Description of problem:
When creating F5 pools, OpenShift uses the "HTTP" health monitor to check pool status (see additional info). Because many web servers respond to an HTTP request even when they are working in HTTPS-only mode, the HTTP monitor still works well in most scenarios. But a node.js web app powered by the Express framework will return "Empty reply from server" when it is expecting HTTPS but receives HTTP; the HTTP monitor then marks the pool as "offline" since there is no response from the endpoints, so the customer eventually cannot access the route via the F5 server.

The suggestion is to use the "tcp" health monitor instead of "http", or to add both "http" and "https" monitors and set the "Availability Requirement" option to "at least 1".

The workaround is to change the monitor manually as above on the F5 web console.

Version-Release number of selected component (if applicable):
openshift v3.4.0.38
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

How reproducible:
always

Steps to Reproduce:
1. oadm router f5router...

2. Create a web app pod which uses the Express web framework (for node.js).

    # oc create -f nodejs-pod.json
    {
      "kind": "Pod",
      "apiVersion": "v1",
      "metadata": {
        "name": "nodejs",
        "labels": {
          "name": "nodejs"
        }
      },
      "spec": {
        "containers": [{
          "name": "nodejs-pod",
          "image": "docker.io/lihongan/nodejs-web-app",
          "ports": [
            {
              "containerPort": 3000
            }
          ]
        }]
      }
    }

3. Create service

    # oc create -f service-secure.json
    {
      "kind": "Service",
      "apiVersion": "v1",
      "metadata": {
        "name": "service-secure"
      },
      "spec": {
        "ports": [
          {
            "name": "https",
            "protocol": "TCP",
            "port": 27443,
            "targetPort": 3000
          }
        ],
        "selector": {
          "name": "nodejs"
        }
      }
    }

4. Create route

    # oc create route passthrough nodejs-route --service=service-secure --hostname=test.example.com

5. Access the route via the F5 server and check the pool status on the F5 web console.

Actual results:
The route is not reachable via the F5 server, and the status of pool "openshift_proj_service-secure" is offline.

The results of curl against the service in the cluster are as below:

    [root@openshift-139 ~]# curl https://172.30.119.24:27443 -k
    Hello World!
    [root@openshift-139 ~]# curl http://172.30.119.24:27443
    curl: (52) Empty reply from server

Expected results:
The route should be reachable via F5 when the endpoints are a node.js Express framework app.

Additional info:

    func (f5 *f5LTM) CreatePool(poolname string) error {
        url := fmt.Sprintf("https://%s/mgmt/tm/ltm/pool", f5.host)

        // The http monitor is still used from the /Common partition.
        // From @Miciah: In the future, we should allow the administrator
        // to specify a different monitor to use.
        payload := f5Pool{
            Mode:    "round-robin",
            Monitor: "/Common/http",
            Name:    poolname,
        }
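The monitor behaviour described in the report, as an added Go example that is not part of the original report or of the OpenShift router code. It assumes a constructed local stub (startTLSOnlyStub, a hypothetical name) that hangs up on plaintext without replying, like the HTTPS-only Express app, and a hypothetical probe function that acts as an "http" monitor when given a request and as a "tcp" monitor when given none.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// startTLSOnlyStub is a constructed stand-in for the HTTPS-only backend: it
// accepts TCP connections but never answers in plaintext ("empty reply").
func startTLSOnlyStub() string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			c.Read(make([]byte, 1)) // wait for the probe's first byte (or its close)
			c.Close()               // then hang up without sending anything
		}
	}()
	return ln.Addr().String()
}

// probe reports whether a pool member looks "up". An empty request models a
// tcp monitor (connect only); otherwise an HTTP status line must come back.
func probe(addr, request string) bool {
	c, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return false
	}
	defer c.Close()
	if request == "" {
		return true
	}
	c.SetDeadline(time.Now().Add(2 * time.Second))
	fmt.Fprint(c, request)
	line, err := bufio.NewReader(c).ReadString('\n')
	return err == nil && strings.HasPrefix(line, "HTTP/")
}

func main() {
	addr := startTLSOnlyStub()
	fmt.Println("http:", probe(addr, "GET / HTTP/1.0\r\n\r\n"), "tcp:", probe(addr, ""))
}
```

The same member is reported down by the plaintext HTTP check and up by the TCP check, which is why the pool goes offline with "/Common/http" while the service itself is healthy.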
Jacob: Can you comment on this and describe what your termination type changes did for pass-through? Perhaps those will address their concerns.
I spoke to Jake and for passthrough we support redirect (not allow). Rajat, what do we need to do to make the F5 support this?
This has been merged into ocp and is in OCP v3.5.0.18 or newer.
Verified in OCP 3.5.0.18 and the issue has been fixed.

version details:
openshift v3.5.0.18+9a5d1aa
ose-f5-router v3.5.0.18 a77b57fd6e93
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884