Bug 1317159 - [RFE] Re-Encryption terminated route should support redirect setting for the access from http to https
[RFE] Re-Encryption terminated route should support redirect setting for the ...
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE (Show other bugs)
3.1.0
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: jtanenba
zhaozhanqi
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-12 10:41 EST by Kenjiro Nakayama
Modified: 2017-07-24 10 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Re-encrpytion routes were not correctly supporting redirect access from http to https Consequence: It was not possible to set a reencrypt route's insecure termination policy to redirect Fix: Edit the haproxy template file to correctly implement redirect as a valid insecure termination policy for redirect routes Result: reencrypt routes can be configured to redirect http to https traffic
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-12 15:05:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Origin (Github) 11953 None None None 2017-01-11 08:48 EST
Github openshift/openshift-docs/pull/3244 None None None 2017-01-11 08:48 EST

  None (edit)
Description Kenjiro Nakayama 2016-03-12 10:41:52 EST
Description of problem:

- Re-Encryption terminated route should support redirect setting for the access from http to https

Version-Release number of selected component (if applicable):

- 3.1.1.6 (routing)

How reproducible:

1. Set reencrypt with insecureEdgeTerminationPolicy

~~~
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
~~~

2. Get error

"* invalid value 'Redirect', Details: InsecureEdgeTerminationPolicy is only allowed for edge-terminated routes"

Expected results:

- Allow to set "insecureEdgeTerminationPolicy: Redirect" for Re-encryption Termination.
- NOTE: It may be necessary to change the name of "insecureEdgeTerminationPolicy".
Comment 1 Ram Ranganathan 2016-03-14 15:22:39 EDT
@kenjiro-san we could probably still get away with calling it insecureEdgeTerminationPolicy as the term is generic enough that it applies to any requests that get terminated at the edge (which both edge terminated and re-encrypt routes do) - the re-encrypt part applies to encrypting the traffic we send to the backend (pod). 

I agree its a bit overloaded given our use of edge-terminated routes. But we could spin that as a re-encrypted route is really an edge-terminated route with encrypted traffic to the backends.

The insecureEdgeTerminationPolicy=allow for a re-encrypted route might sound a bit awkward though. And there is also passthrough routes to consider here.

@clayton, any preferences on terminology / thoughts? Thx
Comment 2 Ram Ranganathan 2016-03-14 17:20:03 EDT
Somewhat related to this discussion is also this RFE: https://github.com/openshift/origin/issues/5946
Comment 3 Aleks Lazic 2016-03-28 09:52:16 EDT
Hi,

I have started to add the possibility for other tls methodes to be able to redirect.

The pull request

https://github.com/openshift/origin/pull/8258

Do yo think this option will be able to reach 3.2?

In case not please can you provide a workaround for the case schema redirect http -> https, thanks.

BR Aleks
Comment 4 Clayton Coleman 2016-04-17 21:10:45 EDT
Given the need for API backcompat i'm ok with repurposing the existing field to cover all types of passthrough.
Comment 9 Troy Dawson 2017-02-09 17:53:31 EST
This has been merged into ocp and is in OCP v3.5.0.18 or newer.
Comment 11 zhaozhanqi 2017-02-09 21:56:37 EST
Verified this bug on OCP v3.5.0.18

Reencrypt already support 'Redircte/Allow'
Comment 13 errata-xmlrpc 2017-04-12 15:05:01 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884

Note You need to log in before you can comment on or make changes to this bug.