Bug 1317159 - [RFE] Re-Encryption terminated route should support redirect setting for the access from http to https
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jacob Tanenbaum
QA Contact: zhaozhanqi
Depends On:
Reported: 2016-03-12 15:41 UTC by Kenjiro Nakayama
Modified: 2020-05-14 15:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Re-encryption routes were not correctly supporting redirect access from http to https.
Consequence: It was not possible to set a reencrypt route's insecure termination policy to redirect.
Fix: Edit the haproxy template file to correctly implement redirect as a valid insecure termination policy for redirect routes.
Result: reencrypt routes can be configured to redirect http to https traffic.
Clone Of:
Last Closed: 2017-04-12 19:05:01 UTC
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Github openshift openshift-docs pull 3244 0 None None None 2017-01-11 13:48:58 UTC
Origin (Github) 11953 0 None None None 2017-01-11 13:48:36 UTC
Red Hat Product Errata RHBA-2017:0884 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 22:50:07 UTC

Description Kenjiro Nakayama 2016-03-12 15:41:52 UTC
Description of problem:

- Re-Encryption terminated route should support redirect setting for the access from http to https

Version-Release number of selected component (if applicable):

- (routing)

How reproducible:

1. Set reencrypt with insecureEdgeTerminationPolicy

    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect

2. Get error

"* invalid value 'Redirect', Details: InsecureEdgeTerminationPolicy is only allowed for edge-terminated routes"

Expected results:

- Allow setting "insecureEdgeTerminationPolicy: Redirect" for Re-encryption Termination.
- NOTE: It may be necessary to change the name of "insecureEdgeTerminationPolicy".

Comment 1 Ram Ranganathan 2016-03-14 19:22:39 UTC
@kenjiro-san we could probably still get away with calling it insecureEdgeTerminationPolicy as the term is generic enough that it applies to any requests that get terminated at the edge (which both edge terminated and re-encrypt routes do) - the re-encrypt part applies to encrypting the traffic we send to the backend (pod). 

I agree it's a bit overloaded given our use of edge-terminated routes. But we could spin that as a re-encrypted route is really an edge-terminated route with encrypted traffic to the backends.

The insecureEdgeTerminationPolicy=allow for a re-encrypted route might sound a bit awkward though. And there are also passthrough routes to consider here.

@clayton, any preferences on terminology / thoughts? Thx

Comment 2 Ram Ranganathan 2016-03-14 21:20:03 UTC
Somewhat related to this discussion is also this RFE: https://github.com/openshift/origin/issues/5946

Comment 3 Aleks Lazic 2016-03-28 13:52:16 UTC

I have started to add the possibility for other tls methods to be able to redirect.

The pull request


Do you think this option will be able to reach 3.2?

In case not please can you provide a workaround for the case schema redirect http -> https, thanks.

BR Aleks

Comment 4 Clayton Coleman 2016-04-18 01:10:45 UTC
Given the need for API backcompat I'm ok with repurposing the existing field to cover all types of passthrough.

Comment 9 Troy Dawson 2017-02-09 22:53:31 UTC
This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Comment 11 zhaozhanqi 2017-02-10 02:56:37 UTC
Verified this bug on OCP v3.5.0.18

Reencrypt already supports 'Redirect/Allow'
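
Now that reencrypt routes accept both 'Redirect' and 'Allow', an audit of existing routes shows which ones still answer plain HTTP. The following is an added example, not part of the original report or of OpenShift's code: it classifies routes by `spec.tls.insecureEdgeTerminationPolicy`. It assumes input in the shape of `oc get routes -o json`, treats a missing or empty policy as `None` (insecure traffic disabled) and a route without a `tls` section as HTTP-only; the route names and hosts are constructed.

```python
import json

# Constructed sample in the shape of `oc get routes -o json` (not from the bug report).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "shop"},   "spec": {"host": "shop.example.com",
   "tls": {"termination": "reencrypt", "insecureEdgeTerminationPolicy": "Redirect"}}},
 {"metadata": {"name": "api"},    "spec": {"host": "api.example.com",
   "tls": {"termination": "reencrypt", "insecureEdgeTerminationPolicy": "Allow"}}},
 {"metadata": {"name": "admin"},  "spec": {"host": "admin.example.com",
   "tls": {"termination": "edge"}}},
 {"metadata": {"name": "legacy"}, "spec": {"host": "legacy.example.com"}}
]}
""")


def http_handling(route):
    """Classify what a client connecting over plain HTTP gets from this route."""
    tls = route.get("spec", {}).get("tls")
    if not tls:
        return "plaintext-only"        # no TLS section: the route is served over HTTP
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"
    if policy == "Redirect":
        return "redirect-to-https"
    if policy == "Allow":
        return "plaintext-allowed"     # same host answers on HTTP and HTTPS
    if policy == "None":
        return "http-disabled"
    return "unknown-policy:" + policy  # surface anything unexpected for review


def audit(route_list):
    """Return ({route name: handling}, sorted names that still serve plaintext)."""
    result = {r["metadata"]["name"]: http_handling(r) for r in route_list["items"]}
    exposed = sorted(n for n, h in result.items() if h.startswith("plaintext"))
    return result, exposed


if __name__ == "__main__":
    result, exposed = audit(SAMPLE)
    for name, handling in result.items():
        print(f"{name:8} {handling}")
    print("routes serving plaintext HTTP:", ", ".join(exposed) or "none")
```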

Comment 13 errata-xmlrpc 2017-04-12 19:05:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

