Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1826994

Summary: e2e Coverage for oauth templates
Product: OpenShift Container Platform Reporter: Daneyon Hansen <dhansen>
Component: oauth-apiserverAssignee: Stefan Schimanski <sttts>
Status: CLOSED DUPLICATE QA Contact: Xingxing Xia <xxia>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.5CC: amcdermo, aos-bugs, deads, mfojtik
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-19 08:38:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daneyon Hansen 2020-04-23 00:44:04 UTC 
Description of problem:
BZ 1825354 surfaced because http/2 protocol negotiation was added to cluster ingress in 4.4. In general, we cannot support HTTP/2 ALPN on routes that use the default certificate without risk of connection re-use/coalescing [1] causing problems identified in the BZ. This would have been caught before [2] merged if an e2e test existed that has a client auth against console with oauth templates. This BZ is a request to add such test to avoid similar issues in the future.

Version-Release number of selected component (if applicable):
4.5

How reproducible:
always

Steps to Reproduce:
See BZ 1825354 for details

Actual results:
Console returns a 503 error page instead of the login page.

Expected results:
The console login page.

Additional info:
See [3] for the ingress controller connection logs to see the difference in behavior between successful (HTTP/1.1) and failed (HTTP/2) connections.

[1] https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
[2] https://github.com/openshift/router/pull/75/files
[3] https://gist.github.com/danehans/9bd5109d13d3c55f4c5a4ce76ecdbd6a
Comment 1 David Eads 2020-04-23 12:16:40 UTC 
Can you clarify how templates are involved?  This looks to be a case of router trying to pass http/2 traffic to a backend that does not support http/2.  The oauth-server does not server http/2 at all, so I don't understand why http/2 traffic would get routed to it.
Comment 2 Daneyon Hansen 2020-04-23 21:46:14 UTC 
From the xref's BZ:

In OpenShift 4.4, we enabled HTTP/2 on the frontend for the ingress controller; that is, we allow clients to ask the ingress controller to use HTTP/2, using ALPN.  Because the console and oauth-server are both behind the ingress controller's balancer and are using the same serving certificate (namely the ingress controller's default certificate), a browser might perform connection coalescing[1], meaning the browser re-uses the connection that it used to connect to the console route to connect to the oauth route.  Because we enabled HTTP/2 on the frontend, this means the browser may connect to the console route using HTTP/2 and then re-use the HTTP/2 connection to try to connect to the oauth route, which fails.

In general, we cannot support HTTP/2 ALPN on routes that use the default certificate without risk of connection re-use/coalescing causing problems of this nature.  To unblock this issue, we can disable HTTP/2 on the frontend.  Later on, in order to support HTTP/2, we will need a solution that enables HTTP/2 only for routes that have custom certificates (which should prevent browsers from coalescing connections).

1. https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
Comment 3 Stefan Schimanski 2020-05-19 08:38:45 UTC 
@Daneyon reading #2 in the context of David's #1, do you agree that we can close this BZ? At best, the issue you see is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1727834.

Closing. Please reopen if you disagree.

*** This bug has been marked as a duplicate of bug 1727834 ***