Bug 1827364 - Update IngressController Docs for Http/2 Coalescing Limitations
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.5
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Andrew McDermott
QA Contact: Hongan Li
Reported: 2020-04-23 18:05 UTC by Daneyon Hansen
Modified: 2020-08-31 02:01 UTC (History)
Links
System ID Priority Status Summary Last Updated
Github openshift api pull 654 None closed Bug 1827364: routes/ingress: add documentation for HTTP2 ALPN routes 2020-09-16 18:04:06 UTC
Github openshift cluster-ingress-operator pull 442 None closed Bug 1827364: Bumps deps and ingresscontroller CRD for h2 alpn docs 2020-09-16 18:04:06 UTC

Description Daneyon Hansen 2020-04-23 18:05:53 UTC
Description of problem:
If/when HTTP/2 is re-enabled, the ingresscontroller defaultCertificate API docs should be updated to explain the coalescing limitation. See [1][2] for details.

Version-Release number of selected component (if applicable):
4.4 and greater

How reproducible:
Always

Steps to Reproduce:
1. See [1]

Actual results:
See [1]

Expected results:
See [1]

Additional info:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1825354
[2] https://medium.com/bbc-design-engineering/http-2-is-easy-just-turn-it-on-34baad2d1fb1

Comment 1 Stephen Cuppett 2020-04-23 19:38:21 UTC
Setting target release to current development version (4.5) for investigation. Where fixes (if any) are required/requested for prior versions, cloned BZs will be created when appropriate.

Comment 3 Andrew McDermott 2020-05-27 16:19:44 UTC
Moving to 4.6 as not a release blocker or an upgrade blocker.

Comment 4 Andrew McDermott 2020-06-17 10:08:23 UTC
This is a change for the API docs.

I’m adding UpcomingSprint, because I was occupied by fixing bugs with
higher priority/severity, developing new features with higher
priority, or developing new features to improve stability at a macro
level. I will revisit this bug next sprint.

Comment 5 Andrew McDermott 2020-07-09 12:06:37 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with
higher priority/severity, developing new features with higher
priority, or developing new features to improve stability at a macro
level. I will revisit this bug next sprint.

Comment 6 Andrew McDermott 2020-07-30 10:01:53 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with
higher priority/severity, developing new features with higher
priority, or developing new features to improve stability at a macro
level. I will revisit this bug next sprint.

Comment 9 Hongan Li 2020-08-19 04:52:46 UTC
Should update https://github.com/openshift/cluster-ingress-operator/blob/master/manifests/00-custom-resource-definition.yaml as well?

When running the command "oc explain ingresscontrollers.spec.defaultCertificate" it doesn't contain the HTTP/2 coalescing limitation. See:

$ oc explain ingresscontrollers.spec.defaultCertificate
KIND:     IngressController
VERSION:  operator.openshift.io/v1

RESOURCE: defaultCertificate <Object>

DESCRIPTION:
     defaultCertificate is a reference to a secret containing the default
     certificate served by the ingress controller. When Routes don't specify
     their own certificate, defaultCertificate is used. The secret must contain
     the following keys and data:
     tls.crt: certificate file contents tls.key: key file contents If unset, a
     wildcard certificate is automatically generated and used. The certificate
     is valid for the ingress controller domain (and subdomains) and the
     generated certificate's CA will be automatically integrated with the
     cluster's trust store. The in-use certificate (whether generated or
     user-specified) will be automatically integrated with OpenShift's built-in
     OAuth server.

Comment 10 Daneyon Hansen 2020-08-21 03:26:26 UTC
@Hongan, I just pushed https://github.com/openshift/cluster-ingress-operator/pull/442 to bring the https://github.com/openshift/api/pull/654 changes into ingress operator. https://bugzilla.redhat.com/show_bug.cgi?id=1827364#c9 should pass after PR 654 merges.

Comment 11 Daneyon Hansen 2020-08-21 03:27:44 UTC
Marked UpcomingSprint since it's unlikely that https://github.com/openshift/cluster-ingress-operator/pull/442 merges by tomorrow.

Comment 14 Hongan Li 2020-08-31 02:01:59 UTC
Verified with 4.6.0-0.nightly-2020-08-27-005538 and the issue has been fixed.

$ oc explain ingresscontrollers.spec.defaultCertificate
KIND:     IngressController
VERSION:  operator.openshift.io/v1

RESOURCE: defaultCertificate <Object>

DESCRIPTION:
     defaultCertificate is a reference to a secret containing the default
     certificate served by the ingress controller. When Routes don't specify
     their own certificate, defaultCertificate is used. The secret must contain
     the following keys and data:
     tls.crt: certificate file contents tls.key: key file contents If unset, a
     wildcard certificate is automatically generated and used. The certificate
     is valid for the ingress controller domain (and subdomains) and the
     generated certificate's CA will be automatically integrated with the
     cluster's trust store. If a wildcard certificate is used and shared by
     multiple HTTP/2 enabled routes (which implies ALPN) then clients (i.e.,
     notably browsers) are at liberty to reuse open connections. This means a
     client can reuse a connection to another route and that is likely to fail.
     This behaviour is generally known as connection coalescing. The in-use
     certificate (whether generated or user-specified) will be automatically
     integrated with OpenShift's built-in OAuth server.
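
Added example, not part of the original bug report or of any OpenShift code: a Python check that lists which hosts a client could send over an already open HTTP/2 connection, which is the coalescing condition the new defaultCertificate text describes. It applies the reuse rule from RFC 7540 section 9.1.1 (same IP address, served certificate valid for the other host); the `Route` record, host names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:                 # hypothetical inventory record, not an OpenShift type
    host: str
    address: str             # IP address the host resolves to
    cert_sans: tuple         # dNSName SANs of the certificate served for this host
    http2: bool              # True if ALPN negotiates h2 for this host

def san_matches(san: str, host: str) -> bool:
    """'*' is honoured only as the whole leftmost label and covers one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]

def coalescing_exposure(routes):
    """Map each HTTP/2 host to the other hosts a client may reuse its connection for."""
    exposure = {}
    for src in routes:
        if not src.http2:
            continue         # no h2 connection exists to be reused
        reachable = sorted(
            dst.host for dst in routes
            if dst.host != src.host
            and dst.address == src.address                             # same IP
            and any(san_matches(s, dst.host) for s in src.cert_sans)   # cert covers it
        )
        if reachable:
            exposure[src.host] = reachable
    return exposure

# Constructed sample inventory: one wildcard default certificate, one route
# with its own certificate, one HTTP/1.1-only route, one host on another address.
WILDCARD = ("*.apps.example.com",)
ROUTES = [
    Route("console.apps.example.com", "192.0.2.10", WILDCARD, True),
    Route("api.apps.example.com", "192.0.2.10", WILDCARD, True),
    Route("pay.apps.example.com", "192.0.2.10", ("pay.apps.example.com",), True),
    Route("legacy.apps.example.com", "192.0.2.10", WILDCARD, False),
    Route("shard.apps.example.com", "192.0.2.20", WILDCARD, True),
]

if __name__ == "__main__":
    for host, others in coalescing_exposure(ROUTES).items():
        print(f"{host}: connection may be reused for {', '.join(others)}")
```

In the sample, a connection opened to a wildcard-certificate host can be reused for `pay.apps.example.com` even though that route serves its own certificate, while the reverse is not true because the single-name certificate covers no other host.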

