1410333 – the route should be reachable via F5 when endpoints are node.js Express framework Apps

Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.

Bug 1410333 - the route should be reachable via F5 when endpoints are node.js Express framework Apps

Summary: the route should be reachable via F5 when endpoints are node.js Express frame...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Routing
Sub Component:
Version:	3.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Rajat Chopra
QA Contact:	zhaozhanqi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-05 07:40 UTC by Hongan Li
Modified:	2020-04-15 15:03 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-04-12 19:08:36 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Origin (Github)	12764	0	None	None	None	2017-02-06 15:19:05 UTC
Red Hat Product Errata	RHBA-2017:0884	0	normal	SHIPPED_LIVE	Red Hat OpenShift Container Platform 3.5 RPM Release Advisory	2017-04-12 22:50:07 UTC

Description Hongan Li 2017-01-05 07:40:51 UTC

Description of problem:
When creating F5 pools, OpenShift using "HTTP" health monitor to check pool status (see additional info). Because many Web servers will give response when they receiving HTTP request even they working on HTTPS only mode, so the HTTP monitor still works well in most scenarios. But the node.js Web App powered by Express framework will return "Empty reply from server" when it expecting HTTPS but receiving HTTP, then HTTP monitor will mark the pool as "offline" since no response from endpoints, so customer cannot access the route via F5 server eventually.
The suggestion is using "tcp" health monitor instead of "http"; or adding both "http" and "https" monitors and setting "Availability Requirement" option as "at least 1".
The workaround is just changing the monitor manually as above on F5 web console.


Version-Release number of selected component (if applicable):
openshift v3.4.0.38
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

How reproducible:
always

Steps to Reproduce:
1. oadm router f5router...
2. Create a web app pod which using Express web framework (for node.js).
#oc create -f nodejs-pod.json
{
  "kind": "Pod",
  "apiVersion":"v1",
  "metadata": {
        "name": "nodejs",
        "labels": {
                "name": "nodejs"
        }
  },
  "spec": {
      "containers": [{
        "name": "nodejs-pod",
        "image": "docker.io/lihongan/nodejs-web-app",
        "ports": [
          {
            "containerPort": 3000
          }
        ]
      }]
  }
}


3. Create service
#oc create -f service-secure.json
{
    "kind": "Service",
    "apiVersion": "v1",
    "metadata": {
        "name": "service-secure"
    },
    "spec": {
	    "ports": [
	    {
		    "name": "https",
		    "protocol": "TCP",
		    "port": 27443,
		    "targetPort": 3000
	    }
	    ],
	    "selector": {
			    "name": "nodejs"
		    }
    }
}

4. Create route
# oc create route passthrough nodejs-route --service=service-secure --hostname=test.example.com

5. Access the route via F5 server, check the pool status on F5 web console.

Actual results:
the route is not reachable via F5 server, and the status of pool "openshift_proj_service-secure" is offline.

the results of curl service in cluster as below:
[root@openshift-139 ~]# curl https://172.30.119.24:27443 -k
Hello World!
[root@openshift-139 ~]# curl http://172.30.119.24:27443
curl: (52) Empty reply from server

Expected results:
the route should be reachable via F5 when endpoints are node.js Express framework App.

Additional info:

func (f5 *f5LTM) CreatePool(poolname string) error {
	url := fmt.Sprintf("https://%s/mgmt/tm/ltm/pool", f5.host)

	// The http monitor is still used from the /Common partition.
	// From @Miciah: In the future, we should allow the administrator
	// to specify a different monitor to use.
	payload := f5Pool{
		Mode:    "round-robin",
		Monitor: "/Common/http",
		Name:    poolname,
}

Comment 1 Ben Bennett 2017-01-06 15:36:55 UTC

Jacob: Can you comment on this and describe what your termination type changes did for pass-through?  Perhaps those will address their concerns.

Comment 2 Ben Bennett 2017-01-31 15:11:37 UTC

I spoke to Jake and for passthrough we support redirect (not allow).  Rajat, what do we need to do to make the F5 support this?

Comment 4 Troy Dawson 2017-02-08 22:19:14 UTC

This has been merged into ocp and is in OCP v3.5.0.18 or newer.

Comment 6 Hongan Li 2017-02-09 07:14:31 UTC

verified in OCP 3.5.0.18 and the issue has been fixed.

version details:
openshift v3.5.0.18+9a5d1aa
ose-f5-router   v3.5.0.18   a77b57fd6e93

Comment 8 errata-xmlrpc 2017-04-12 19:08:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884

Note You need to log in before you can comment on or make changes to this bug.