Bug 1615802

Summary: [W21FD0v0] some reencrypt routes can trigger a router reload even though they are in blueprints
Product: OpenShift Container Platform
Reporter: Hongan Li <hongli>
Component: Networking
Assignee: Ram Ranganathan <ramr>
Networking sub component: router
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED CURRENTRELEASE
Docs Contact:
Severity: low
Priority: low
CC: aos-bugs, hongli
Version: 3.11.0
Target Milestone: ---
Target Release: 3.11.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-21 15:23:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
- reen routes (flags: none)

Description Hongan Li 2018-08-14 09:42:16 UTC
Description of problem:
some reencrypt routes can trigger a router reload even though they are in blueprints, but some don't

Version-Release number of selected component (if applicable):
openshift v3.11.0-0.14.0
kubernetes v1.11.0+d4cacc0

How reproducible:
always

Steps to Reproduce:
1. create blueprints project and two reencrypt routes
$ oc new-project blueprints
$ oc create -f blueprints-reen-a.json
$ oc create -f blueprints-reen-b.json

2. enable dynamic changes and set blueprints namespaces.
$ oc set env dc/router ROUTER_HAPROXY_CONFIG_MANAGER=true ROUTER_BLUEPRINT_ROUTE_NAMESPACE=blueprints

3. create your project, pods and svc.
$ oc create -f https://raw.githubusercontent.com/ramr/nodejs-header-echo/master/openshift/dc.json
$ oc create -f https://raw.githubusercontent.com/ramr/nodejs-header-echo/master/openshift/secure-service.json
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/reencrypt/service_secure.json

4. create reencrypt route-a
$ oc create -f test-reen-a.json

5. create reencrypt route-b
$ oc create -f test-reen-b.json

Actual results:
there is no router reload in step 4 but there is a router reload in step 5.

Expected results:
there should be no router reload in both step 4 and step 5.

Additional info:
the 4 route json files are attached; it seems just the length of the certificates is different between a and b.

Comment 1 Hongan Li 2018-08-14 09:45:30 UTC
Created attachment 1475783 [details]
reen routes

Comment 2 Ram Ranganathan 2018-08-14 19:30:45 UTC
@hongli - is this tested with the fix in: https://bugzilla.redhat.com/show_bug.cgi?id=1614727 ?

It might be hitting the same conditions. 

I will also try it out against that branch a wee bit later today. Thx

Comment 3 Ram Ranganathan 2018-08-14 22:52:05 UTC
So I just did a dump in the config manager code of the two different routes that should have matched and the private keys are different.


The first lines are different as well - the blueprint one shows up as:
MIICdw*+qDf

and the route has: 
MIICXQ*/zg5


I think the key has a lot more information than needed - it is getting sanitized
and so ends up being different ... the functional equivalent of this code below:


Example: 
 $ echo -e $(jq '.spec.tls.key' test-reen-b.json | sed 's/"//g' )   > /tmp/key.pem
 $ openssl rsa -in /tmp/key.pem -inform PEM   -outform PEM -out /tmp/newkey.pem
 $ diff /tmp/key.pem /tmp/newkey.pem


Try using the contents of newkey.pem aka:
   $ cat /tmp/newkey.pem   | awk -v ORS='\\n' '1'

as the key for both the blueprint route and your test route and see if that works. 

I'll look at a fix for this ... caveat if possible - maybe we can do it at blueprint add time. Dropping the priority of this bug for now.

Comment 4 Ram Ranganathan 2018-08-15 01:01:18 UTC
Okay, so I figured out a way to do this generically based on whether or not extended validation is enabled - as that is what changes the private key internally.

Fix for this issue is in PR: https://github.com/openshift/origin/pull/20646
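
An added worked example to make the key comparison in comments 3 and 4 concrete. This is illustration code written for this page; it is not the fix in the origin PR and not the router's config manager code. It assumes that the "extra information" in the blueprint key is a PKCS#8 PrivateKeyInfo wrapper (PEM label `PRIVATE KEY`) while `openssl rsa -outform PEM` writes the bare PKCS#1 RSAPrivateKey (label `RSA PRIVATE KEY`); the two encodings carry the same key material but differ as text, which is exactly the situation where a blueprint and a route with the "same" key fail to match. The function names (`tls_key_from_route`, `canonical_key`, `keys_match`) are hypothetical, the RSA numbers are the textbook p=61, q=53 example (constructed, not a usable key), and the route JSON is constructed to mirror the `jq '.spec.tls.key'` extraction in comment 3.

```python
import base64
import json
import re

# Assumption (not stated in the bug): the blueprint key is PKCS#8 wrapped
# ("BEGIN PRIVATE KEY") while `openssl rsa ... -outform PEM` writes the bare
# PKCS#1 RSAPrivateKey ("BEGIN RSA PRIVATE KEY"). Same key, different PEM text.

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def tls_key_from_route(route_json: str) -> str:
    """Return .spec.tls.key from a route JSON document (what the jq call in the bug extracts)."""
    return json.loads(route_json)["spec"]["tls"]["key"]


def pem_to_der(pem: str):
    """Split one PEM block into (label, DER bytes); whitespace inside the body is ignored."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def unwrap_pkcs8(der: bytes) -> bytes:
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, privateKeyAlgorithm SEQUENCE,
    privateKey OCTET STRING, ... }; return the privateKey octets (PKCS#1 DER for RSA)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    _, _version, pos = _read_tlv(body, 0)
    _, _algorithm, pos = _read_tlv(body, pos)
    tag, inner, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return inner


def canonical_key(pem: str) -> bytes:
    """Comparison form: the PKCS#1 RSAPrivateKey DER, whatever the PEM wrapping was."""
    label, der = pem_to_der(pem)
    if label == "PRIVATE KEY":
        return unwrap_pkcs8(der)
    if label == "RSA PRIVATE KEY":
        return der
    raise ValueError(f"unsupported PEM label {label!r}")


def keys_match(pem_a: str, pem_b: str) -> bool:
    """True when both PEMs carry the same RSA key material, regardless of encoding."""
    return canonical_key(pem_a) == canonical_key(pem_b)


# --- constructed sample data (textbook RSA numbers, not a usable key) ---------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v: int) -> bytes:
    # Minimal two's-complement encoding of a non-negative INTEGER (extra 0x00 when the top bit is set).
    return _der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def build_pkcs1(fields) -> bytes:
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }, all INTEGERs."""
    return _der_tlv(0x30, b"".join(_der_int(v) for v in fields))


def wrap_pkcs8(pkcs1: bytes) -> bytes:
    rsa_oid = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
    algorithm = _der_tlv(0x30, rsa_oid + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    return _der_tlv(0x30, _der_int(0) + algorithm + _der_tlv(0x04, pkcs1))


def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


TOY_FIELDS = (0, 3233, 17, 2753, 61, 53, 53, 49, 38)  # n=61*53, e=17, d=2753, dP, dQ, qInv
PKCS1_DER = build_pkcs1(TOY_FIELDS)
BLUEPRINT_KEY_PEM = to_pem("PRIVATE KEY", wrap_pkcs8(PKCS1_DER))  # as a blueprint route might carry it
ROUTE_KEY_PEM = to_pem("RSA PRIVATE KEY", PKCS1_DER)              # what `openssl rsa` writes back out
OTHER_KEY_PEM = to_pem("RSA PRIVATE KEY", build_pkcs1(TOY_FIELDS[:-1] + (39,)))  # qInv altered
# A route object as the attached JSON files carry it: the key is a JSON string with "\n" escapes.
ROUTE_JSON = json.dumps({"kind": "Route", "spec": {"tls": {"termination": "reencrypt", "key": ROUTE_KEY_PEM}}})

if __name__ == "__main__":
    print("PEM text identical:", BLUEPRINT_KEY_PEM == ROUTE_KEY_PEM)                                 # False
    print("key material identical:", keys_match(BLUEPRINT_KEY_PEM, tls_key_from_route(ROUTE_JSON)))  # True
    print("different key matches:", keys_match(BLUEPRINT_KEY_PEM, OTHER_KEY_PEM))                    # False
```

The textual comparison fails for the same reason the `diff /tmp/key.pem /tmp/newkey.pem` in comment 3 shows a difference, while comparing the canonical DER succeeds; the `openssl rsa` round-trip suggested there is the shell equivalent of `canonical_key`, and comment 4 reports that the actual fix normalizes on the router side depending on whether extended validation is enabled.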

Comment 5 Ram Ranganathan 2018-09-04 18:09:07 UTC
@hongli ping. Any updates on the testing on this one? Thx

Comment 6 Hongan Li 2018-09-06 05:26:54 UTC
tested in v3.11.0-0.28.0 and the issue has been fixed.

Hi Ram, please move the bug status to MODIFIED when you have the PR, so I can verify them ASAP next time. thanks.

Comment 7 Hongan Li 2018-09-07 06:00:29 UTC
verified with atomic-openshift-3.11.0-0.28.0.git.0.30d224c.el7.x86_64 and the issue has been fixed.

Comment 8 Luke Meyer 2018-12-21 15:23:07 UTC
Closing bugs that were verified and targeted for GA but for some reason were not picked up by errata. This bug fix should be present in current 3.11 release content.