Cause: Re-encrpytion routes were not correctly supporting redirect access from http to https
Consequence: It was not possible to set a reencrypt route's insecure termination policy to redirect
Fix: Edit the haproxy template file to correctly implement redirect as a valid insecure termination policy for redirect routes
Result: reencrypt routes can be configured to redirect http to https traffic
Description of problem:
- Re-Encryption terminated route should support redirect setting for the access from http to https
Version-Release number of selected component (if applicable):
- 126.96.36.199 (routing)
1. Set reencrypt with insecureEdgeTerminationPolicy
2. Get error
"* invalid value 'Redirect', Details: InsecureEdgeTerminationPolicy is only allowed for edge-terminated routes"
- Allow to set "insecureEdgeTerminationPolicy: Redirect" for Re-encryption Termination.
- NOTE: It may be necessary to change the name of "insecureEdgeTerminationPolicy".
@kenjiro-san we could probably still get away with calling it insecureEdgeTerminationPolicy as the term is generic enough that it applies to any requests that get terminated at the edge (which both edge terminated and re-encrypt routes do) - the re-encrypt part applies to encrypting the traffic we send to the backend (pod).
I agree its a bit overloaded given our use of edge-terminated routes. But we could spin that as a re-encrypted route is really an edge-terminated route with encrypted traffic to the backends.
The insecureEdgeTerminationPolicy=allow for a re-encrypted route might sound a bit awkward though. And there is also passthrough routes to consider here.
@clayton, any preferences on terminology / thoughts? Thx
Somewhat related to this discussion is also this RFE: https://github.com/openshift/origin/issues/5946
I have started to add the possibility for other tls methodes to be able to redirect.
The pull request
Do yo think this option will be able to reach 3.2?
In case not please can you provide a workaround for the case schema redirect http -> https, thanks.
Given the need for API backcompat i'm ok with repurposing the existing field to cover all types of passthrough.
Origin PR https://github.com/openshift/origin/pull/11953
docs PR: https://github.com/openshift/openshift-docs/pull/3244
This has been merged into ocp and is in OCP v188.8.131.52 or newer.
Verified this bug on OCP v184.108.40.206
Reencrypt already support 'Redircte/Allow'
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.