1. Proposed title of this feature request Routes should have the posibility to specify a field passphrase (or refer to a secret) for other router implementations that support this, for example Avi Networks. 3. What is the nature and description of the request? Currently, password protected key files are not supported. HAProxy prompts for a password upon starting and does not have a way to automate this process: https://docs.openshift.com/container-platform/3.7/dev_guide/routes.html#creating-routes Routes should have the posibility to specify a field passphrase (or refer to a secret) for other router implementations that support this, for example Avi Networks. 4. Why does the customer need this? (List the business requirements here) They are using one Avi Network downstream implementation that support this feature. While Avi Networks can re-validate Route configuration and reject bad objects, OpenShift should perform input validation and check that key and cert fields are correct, rejection object creation if not valid. 5. How would the customer like to achieve this? (List the functional requirements here) To HAProxy and hence routes to support password protected key files 6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented. Checking if HAProxy support password protected key files and check that key and cert fields are correct, rejection object route creation if not valid. 10. List any affected packages or components. OCP 3.7 HA-Proxy version 1.5
haproxy doesn't support this well (or really, at all)... you'll get a prompt asking for the key passphrase on the controlling terminal. And that will be incredibly difficult to control. Also, how will they expect this to work? Where will the passphrase be stored? Alongside the key in the route? It will then be written to the storage in the pod just like the keys are, so if someone compromises the pod, they can read the key and the corresponding passphrase. If you can clarify what the attack that they are concerned about is, that might help.
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers. Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant. This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.