'http-request deny' condition : no such ACL : 'cert_cn_matches'.
[ALERT] 213/092003 (22) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config



Expected results:
router pod should works well

Impact of the problem:


Additional info:



** Please do not disregard the report template; filling the template out as much as possible will allow us to help you. Please consider attaching a must-gather archive (via `oc adm must-gather`). Please review must-gather contents for sensitive information before attaching any must-gathers to a bugzilla report.  You may also mark the bug private if you wish.