Description of problem: Parameters are used to customize templates during deployment, and sometimes it's required to provide multiline values as parameters (for example certicate info in PEM format). Currently it is not possible as newlines will be removed/escape by the HTML form Version-Release number of selected component (if applicable): 3.1.1 How reproducible: Always Steps to Reproduce: 1. create a template or edit the default one 2. in the route section set edge TLS termination with parametrized certificates tls: termination: edge caCertificate: ${CACERT} certificate: ${SRVCERT} key: ${SRVKEY} 3. in the parameters section describe the new parameters - description: CA certificate name: CACERT - description: server certificate name: SRVCERT - description: private key name: SRVKEY 4. save the template, go to the web interface and add PEM certificates/keys (generate test ones on selfsignedcertificate.com for example) 5. open the console and check out the generated route Actual results: newlines are removed, certificates are garbled, HAproxy cannot parse the resulting PEM file Expected results: newlines are preserved Additional info: Route documentation confirms that certificates are stored as multiline values: https://access.redhat.com/documentation/en/openshift-enterprise/3.1/architecture/chapter-3-core-concepts#edge-termination This limitation makes it impossible to add certificates by other means than the console.
In order not to pollute #0 I moved examples into a separate comment. Here's a sample self-signed cert I generated: -----BEGIN CERTIFICATE----- MIIC+TCCAeGgAwIBAgIJAPsRUdQKoZ5/MA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV BAMMCGRlbW8ubGFuMB4XDTE2MDIyNjA5MDkyMloXDTI2MDIyMzA5MDkyMlowEzER MA8GA1UEAwwIZGVtby5sYW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDPUPzbZ2oHzuPKYEyzJnMj+peUDDvVhe/2a/Lq5eYADxZ8hJxREWa5Q8tKmyqh XcPWhk0aRiKHk4EPCs5pmwBStXFZfz0MoOJy5wx96rfJetI34om6ei38wU57WsZY uLJAi7Iz4eo0oytLqWiv/epLFNabFqWBG2UpGlL58YT7JdPQbToll44p4elNR2LY StP0d8Yu/k0SnMUlaAwTTgnX3c4ExtZ0zIXPXn3A1nSiUZKqHYTfGisNy7GbHTQC XLYWghfgizL2TxIyX2UlhQkj8sDv/4pMJWxIK0Ut7OhBU7MiLbKlrNxPefQyImCz I8kG5IcJGA9eN0xiDZjBNupxAgMBAAGjUDBOMB0GA1UdDgQWBBSpOZ0SkLLJQmc/ yq3nQBH5siWoezAfBgNVHSMEGDAWgBSpOZ0SkLLJQmc/yq3nQBH5siWoezAMBgNV HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQDKehvgs7J0fHypvfXPz+5iY3bJ ZMMq5jgF+EeMoDP9vC2UKS9akcJEGMIsnkXQdob8TeTtCa7uIkVShnTNvh5Hqp+G 17K9dCInr9z6+Nax7cWiR0oH1T0G2G7WPPaPsp8utVitc4EmlPVKZoNcM3z9iyY7 ioy72viuL2VkBiWSIqwZQ+rnjTb4APGnPSe2bFsABg5fUyIrMdqSXGS3WyQq8CVQ phgOWwJTlcShygkaI52wD8Lo7puTFgPPUcdlO7o8ypODBQM81FizBvrG/B0zhYtr X+wbxXaG/BZqKfklaAiNN6669L0VxIUylOk81xdEJVYibZInXtpBZijPSdV3 -----END CERTIFICATE----- I put it as is into the web form. In the resulting route I see this: tls: caCertificate: '-----BEGIN CERTIFICATE----- MIIC+TCCAeGgAwIBAgIJAPsRUdQKoZ5/MA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV BAMMCGRlbW8ubGFuMB4XDTE2MDIyNjA5MDkyMloXDTI2MDIyMzA5MDkyMlowEzER MA8GA1UEAwwIZGVtby5sYW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDPUPzbZ2oHzuPKYEyzJnMj+peUDDvVhe/2a/Lq5eYADxZ8hJxREWa5Q8tKmyqh XcPWhk0aRiKHk4EPCs5pmwBStXFZfz0MoOJy5wx96rfJetI34om6ei38wU57WsZY uLJAi7Iz4eo0oytLqWiv/epLFNabFqWBG2UpGlL58YT7JdPQbToll44p4elNR2LY StP0d8Yu/k0SnMUlaAwTTgnX3c4ExtZ0zIXPXn3A1nSiUZKqHYTfGisNy7GbHTQC XLYWghfgizL2TxIyX2UlhQkj8sDv/4pMJWxIK0Ut7OhBU7MiLbKlrNxPefQyImCz I8kG5IcJGA9eN0xiDZjBNupxAgMBAAGjUDBOMB0GA1UdDgQWBBSpOZ0SkLLJQmc/ yq3nQBH5siWoezAfBgNVHSMEGDAWgBSpOZ0SkLLJQmc/yq3nQBH5siWoezAMBgNV HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQDKehvgs7J0fHypvfXPz+5iY3bJ ZMMq5jgF+EeMoDP9vC2UKS9akcJEGMIsnkXQdob8TeTtCa7uIkVShnTNvh5Hqp+G 17K9dCInr9z6+Nax7cWiR0oH1T0G2G7WPPaPsp8utVitc4EmlPVKZoNcM3z9iyY7 ioy72viuL2VkBiWSIqwZQ+rnjTb4APGnPSe2bFsABg5fUyIrMdqSXGS3WyQq8CVQ phgOWwJTlcShygkaI52wD8Lo7puTFgPPUcdlO7o8ypODBQM81FizBvrG/B0zhYtr X+wbxXaG/BZqKfklaAiNN' Some newlines are removed and the value is truncated to 1024 bytes. I tried to replace newlines with "\n" but that is rejected by the WebUI: Cannot create route. Route "jenkins" is invalid: tls.certificate: invalid value '-----BEGIN CERTIFICATE-----\\nMIIC+TCCAeG.....', Details: double escaped new lines (\\n) are invalid. Double and triple escapes also fail. When removing all newlines this content seizes to be a PEM formatted file so it can't be used for routes. In any case it is truncated to 1024 characters which makes the certificate corrupted (the above cert is 1089 bytes long and private keys are typically even longer).
We have updated the console to allow the user to flip an input field into a multi-line editing mode (expand/collapse icons) See https://github.com/openshift/origin-web-console/pull/739 This should at least unblock people that want to use certs in parameters from the web console. In the future we hope to have special designations on parameters that say whether a parameter should be displayed as a multiline input so the user won't have to do this manually.
This has been merged into ose and is in OSE v3.4.0.17 or newer.
Checked on OCP v3.4.0.17, now when create on web console, all input boxes for the parameters can be expanded and collapsed. Try to set route cert by passing parameter, the cert can be imported correctly. The bug is fixed, so move it to Verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066
The problem ended up being reintroduced in OpenShift 4. I filed an issue on GitHub: https://github.com/openshift/console/issues/13317.
Also filed https://issues.redhat.com/browse/OCPBUGS-23080.