+++ This bug was initially created as a clone of Bug #1428720 +++

Description of problem:
When 'InsecureEdgeTerminationPolicy' is set to 'Allow' for a reencrypt route, the cookie should not be marked 'secure'.

Version-Release number of selected component (if applicable):
openshift v3.5.0.37
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
always

Steps to Reproduce:
1. Create pod/service
2. Create a reencrypt route with 'InsecureEdgeTerminationPolicy' set to 'Allow'
3. Access the route and store the cookie
# curl --resolve reen.example.com:80:10.66.140.17 http://reen.example.com -c cookie
4. Check the cookie
# cat cookie

Actual results:
step 4: the part marked with * is 'TRUE'
# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com FALSE / ***TRUE*** 0 aa8cbbcaffb926b10626caa7909176ee 4650cd02b0c49d73fbff41d387fbe618

Expected results:
it should be 'False'
# cat cookie
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_reen.example.com FALSE / ***FALSE*** 0 aa8cbbcaffb926b10626caa7909176ee 4650cd02b0c49d73fbff41d387fbe618

Additional info:
a check is lacking in the reencrypt part:
{{ if not (matchPattern "true|TRUE" (index $cfg.Annotations "haproxy.router.openshift.io/disable_cookies")) }}
cookie {{$cfg.RoutingKeyName}} insert indirect nocache httponly secure
{{ end }}

--- Additional comment from openshift-github-bot on 2017-03-03 14:57:53 EST ---

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/06cd1d1aae5b64a4b847aa7cbfbacf28200f563c
Fix cookies for reencrypt routes with InsecureEdgeTerminationPolicy "Allow"

currently secure cookies are always generated for reencrypt routes
this changes that to correctly create unsecured cookies when InsecureEdgeTermination policy is "Allow"

Bug 1428720
The fix was merged over from origin
https://github.com/openshift/origin/pull/12802
This has been merged into ocp and is in OCP v3.5.0.52 or newer.
Verified this bug on v3.5.0.52; the cookie will be set 'secure' if it is not an HTTP request for a reencrypt route.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884
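
Steps 3 and 4 of the reproduction can be scripted so the Secure field is checked rather than read by eye. The script below is an added example, not part of the original report or of the OpenShift router code; the function names and the sample jar contents are constructed. It parses a curl cookie jar and treats curl's `#HttpOnly_` lines as cookies rather than comments.

```shell
#!/bin/sh
# Added example: audit the Secure flag in a curl cookie jar (Netscape format).

# Print "<domain> <cookie-name> secure=<flag> httponly=<yes|no>" per cookie.
# Fields are tab-separated: domain, subdomains, path, secure, expiry, name, value.
cookie_flags() {
    awk -F '\t' '
    {
        httponly = "no"
        # curl writes HttpOnly cookies as "#HttpOnly_<domain>"; they look like
        # comments but are real entries, so strip the prefix before filtering.
        if (sub(/^#HttpOnly_/, "")) httponly = "yes"
        if ($0 ~ /^#/ || NF != 7) next
        printf "%s %s secure=%s httponly=%s\n", $1, $6, $4, httponly
    }' "$1"
}

# Succeed only if the jar holds at least one cookie and every cookie's
# Secure flag equals the expected value (TRUE or FALSE).
jar_secure_is() {
    cookie_flags "$1" | awk -v want="secure=$2" '
        { seen = 1; if ($3 != want) bad = 1 }
        END { exit !(seen && !bad) }'
}

# Constructed sample jar (not captured from a real router): one HttpOnly
# cookie for reen.example.com whose Secure flag is the second argument.
write_sample_jar() {
    {
        printf '# Netscape HTTP Cookie File\n'
        printf '# This file was generated by libcurl! Edit at your own risk.\n\n'
        printf '#HttpOnly_reen.example.com\tFALSE\t/\t%s\t0\tconstructed_key\tconstructed_value\n' "$2"
    } > "$1"
}

# Demo: a jar as fetched over plain HTTP from a route with policy "Allow".
jar=$(mktemp)
write_sample_jar "$jar" FALSE
cookie_flags "$jar"
if jar_secure_is "$jar" FALSE; then echo "OK: cookie is not marked secure"; fi
rm -f "$jar"
```

Against a real router, replace the sample jar with the file written by `curl -c` in step 3 and expect FALSE for an HTTP request to a route whose policy is 'Allow'.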