Description of problem: HAProxy does not consider a '401 unauthenticated' status code to be a valid code for health checks. When a scaled application requires Basic HTTP authentication, the HAProxy health checks will therefore fail and mark the server as down. This results in a 503 internal server error response from the application. Version-Release number of selected component (if applicable): 2.1.5 How reproducible: Steps to Reproduce: 1. rhc create-app basicauthtest jbosseap-6 --from-url=https://github.com/etsauer/openshift-quickstart-basic-auth.git -s 2. Navigate to app. Actual results: 503 Error page Expected results: Loging Pop-Up window referencing a 'Test Realm' Additional info: Need to add 401 to list of valid response codes in the HAProxy cartridge.
Created PR at: https://github.com/openshift/origin-server/pull/5835
Is this a duplicate of bug 1128242, or do we want to fix both problems (HTTP 401 should be recognised as a successful response in the health check, and the health check should authenticate if configured with credentials)?
A fix requiring that the user has to 'do something' in order to make this work doesn't quite fit our use case. We are deploying an OSE environment with overridden default templates for each cartridge that already contain Basic Authentication. If we require user intervention, then those applications will be created in a broken state. We would like some way of fixing this globally. Satisfactory options here would be: - Simple hard code addition to haproxy.cnf.erb, (very small change, see PR) - Some kind of global config option that would allow admins to set a list of accepted codes - Delegate a subsection of the haproxy.cnf file as a configuration file. Then admins would be able to customized behvior to include expected response, GET uri for healthchk, authentication info, etc.
Note, there is also a trello card for this: https://trello.com/c/0X9wpRLF/225-support-configurable-haproxy-url-response-code-for-status-checks
I have a feeling someone will want to both customize the health check URI and the acceptable response codes. Basically, complete customization of the health check.
Just a note: as implemented, the routing layer will never receive this information and will presumably use the cartridge-specified health check unless otherwise customized. I'm not actually sure how the routing layer even could receive this information. I guess the main use case is setting env vars via the REST API which the broker could theoretically publish, except that AFAIK we don't have an "update_endpoint" event for the routing SPI yet.
http://etherpad.corp.redhat.com/puddle-2-2-2014-10-07
Verified this bug with openshift-origin-cartridge-haproxy-1.27.2-1.git.64.ef6cd67.el6op.noarch Create app using "rhc create-app basicauthtest jbosseap-6 --from-url=https://github.com/etsauer/openshift-quickstart-basic-auth.git -s" Access the url without any auth info input, 401 code will return. And it returns "1" if access /health page.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2014-1796.html