We'll track this 4.5 backport in the upcoming sprint.
The PR merge has been introduced in "4.5.0-0.nightly-2020-08-06-215703". With this payload it is noted that an improperly formatted PEM/CERT file containing the crt and the key in one file does not disrupt the router operation with certificate loading errors. The route gets admitted and the specific tls file gets added in the router:
------
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-08-06-215703   True        False         5h54m   Cluster version is 4.5.0-0.nightly-2020-08-06-215703

$ oc create route edge myroute --port=http --service=service-unsecure --hostname=myroute-test-1.internalapps.oc45-0708-1857021.qe.devcluster.openshift.com --cert=/home/aiyengar/QE_OC_TASKS/kube-configs/1843856/1843856-bad.pem

$ oc get route myroute -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  creationTimestamp: "2020-08-10T12:22:30Z"
  labels:
    name: service-unsecure
spec:
  host: myroute-test-1.internalapps.oc45-0708-1857021.qe.devcluster.openshift.com
  port:
    targetPort: http
  tls:
    certificate: |+
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: service-unsecure
    weight: 100
  wildcardPolicy: None
------

* State of router after the addition:
------
$ oc -n openshift-ingress logs deployment/router-default --tail 10
Found 2 pods, using pod/router-default-9cc86d86f-xff87
I0810 12:19:39.544251 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:19:44.508637 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:19:50.025290 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:19:55.004135 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:20:00.000453 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:20:04.999825 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"

sh-4.2$ ls /var/lib/haproxy/router/certs/test-1\:myroute.pem
/var/lib/haproxy/router/certs/test-1:myroute.pem
------

* With non-patched version, the router will simply cease operation causing the disruption:
-----
$ oc -n openshift-ingress logs deployment/router-default --tail 10
Found 2 pods, using pod/router-default-5c668d6797-rws8b
I0810 12:35:46.380978 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:35:51.359067 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:35:57.786903 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:36:02.765645 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:36:07.767021 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:36:12.768601 1 router.go:528] template "msg"="router reloaded" "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
E0810 12:36:56.514201 1 limiter.go:165] error reloading router: exit status 1
[ALERT] 222/123656 (630) : parsing [/var/lib/haproxy/conf/haproxy.config:119] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL certificate file '/var/lib/haproxy/router/certs/test-1:myroute.pem' file does not exist.
[ALERT] 222/123656 (630) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 222/123656 (630) : Fatal errors found in configuration.
-----
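
Added example, not part of the bug report and not the router's own code: a pre-flight check that classifies the PEM blocks in a route's certificate value and flags the combined cert-plus-key layout used in the verification above. The names InspectCertificateField and FieldReport are hypothetical, and the sample PEM bodies are constructed placeholders, not real certificates or keys.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strings"
)

// Constructed sample data: the base64 bodies are placeholders, not real DER.
const certBlock = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
const keyBlock = "-----BEGIN RSA PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"

// FieldReport (hypothetical name) counts the PEM blocks in one certificate field value.
type FieldReport struct {
	Certificates, PrivateKeys int
}

// InspectCertificateField walks every PEM block and classifies it by its type label only.
func InspectCertificateField(data []byte) FieldReport {
	var r FieldReport
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		switch {
		case block.Type == "CERTIFICATE":
			r.Certificates++
		case strings.HasSuffix(block.Type, "PRIVATE KEY"):
			r.PrivateKeys++
		}
	}
	return r
}

// Problems lists reasons to reject the value before it is submitted in a route.
func (r FieldReport) Problems() []string {
	var p []string
	if r.Certificates == 0 {
		p = append(p, "no CERTIFICATE block found")
	}
	if r.PrivateKeys > 0 {
		p = append(p, "private key inside certificate field; move it to spec.tls.key")
	}
	return p
}

func main() {
	fmt.Println(InspectCertificateField([]byte(certBlock + keyBlock)).Problems())
}
```

The check looks only at PEM type labels, so it catches a key pasted into the certificate field without needing to parse either block.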
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.5.6 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3330