Description of problem:
OpenShift should perform input validation and check that the key and cert fields are correct when creating a secured route (https://docs.openshift.com/container-platform/3.7/dev_guide/routes.html#creating-routes), and reject route object creation if they are not valid.
Version-Release number of selected component (if applicable):
All OCP versions (3.7, 3.9) and HAProxy (1.5, 1.8)
Steps to Reproduce:
1. Create a route specifying a malformed key or cert () in the secured route YAML definition:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
2. It allows the route object to be created.
3. It doesn't validate the input fields for certs and keys even though they are not correct.
It allows the route object to be created.
To validate input fields for certs and keys in Routes, declining to create a Route object if the input is bad (either an encrypted key or just junk text), rather than creating a badly specified route object, which a Router implementation must then check and decline to implement.
@ramr: Is there a reason we can't make the apiserver validate the route objects? It seems like a reasonable thing to do. But we might want the apiserver to be more tolerant so that different router implementations can support different keys.
@ben: afaicr, we had to do this via an ExtendedValidation controller in the template router. When that work was done, the first/initial version of it did do those checks in the API server (I too felt catching it early is better).
So ... at that point in time, there were a few concerns, mostly around that we don't break backward compatibility. And as a result it was done in a new extended validation controller in the template router. Also some of the validation errors are "point-in-time" related ala may happen post-creation time (ala certificate expiry and revocation lists).
@ram: Ah, right. That makes sense. Thank you.
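The creation-time check requested in the report above (reject an empty PEM block, junk text, or an encrypted key), as an added Go example that is not OpenShift's or the template router's code. `validateRouteTLS` and `constructedPair` are hypothetical names, and the point-in-time checks mentioned in the thread (expiry, revocation) are out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// validateRouteTLS is a hypothetical creation-time check for a route's cert and key fields.
func validateRouteTLS(certPEM, keyPEM string) error {
	kb, _ := pem.Decode([]byte(keyPEM))
	if kb == nil || len(kb.Bytes) == 0 {
		return errors.New("key: no PEM data (junk text or empty block)")
	}
	if strings.Contains(kb.Type, "ENCRYPTED") || strings.Contains(kb.Headers["Proc-Type"], "ENCRYPTED") {
		return errors.New("key: encrypted private keys are not accepted")
	}
	// X509KeyPair parses both inputs and confirms the key matches the leaf certificate.
	if _, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM)); err != nil {
		return fmt.Errorf("key/certificate pair: %w", err)
	}
	return nil
}

// constructedPair builds a throwaway self-signed pair as sample input (errors ignored for brevity).
func constructedPair() (certPEM, keyPEM string) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed.example"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k)
	kd, _ := x509.MarshalPKCS8PrivateKey(k)
	enc := func(typ string, b []byte) string { return string(pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: b})) }
	return enc("CERTIFICATE", der), enc("PRIVATE KEY", kd)
}

func main() {
	cert, key := constructedPair()
	fmt.Println("valid pair:", validateRouteTLS(cert, key))
	fmt.Println("empty key block:", validateRouteTLS(cert, "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"))
}
```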