Description of problem:
We should enable the router's extended route validation by setting the appropriate environment variable, EXTENDED_VALIDATION=true, in the router's dc on new installs.
Version-Release number of selected component (if applicable):
We should enable extended validation for 3.10.
Extended route validation was added to the router in 3.3 and enhanced with certificate sanitization in 3.6. Initially we were concerned that the validation and sanitization might be too strict and reject valid routes and certificates, and so it has been disabled by default. By now, we are sufficiently confident to enable by default on new installs.
This report concerns new installs only, not upgrades. However, if at some point we choose to enable it on upgrades, we should run `oadm diagnostics RouteCertificateValidation` in a preflight check before enabling extended validation.
1. 'Add basic validation for route TLS configuration -
checks that input is "syntactically" valid.'
2. 'Sanitize certificates from routes in the router'
3. 'Add a diagnostic that runs extended validation on routes'
Commit pushed to master at https://github.com/openshift/openshift-ansible
Enable extended validation of routes by default
Add a new Boolean variable, openshift_hosted_router_extended_validation,
default true, that determines whether to configure the router to perform
extended validation on routes before admitting them.
This commit fixes bug 1542711.
Should be in openshift-ansible-3.11.0-0.15.0
seems this issue has been fixed for long time. I tested using 'openshift-ansible-3.11.0-0.14.0.git.0.7bd4429None.noarch.rpm' and setup 3.11 OCP. the router default 'EXTENDED_VALIDATION' has been changed to 'true'.
- name: EXTENDED_VALIDATION
83 value: "true"
Verified this bug.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.