Bug 1542711 - Enable router's extended validation by default on new installs
Summary: Enable router's extended validation by default on new installs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.11.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: zhaozhanqi
URL: https://github.com/openshift/openshif...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-02-06 21:12 UTC by Miciah Dashiel Butler Masters
Modified: 2018-10-11 07:19 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: The installer now enables the router's extended route validation by default. This validation performs additional validation and sanitization of routes' TLS configuration and certificates. Version-Release number of selected component (if applicable): 3.11. Additional info: Extended route validation was added to the router in 3.3 and enhanced with certificate sanitization in 3.6. However, the installer did not previously enable extended route validation. Reason: Initially we were concerned that the validation might be too strict and reject valid routes and certificates, and so it has been disabled by default. By now, we are sufficiently confident that it is safe to enable by default on new installs. Result: Extended route validation will be enabled by default on new clusters. It can be disabled using by setting openshift_hosted_router_extended_validation=False in the Ansible inventory. Upgrading an existing cluster will *not* enable extended route validation.
Clone Of:
Environment:
Last Closed: 2018-10-11 07:19:06 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2652 None None None 2018-10-11 07:19:41 UTC

Description Miciah Dashiel Butler Masters 2018-02-06 21:12:17 UTC
Description of problem:

We should enable the router's extended route validation by setting the appropriate environment variable, EXTENDED_VALIDATION=true, in the router's dc on new installs.


Version-Release number of selected component (if applicable):

We should enable extended validation for 3.10.


Additional info:

Extended route validation was added to the router in 3.3[1] and enhanced with certificate sanitization in 3.6[2].  Initially we were concerned that the validation and sanitization might be too strict and reject valid routes and certificates, and so it has been disabled by default.  By now, we are sufficiently confident to enable by default on new installs.

This report concerns new installs only, not upgrades.  However, if at some point we choose to enable it on upgrades, we should run `oadm diagnostics RouteCertificateValidation`[3] in a preflight check before enabling extended validation.


1. 'Add basic validation for route TLS configuration -
   checks that input is "syntactically" valid.'
   https://github.com/openshift/origin/pull/8366

2. 'Sanitize certificates from routes in the router'
   https://github.com/openshift/origin/pull/13897

3. 'Add a diagnostic that runs extended validation on routes' 
   https://github.com/openshift/origin/pull/14819

Comment 1 Miciah Dashiel Butler Masters 2018-04-17 19:58:47 UTC
PR: https://github.com/openshift/openshift-ansible/pull/8008

Comment 2 openshift-github-bot 2018-07-11 17:31:41 UTC
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/4168c35d8b304773a1716bd3395ee488ca2ef765
Enable extended validation of routes by default

Add a new Boolean variable, openshift_hosted_router_extended_validation,
default true, that determines whether to configure the router to perform
extended validation on routes before admitting them.

This commit fixes bug 1542711.

https://bugzilla.redhat.com/show_bug.cgi?id=1542711

Comment 3 Scott Dodson 2018-08-14 21:24:39 UTC
Should be in openshift-ansible-3.11.0-0.15.0

Comment 4 zhaozhanqi 2018-08-15 07:45:43 UTC
seems this issue has been fixed for long time. I tested using 'openshift-ansible-3.11.0-0.14.0.git.0.7bd4429None.noarch.rpm' and setup 3.11 OCP. the router default 'EXTENDED_VALIDATION' has been changed to 'true'.

  - name: EXTENDED_VALIDATION
     83           value: "true"

Verified this bug.

Comment 6 errata-xmlrpc 2018-10-11 07:19:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652


Note You need to log in before you can comment on or make changes to this bug.