1542711 – Enable router's extended validation by default on new installs

Bug 1542711 - Enable router's extended validation by default on new installs

Summary: Enable router's extended validation by default on new installs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Installer
Sub Component:
Version:	3.9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	3.11.0
Assignee:	Miciah Dashiel Butler Masters
QA Contact:	zhaozhanqi
Docs Contact:
URL:	https://github.com/openshift/openshif...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-06 21:12 UTC by Miciah Dashiel Butler Masters
Modified:	2018-10-11 07:19 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	Feature: The installer now enables the router's extended route validation by default. This validation performs additional validation and sanitization of routes' TLS configuration and certificates. Version-Release number of selected component (if applicable): 3.11. Additional info: Extended route validation was added to the router in 3.3 and enhanced with certificate sanitization in 3.6. However, the installer did not previously enable extended route validation. Reason: Initially we were concerned that the validation might be too strict and reject valid routes and certificates, and so it has been disabled by default. By now, we are sufficiently confident that it is safe to enable by default on new installs. Result: Extended route validation will be enabled by default on new clusters. It can be disabled using by setting openshift_hosted_router_extended_validation=False in the Ansible inventory. Upgrading an existing cluster will not enable extended route validation.
Clone Of:
Environment:
Last Closed:	2018-10-11 07:19:06 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:2652	0	None	None	None	2018-10-11 07:19:41 UTC

Description Miciah Dashiel Butler Masters 2018-02-06 21:12:17 UTC

Description of problem:

We should enable the router's extended route validation by setting the appropriate environment variable, EXTENDED_VALIDATION=true, in the router's dc on new installs.


Version-Release number of selected component (if applicable):

We should enable extended validation for 3.10.


Additional info:

Extended route validation was added to the router in 3.3[1] and enhanced with certificate sanitization in 3.6[2].  Initially we were concerned that the validation and sanitization might be too strict and reject valid routes and certificates, and so it has been disabled by default.  By now, we are sufficiently confident to enable by default on new installs.

This report concerns new installs only, not upgrades.  However, if at some point we choose to enable it on upgrades, we should run `oadm diagnostics RouteCertificateValidation`[3] in a preflight check before enabling extended validation.


1. 'Add basic validation for route TLS configuration -
   checks that input is "syntactically" valid.'
   https://github.com/openshift/origin/pull/8366

2. 'Sanitize certificates from routes in the router'
   https://github.com/openshift/origin/pull/13897

3. 'Add a diagnostic that runs extended validation on routes' 
   https://github.com/openshift/origin/pull/14819

Comment 1 Miciah Dashiel Butler Masters 2018-04-17 19:58:47 UTC

PR: https://github.com/openshift/openshift-ansible/pull/8008

Comment 2 openshift-github-bot 2018-07-11 17:31:41 UTC

Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/4168c35d8b304773a1716bd3395ee488ca2ef765
Enable extended validation of routes by default

Add a new Boolean variable, openshift_hosted_router_extended_validation,
default true, that determines whether to configure the router to perform
extended validation on routes before admitting them.

This commit fixes bug 1542711.

https://bugzilla.redhat.com/show_bug.cgi?id=1542711

Comment 3 Scott Dodson 2018-08-14 21:24:39 UTC

Should be in openshift-ansible-3.11.0-0.15.0

Comment 4 zhaozhanqi 2018-08-15 07:45:43 UTC

seems this issue has been fixed for long time. I tested using 'openshift-ansible-3.11.0-0.14.0.git.0.7bd4429None.noarch.rpm' and setup 3.11 OCP. the router default 'EXTENDED_VALIDATION' has been changed to 'true'.

  - name: EXTENDED_VALIDATION
     83           value: "true"

Verified this bug.

Comment 6 errata-xmlrpc 2018-10-11 07:19:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652

Note You need to log in before you can comment on or make changes to this bug.