Bug 1410333 - the route should be reachable via F5 when endpoints are node.js Express framework Apps
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Rajat Chopra
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-05 07:40 UTC by Hongan Li
Modified: 2022-08-04 22:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-04-12 19:08:36 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Origin (Github) | 12764 | 0 | None | None | None | 2017-02-06 15:19:05 UTC
Red Hat Product Errata | RHBA-2017:0884 | 0 | normal | SHIPPED_LIVE | Red Hat OpenShift Container Platform 3.5 RPM Release Advisory | 2017-04-12 22:50:07 UTC

Description Hongan Li 2017-01-05 07:40:51 UTC
Description of problem:
When creating F5 pools, OpenShift uses the "HTTP" health monitor to check pool status (see additional info). Because many web servers will respond when they receive an HTTP request even when they are working in HTTPS-only mode, the HTTP monitor still works well in most scenarios. But a node.js web app powered by the Express framework will return "Empty reply from server" when it is expecting HTTPS but receives HTTP; the HTTP monitor will then mark the pool as "offline" since there is no response from the endpoints, so the customer eventually cannot access the route via the F5 server.
The suggestion is to use the "tcp" health monitor instead of "http", or to add both "http" and "https" monitors and set the "Availability Requirement" option to "at least 1".
The workaround is to change the monitor manually as above in the F5 web console.


Version-Release number of selected component (if applicable):
openshift v3.4.0.38
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

How reproducible:
always

Steps to Reproduce:
1. oadm router f5router...
2. Create a web app pod which uses the Express web framework (for node.js).
# oc create -f nodejs-pod.json
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "nodejs",
    "labels": {
      "name": "nodejs"
    }
  },
  "spec": {
    "containers": [{
      "name": "nodejs-pod",
      "image": "docker.io/lihongan/nodejs-web-app",
      "ports": [
        {
          "containerPort": 3000
        }
      ]
    }]
  }
}


3. Create service
# oc create -f service-secure.json
{
    "kind": "Service",
    "apiVersion": "v1",
    "metadata": {
        "name": "service-secure"
    },
    "spec": {
        "ports": [
            {
                "name": "https",
                "protocol": "TCP",
                "port": 27443,
                "targetPort": 3000
            }
        ],
        "selector": {
            "name": "nodejs"
        }
    }
}

4. Create route
# oc create route passthrough nodejs-route --service=service-secure --hostname=test.example.com

5. Access the route via F5 server, check the pool status on F5 web console.

Actual results:
The route is not reachable via the F5 server, and the status of pool "openshift_proj_service-secure" is offline.

The results of curl against the service in the cluster are as below:
[root@openshift-139 ~]# curl https://172.30.119.24:27443 -k
Hello World!
[root@openshift-139 ~]# curl http://172.30.119.24:27443
curl: (52) Empty reply from server

Expected results:
The route should be reachable via F5 when the endpoints are node.js Express framework apps.

Additional info:

func (f5 *f5LTM) CreatePool(poolname string) error {
	url := fmt.Sprintf("https://%s/mgmt/tm/ltm/pool", f5.host)

	// The http monitor is still used from the /Common partition.
	// From @Miciah: In the future, we should allow the administrator
	// to specify a different monitor to use.
	payload := f5Pool{
		Mode:    "round-robin",
		Monitor: "/Common/http",
		Name:    poolname,
	}
	// ... (the rest of CreatePool is not included in the report)
}
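
The failure mode in the description above, reproduced as an added example (not part of the original report or the OpenShift source). `StartTLSOnly` is a constructed local endpoint that answers over TLS and drops plaintext connections without a reply; `Probe` is a hypothetical helper that checks it the way tcp, http and https monitors would.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Probe reports which monitor types (tcp, http, https) would see addr as up.
func Probe(addr string) map[string]bool {
	up := map[string]bool{}
	if c, err := net.DialTimeout("tcp", addr, 2*time.Second); err == nil {
		up["tcp"] = true
		c.Close()
	}
	// Certificate checks are skipped for this liveness probe only (like curl -k).
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	cl := &http.Client{Timeout: 2 * time.Second, Transport: tr}
	for _, scheme := range []string{"http", "https"} {
		if resp, err := cl.Get(scheme + "://" + addr + "/"); err == nil {
			up[scheme] = true // assumption: any HTTP response counts as up
			resp.Body.Close()
		}
	}
	return up
}

// StartTLSOnly runs a constructed TLS-only endpoint on a loopback port.
func StartTLSOnly() string {
	ts := httptest.NewTLSServer(nil) // borrowed only for its self-signed test cert
	ts.Close()
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", ts.TLS)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil { // plaintext input fails here
				c.Read(make([]byte, 4096)) // consume the request
				fmt.Fprint(c, "HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nHello World!")
			}
			c.Close() // non-TLS clients get no reply ("Empty reply from server")
		}
	}()
	return ln.Addr().String() // listener lives until the process exits
}

func main() {
	fmt.Println(Probe(StartTLSOnly()))
}
```

Only the tcp and https probes succeed against this endpoint, which is why a pool monitored with http alone is marked offline while the service itself is healthy.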

Comment 1 Ben Bennett 2017-01-06 15:36:55 UTC
Jacob: Can you comment on this and describe what your termination type changes did for pass-through?  Perhaps those will address their concerns.

Comment 2 Ben Bennett 2017-01-31 15:11:37 UTC
I spoke to Jake and for passthrough we support redirect (not allow).  Rajat, what do we need to do to make the F5 support this?

Comment 4 Troy Dawson 2017-02-08 22:19:14 UTC
This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Comment 6 Hongan Li 2017-02-09 07:14:31 UTC
Verified in OCP 3.5.0.18 and the issue has been fixed.

version details:
openshift v3.5.0.18+9a5d1aa
ose-f5-router   v3.5.0.18   a77b57fd6e93

Comment 8 errata-xmlrpc 2017-04-12 19:08:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884

