Description of problem: OpenShift should perform input validation and check that key and cert fields are correct when creating one secured route-> https://docs.openshift.com/container-platform/3.7/dev_guide/routes.html#creating-routes and reject route object creation if not valid. Version-Release number of selected component (if applicable): All OCP versions (3.7, 3.9) and HAproxy (1.5, 1.8) How reproducible: Always Steps to Reproduce: 1. Create one route specifying one malformed key or cert () in secured route yaml definition: tls: termination: edge key: |- -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- certificate: |- -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- 2. It allows to create route object 3. It doesn't validate input fields for certs and keys despite they are not correct. Actual results: It allows to create route object Expected results: To validate input fields for certs and keys in Routes, declining to create a Route object if the input is bad (either an encrypted key or just junk text), rather than creating a badly specified route object, which a Router implementation must then check and decline to implement. Additional info:
@ramr: Is there a reason we can't make the apiserver validate the route objects? It seems like a reasonable thing to do. But we might want the apiserver to be more tolerant so that different router implementations can support different keys.
@ben: afaicr, we had to do this via an ExtendedValidation controller in the template router. When that work was done, the first/initial version of it did do those checks in the API server (I too felt catching it early is better). So ... at that point in time, there were a few concerns mostly around that we don't break backward compatibility. And as result it was done in a new extended validation controller in the template router. Also some of the validation errors are "point-in-time" related ala may happen post-creation time (ala certificate expiry and revocation lists).
@ram: Ah, right. That makes sense. Thank you.