Bug 1542711 - Enable router's extended validation by default on new installs
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer (Show other bugs)
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.11.0
Assigned To: Miciah Dashiel Butler Masters
QA Contact: zhaozhanqi
https://github.com/openshift/openshif...
Depends On:
Blocks:
Reported: 2018-02-06 16:12 EST by Miciah Dashiel Butler Masters
Modified: 2018-10-11 03:19 EDT (History)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: The installer now enables the router's extended route validation by default. This validation performs additional validation and sanitization of routes' TLS configuration and certificates.

Version-Release number of selected component (if applicable): 3.11.

Additional info: Extended route validation was added to the router in 3.3 and enhanced with certificate sanitization in 3.6. However, the installer did not previously enable extended route validation.

Reason: Initially we were concerned that the validation might be too strict and reject valid routes and certificates, and so it has been disabled by default. By now, we are sufficiently confident that it is safe to enable by default on new installs.

Result: Extended route validation will be enabled by default on new clusters. It can be disabled by setting openshift_hosted_router_extended_validation=False in the Ansible inventory. Upgrading an existing cluster will *not* enable extended route validation.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-11 03:19:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2652 None None None 2018-10-11 03:19 EDT

Description Miciah Dashiel Butler Masters 2018-02-06 16:12:17 EST
Description of problem:

We should enable the router's extended route validation by setting the appropriate environment variable, EXTENDED_VALIDATION=true, in the router's dc on new installs.


Version-Release number of selected component (if applicable):

We should enable extended validation for 3.10.


Additional info:

Extended route validation was added to the router in 3.3[1] and enhanced with certificate sanitization in 3.6[2].  Initially we were concerned that the validation and sanitization might be too strict and reject valid routes and certificates, and so it has been disabled by default.  By now, we are sufficiently confident to enable by default on new installs.

This report concerns new installs only, not upgrades.  However, if at some point we choose to enable it on upgrades, we should run `oadm diagnostics RouteCertificateValidation`[3] in a preflight check before enabling extended validation.


1. 'Add basic validation for route TLS configuration -
   checks that input is "syntactically" valid.'
   https://github.com/openshift/origin/pull/8366

2. 'Sanitize certificates from routes in the router'
   https://github.com/openshift/origin/pull/13897

3. 'Add a diagnostic that runs extended validation on routes' 
   https://github.com/openshift/origin/pull/14819
Comment 1 Miciah Dashiel Butler Masters 2018-04-17 15:58:47 EDT
PR: https://github.com/openshift/openshift-ansible/pull/8008
Comment 2 openshift-github-bot 2018-07-11 13:31:41 EDT
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/4168c35d8b304773a1716bd3395ee488ca2ef765
Enable extended validation of routes by default

Add a new Boolean variable, openshift_hosted_router_extended_validation,
default true, that determines whether to configure the router to perform
extended validation on routes before admitting them.

This commit fixes bug 1542711.

https://bugzilla.redhat.com/show_bug.cgi?id=1542711
Comment 3 Scott Dodson 2018-08-14 17:24:39 EDT
Should be in openshift-ansible-3.11.0-0.15.0
Comment 4 zhaozhanqi 2018-08-15 03:45:43 EDT
Seems this issue has been fixed for a long time. I tested using 'openshift-ansible-3.11.0-0.14.0.git.0.7bd4429None.noarch.rpm' and set up 3.11 OCP. The router default 'EXTENDED_VALIDATION' has been changed to 'true'.

  - name: EXTENDED_VALIDATION
    value: "true"

Verified this bug.
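Because the Doc Text notes that upgrading an existing cluster will not enable extended validation, an operator may want to repeat the check from comment 4 programmatically. The script below is an added example (not part of this bug, openshift-ansible or the router); it walks a router DeploymentConfig exported as JSON and reports, per container, whether EXTENDED_VALIDATION is set to true. The sample dc is constructed, and treating the value as a case-insensitive boolean is an assumption of this example.

```python
"""Report whether a router DeploymentConfig has extended route validation on.

Run against a live cluster with (not executed here):
    oc get dc router -n default -o json > router-dc.json
    python3 check_extended_validation.py router-dc.json
Without an argument, the constructed SAMPLE_DC below is checked instead.
"""
import json
import sys

# Assumption for this example: accept the usual boolean spellings, case-insensitively.
TRUTHY = {"true", "1", "yes"}


def extended_validation_status(dc):
    """Return {container_name: bool} for each container in the dc's pod template.

    A container with no EXTENDED_VALIDATION variable is reported as False; that is
    what a cluster upgraded from an older release looks like, per the Doc Text.
    """
    spec = dc.get("spec", {}).get("template", {}).get("spec", {})
    status = {}
    for container in spec.get("containers", []):
        enabled = False
        for env in container.get("env", []):
            if env.get("name") == "EXTENDED_VALIDATION":
                enabled = str(env.get("value", "")).strip().lower() in TRUTHY
        status[container.get("name", "<unnamed>")] = enabled
    return status


# Constructed sample: the fields of a 3.11 router dc that this check needs,
# matching the env entry quoted in comment 4.
SAMPLE_DC = json.loads("""
{"kind": "DeploymentConfig", "metadata": {"name": "router", "namespace": "default"},
 "spec": {"template": {"spec": {"containers": [
   {"name": "router",
    "env": [{"name": "DEFAULT_CERTIFICATE_DIR", "value": "/etc/pki/tls/private"},
            {"name": "EXTENDED_VALIDATION", "value": "true"}]}]}}}}
""")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            dc = json.load(fh)
    else:
        dc = SAMPLE_DC
    status = extended_validation_status(dc)
    for name, enabled in status.items():
        print(f"{name}: EXTENDED_VALIDATION {'enabled' if enabled else 'NOT enabled'}")
    sys.exit(0 if status and all(status.values()) else 1)
```

The exit status makes the script usable as a preflight step in a pipeline: non-zero means at least one router container would admit routes without extended validation.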
Comment 6 errata-xmlrpc 2018-10-11 03:19:06 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652
