Bug 1608759 - [e4DnLX6y] router pod cannot be started if enable mutual-tls-auth but not specify mutual-tls-auth-ca
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.11.0
Assignee: Ram Ranganathan
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-26 09:14 UTC by Hongan Li
Modified: 2022-08-04 22:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-11 07:22:15 UTC
Target Upstream Version:
Embargoed:




Links:
- GitHub pull request: https://github.com/openshift/origin/pull/20476 (last updated 2018-08-01 15:11:52 UTC)
- Red Hat Product Errata: RHBA-2018:2652 (last updated 2018-10-11 07:22:40 UTC)

Description Hongan Li 2018-07-26 09:14:42 UTC
Description of problem:
Router pod cannot be started if mutual-tls-auth is enabled but mutual-tls-auth-ca is not specified.

Version-Release number of selected component (if applicable):
openshift v3.11.0-0.9.0
kubernetes v1.11.0+d4cacc0

How reproducible:
always

Steps to Reproduce:
1. oc adm router test-router --mutual-tls-auth=required

Actual results:
error in router pod logs:
[ALERT] 206/080832 (24) : Proxy 'fe_sni': verify is enabled but no CA file specified for bind '127.0.0.1:10444' at [/var/lib/haproxy/conf/haproxy.config:116].
[ALERT] 206/080832 (24) : Proxy 'fe_sni': verify is enabled but no CA file specified for bind '127.0.0.1:10444' at [/var/lib/haproxy/conf/haproxy.config:116].
[ALERT] 206/080832 (24) : Proxy 'fe_no_sni': verify is enabled but no CA file specified for bind '127.0.0.1:10443' at [/var/lib/haproxy/conf/haproxy.config:166].
[ALERT] 206/080832 (24) : Proxy 'fe_no_sni': verify is enabled but no CA file specified for bind '127.0.0.1:10443' at [/var/lib/haproxy/conf/haproxy.config:166].
[ALERT] 206/080832 (24) : Fatal errors found in configuration.


Expected results:
Router pod should be running if only mutual-tls-auth is enabled, since "mutual-tls-auth-ca" is optional.
See the command help below:
      --mutual-tls-auth='none': Controls access to the router using mutually agreed upon TLS configuration (example
client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.
      --mutual-tls-auth-ca='': Optional path to a file containing one or more CA certificates used for mutual TLS
authentication. The CA certificate[s] are used by the router to verify a client's certificate.


Additional info:
The router pod will be running if the command below is used:
oc adm router test-router --mutual-tls-auth=required --mutual-tls-auth-ca=/root/ca.pem

Comment 1 Ram Ranganathan 2018-07-30 19:37:42 UTC
@hongli good catch - this will need a default value specified. 
The directive seems to be required if verify is specified. 
The router command line option --mutual-tls-auth-ca can still be optional but we will need to change the router template to use a default if the mutual-tls-auth option is set.
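Ram's observation above that HAProxy refuses a bind line with `verify` but no `ca-file` is mechanical enough to check on the rendered haproxy.config before the router pod is started. The following lint is an added example, not code from the bug report, the OpenShift router or HAProxy; the config fragment is constructed to mimic the fe_sni/fe_no_sni bind lines from the alerts in the description, and the certificate paths in it are assumptions.

```python
import re

# Constructed sample modelled on the router's fe_sni / fe_no_sni frontends;
# the crt and ca-file paths are assumptions, not the real router template.
SAMPLE_CONFIG = """\
frontend fe_sni
  bind 127.0.0.1:10444 ssl crt /var/lib/haproxy/router/certs/default.pem verify required
frontend fe_no_sni
  bind 127.0.0.1:10443 ssl crt /var/lib/haproxy/router/certs/default.pem verify required ca-file /var/lib/haproxy/router/ca/ca.pem
"""

SECTION_RE = re.compile(r'^(global|defaults|frontend|listen|backend)\b\s*(\S*)')
BIND_RE = re.compile(r'^bind\s+(\S+)\s*(.*)$')


def lint_bind_verify(config_text):
    """Return (proxy, bind_addr, line_no) for every bind line that sets
    'verify required' or 'verify optional' without a 'ca-file' keyword,
    which is exactly the combination HAProxy rejects as a fatal error."""
    findings = []
    proxy = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:                       # remember which proxy section we are in
            proxy = sec.group(2) or sec.group(1)
            continue
        m = BIND_RE.match(line)
        if not m:
            continue
        addr, opts = m.group(1), m.group(2).split()
        verify_mode, has_ca = 'none', False   # HAProxy's default is 'verify none'
        for i, tok in enumerate(opts):
            if tok == 'verify' and i + 1 < len(opts):
                verify_mode = opts[i + 1]
            elif tok == 'ca-file':
                has_ca = True
        if verify_mode in ('required', 'optional') and not has_ca:
            findings.append((proxy, addr, line_no))
    return findings


def format_alerts(findings, path):
    """Render findings in the wording of HAProxy's own ALERT lines."""
    return ["Proxy '%s': verify is enabled but no CA file specified for bind "
            "'%s' at [%s:%d]." % (p, a, path, n) for p, a, n in findings]


if __name__ == '__main__':
    cfg_path = '/var/lib/haproxy/conf/haproxy.config'
    for msg in format_alerts(lint_bind_verify(SAMPLE_CONFIG), cfg_path):
        print('[ALERT]', msg)
```

Run against the real rendered config, the function flags only fe_sni here because fe_no_sni carries a ca-file, which is the difference between the failing and the working invocation in the description.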

Comment 2 Ram Ranganathan 2018-07-31 00:23:57 UTC
Fixed in PR: https://github.com/openshift/origin/pull/20476

Comment 4 Hongan Li 2018-08-23 08:53:32 UTC
Verified in atomic-openshift-3.11.0-0.20.0.git.0.d80d8ad.el7 and the issue has been fixed.

Comment 6 errata-xmlrpc 2018-10-11 07:22:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652