Bug 1843856
| Summary: | Creating faulty(bad formatted cert&key) route makes other existing routes inaccessible | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | agudi |
| Component: | Networking | Assignee: | Miciah Dashiel Butler Masters <mmasters> |
| Networking sub component: | router | QA Contact: | Arvind iyengar <aiyengar> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | unspecified | CC: | aiyengar, amcdermo, aos-bugs, hongli, mmasters, rpalathi |
| Version: | 3.11.0 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.6.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 16:04:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1857021, 1857025 | ||
|
Comment 1
Miciah Dashiel Butler Masters
2020-06-18 19:46:10 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

The PR merge has been introduced in "4.6.0-0.nightly-2020-07-16-005008". With this payload it is noted that an improperly formatted PEM/CERT file containing the crt and the key in one file does not disrupt the router operation with certificate loading errors. The route gets admitted and the specific tls file gets added to the router:
-----
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.6.0-0.nightly-2020-07-16-005008 True False 23h Cluster version is 4.6.0-0.nightly-2020-07-16-005008
$ oc create route edge myroute --port=http --service=service-unsecure --hostname=myroute-test-1.badcerts.oc46-1607-1842742.qe.devcluster.openshift.com --cert=/home/aiyengar/QE_OC_TASKS/kube-configs/1843856/1843856-bad.pem
route.route.openshift.io/myroute created
$ oc get route myroute -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  creationTimestamp: "2020-07-17T05:48:43Z"
  labels:
    name: service-unsecure
spec:
  tls:
    certificate: |+
      -----BEGIN CERTIFICATE-----
      MIIGnTCCBYWgAwIBAgITMAABqrxgky5s36Pm5QAAAAGqvDANBgkqhkiG9w0BAQsFADBcMQswCQYD
      VQQGEwJCRTERMA8GA1UEChMIUHJveGltdXMxFTATBgNVBAsTDHByb3hpbXVzLmNvbTEjMCEGA1UE
      AxMaUHJveGltdXNDb3Jwb3JhdGVJc3N1aW5nQ0EwHhcNMTkxMjE4MTMyNjAyWhcNMjMxMjE3MTMy
      NjAyWjB+MQswCQYDVQQGEwJCRTESMBAGA1UECBMJQnJ1eGVsbGVzMRIwEAYDVQQHEwlCcnV4ZWxs
      ZXMxETAPBgNVBAoTCFByb3hpbXVzMRAwDgYDVQQLEwdhcHA6Q0FTMRAwDgYDVQQLEwdlbnY6SVRU
      MRAwDgYDVQQDEwdjYXMtaXR0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zRtfzz4
      YVQ9lineLvM85bJUEBgzrMECZKr4GyVnZJs/dwYmqMNRxC1iNbaRBvuZ4WinTQGG1elbAhVrg23a
      bMlbIScqyrkGGUYKpk2EbJks8mknbg7DK3Hzxv+3tkmrPoK9CDi8D4IaA1Z4Bt9QAOEh1gQcs8eY
      D72CY9Y/W3JNXpBTCo/+qt5+bBvZwVcaPikmcUz90EiAcsN68UvcQ/TdhP0lSNbBqB+9r19F5fzP
      Y+PKr7LhgW8RSbL6+a/oku61C2rzC5q5tHZ0jxoHfKzyECqVg77m/pu7WAEiDh3Z1CvTAef2ejoi
      RDEG4f/qASlGjZvc4qZyk3M8aID1UQIDAQABo4IDNDCCAzAwFwYDVR0RBBAwDoIMKi5jYXMtaXR0
      LmJjMB0GA1UdDgQWBBSKprlJES+sEaWsl9BT0o4xCMb+EzAfBgNVHSMEGDAWgBR5Emj+qCgHXLhQ
      YtQjy28phKIenDCCAR4GA1UdHwSCARUwggERMIIBDaCCAQmgggEFhkBodHRwOi8vY3JsYWlhLnBy
      b3hpbXVzLmNvbS9DUkxBSUEvUHJveGltdXNDb3Jwb3JhdGVJc3N1aW5nQ0EuY3JshoHAbGRhcDov
      Ly9DTj1Qcm94aW11c0NvcnBvcmF0ZUlzc3VpbmdDQSxDTj1BMDcyMDUsQ049Q0RQLENOPVB1Ymxp
      YyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9RFMtUk9P
      VCxEQz1ORVQ/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERp
      c3RyaWJ1dGlvblBvaW50MIIBHAYIKwYBBQUHAQEEggEOMIIBCjBMBggrBgEFBQcwAoZAaHR0cDov
      L2NybGFpYS5wcm94aW11cy5jb20vQ1JMQUlBL1Byb3hpbXVzQ29ycG9yYXRlSXNzdWluZ0NBLmNy
      dDCBuQYIKwYBBQUHMAKGgaxsZGFwOi8vL0NOPVByb3hpbXVzQ29ycG9yYXRlSXNzdWluZ0NBLENO
      PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0
      aW9uLERDPURTLVJPT1QsREM9TkVUP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0
      aWZpY2F0aW9uQXV0aG9yaXR5MAsGA1UdDwQEAwIFoDA+BgkrBgEEAYI3FQcEMTAvBicrBgEEAYI3
      FQiGmJdLhIC8aIT5hwOEpMxehq65RIEwhoThUYfBqlgCAWQCAXQwHQYDVR0lBBYwFAYIKwYBBQUH
      AwIGCCsGAQUFBwMBMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwDQYJ
      KoZIhvcNAQELBQADggEBACDJKjSjOB6GxC+qtlIVFckvhPrj3QmoH0l0YbVad4jHDvkOB3AHsfB9
      e4MPGYf8OtRVqNJgNjrbrsEacOMIBPXJ/sTDT+OxMMA+hqUCWrgR4S+Pj52hCcU9+ENP5Wt8PRv3
      kojNbKO+nC6AydKI0E1DX0ZFV3S622ZDKK7oNvMeWGQN4VE+FsCE5La/pTmeoyqk3lwo+NS50aML
      /u6vZUeHkxS3NTsBckuFBi0eAO5Ipi2LwhGAgYDtu0H6R4plTvpsvkgCuNPdTRj+8dm3M+qjTY+f
      nK4M1zl3MdCXc4k0/ZjXEDuDIKWVfiG/RplQ4CtaXTh1ZXiVZDn75X/7jfs=
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      (RSA private key material not reproduced on this page)
      -----END RSA PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: service-unsecure
    weight: 100
-----
* State of router after the addition:
----
$ oc -n openshift-ingress logs router-badcerts-6497787bf8-lwwdr -c router
I0717 05:46:18.494905 1 reflector.go:175] Starting reflector *v1.Route (30m0s) from github.com/openshift/router/pkg/router/controller/factory/factory.go:116
I0717 05:46:18.495199 1 reflector.go:175] Starting reflector *v1.Endpoints (30m0s) from github.com/openshift/router/pkg/router/controller/factory/factory.go:116
I0717 05:46:18.651398 1 router.go:546] template "msg"="router reloaded" "output"="[ALERT] 198/054618 (28) : sendmsg()/writev() failed in logger #1: No such file or directory (errno=2)\n - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0717 05:46:23.628108 1 router.go:546] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0717 05:46:28.752646 1 router.go:546] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0717 05:46:33.742070 1 router.go:546] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0717 05:46:38.759042 1 router.go:546] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0717 05:48:43.173573 1 router.go:546] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
$ oc -n openshift-ingress rsh router-badcerts-6497787bf8-lwwdr
Defaulting container name to router.
Use 'oc describe pod/router-badcerts-6497787bf8-lwwdr -n openshift-ingress' to see all of the containers in this pod.
sh-4.2$ cat /var/lib/haproxy/router/certs/
default.pem test-1:myroute.pem
----
* With the non-patched version, the router will simply cease operation, causing the disruption:
-----
$ oc -n openshift-ingress logs router-badcerts-7b87f4bc9d-frxnl -c router
I0717 05:49:19.473713 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
E0717 05:53:23.919959 1 limiter.go:165] error reloading router: exit status 1
[ALERT] 198/055323 (772) : parsing [/var/lib/haproxy/conf/haproxy.config:124] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL certificate file '/var/lib/haproxy/router/certs/test-1:myroute.pem' file does not exist.
[ALERT] 198/055323 (772) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 198/055323 (772) : Fatal errors found in configuration.
$ oc -n openshift-ingress logs router-default-855d8dbf9
I0717 05:49:19.454111 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
E0717 05:53:23.905823 1 limiter.go:165] error reloading router: exit status 1
[ALERT] 198/055323 (1701) : parsing [/var/lib/haproxy/conf/haproxy.config:119] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL certificate file '/var/lib/haproxy/router/certs/test-1:myroute.pem' file does not exist.
[ALERT] 198/055323 (1701) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 198/055323 (1701) : Fatal errors found in configuration.
-----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196
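The failure in the non-patched logs above is worth spelling out: `cert_config.map` referenced `/var/lib/haproxy/router/certs/test-1:myroute.pem`, the file was not there, HAProxy treated that as a fatal configuration error on reload, and every route served by that router went down with it, not just the bad one. The Go program below is an added example, not code from openshift/router or from the fix shipped for this bug. It shows the kind of admission-time check that keeps a malformed certificate/key pair from ever reaching the certs directory, including the cert-and-key-in-one-file input this bug was filed with: strict PEM parsing (no junk between blocks, no truncated block silently skipped by the decoder), a block-count sanity check, and `tls.X509KeyPair` to confirm the key matches the leaf certificate. `ValidateRouteTLS` and `SelfSignedPair` are names chosen here, and the certificates are self-signed fixtures generated at run time for the demonstration, not the certificate from the route above.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ValidateRouteTLS is an admission-style check for a route's tls.certificate and
// tls.key (the key may instead be appended to the certificate text, the one-file
// case from this bug). Only strictly well-formed PEM with at least one CERTIFICATE,
// exactly one private key, and a key matching the leaf certificate passes.
func ValidateRouteTLS(certPEM, keyPEM string) error {
	var certs, keys [][]byte
	rest := []byte(certPEM + "\n" + keyPEM)
	for {
		rest = bytes.TrimLeft(rest, " \t\r\n")
		if len(rest) == 0 {
			break
		}
		if !bytes.HasPrefix(rest, []byte("-----BEGIN ")) {
			return fmt.Errorf("non-PEM data between blocks")
		}
		block, remaining := pem.Decode(rest)
		if block == nil {
			return fmt.Errorf("malformed PEM block (bad base64 or missing END line)")
		}
		// pem.Decode silently skips a broken block when a later one parses; insist
		// that the block it returned is the one starting here.
		if bytes.Count(rest[:len(rest)-len(remaining)], []byte("-----BEGIN ")) != 1 {
			return fmt.Errorf("malformed PEM block skipped by decoder")
		}
		switch {
		case block.Type == "CERTIFICATE":
			certs = append(certs, pem.EncodeToMemory(block))
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			keys = append(keys, pem.EncodeToMemory(block))
		default:
			return fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		rest = remaining
	}
	if len(certs) == 0 {
		return fmt.Errorf("no CERTIFICATE block")
	}
	if len(keys) != 1 {
		return fmt.Errorf("expected exactly one private key, found %d", len(keys))
	}
	// X509KeyPair parses both sides and verifies the key matches the leaf cert.
	if _, err := tls.X509KeyPair(bytes.Join(certs, nil), keys[0]); err != nil {
		return fmt.Errorf("certificate/key pair rejected: %w", err)
	}
	return nil
}

// SelfSignedPair generates a throwaway self-signed ECDSA certificate for host
// (a constructed fixture so the example runs offline, not a real route cert).
func SelfSignedPair(host string) (certPEM, keyPEM string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a fresh P-256 key
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM
}

func main() {
	cert, key := SelfSignedPair("myroute.example.com")
	other, _ := SelfSignedPair("other.example.com")
	for name, in := range map[string][2]string{
		"separate cert and key":     {cert, key},
		"cert and key in one file":  {cert + key, ""},
		"truncated certificate":     {cert[:len(cert)-40], key},
		"key from a different cert": {other, key},
		"junk between blocks":       {cert + "not pem\n" + key, ""},
	} {
		fmt.Printf("%-26s -> %v\n", name, ValidateRouteTLS(in[0], in[1])) // <nil> = accepted
	}
}
```

Run it with `go run`; `<nil>` in the output means the pair was accepted, anything else is the reason it would have been refused. The same check is cheap to run client-side on the files you are about to hand to `oc create route --cert=... --key=...`, which catches a bad file before the route is even submitted; a combined file with the key concatenated after the certificate passes here as long as every block in it is intact.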