Bug 1857021 - Creating a faulty (badly formatted cert&key) route makes other existing routes inaccessible
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.5.z
Assignee: Miciah Dashiel Butler Masters
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1843856
Blocks: 1857022
Reported: 2020-07-15 00:33 UTC by OpenShift BugZilla Robot
Modified: 2022-08-04 22:30 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1857025
Environment:
Last Closed: 2020-08-17 20:05:57 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift router pull 150 0 None closed [release-4.5] Bug 1857021: Sanitize TLS config that has key bundled with cert 2021-02-16 07:26:40 UTC
Red Hat Product Errata RHBA-2020:3330 0 None None None 2020-08-17 20:06:19 UTC

Comment 1 Miciah Dashiel Butler Masters 2020-07-30 08:26:01 UTC
We'll track this 4.5 backport in the upcoming sprint.

Comment 4 Arvind iyengar 2020-08-10 12:50:08 UTC
The PR merge has been introduced in "4.5.0-0.nightly-2020-08-06-215703". With this payload it is noted that an improperly formatted PEM/CERT file containing the crt and the key in one file does not disrupt the router operation with certificate loading errors. The route gets admitted and the specific tls file gets added in the router:
------
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.5.0-0.nightly-2020-08-06-215703   True        False         5h54m   Cluster version is 4.5.0-0.nightly-2020-08-06-215703

$ oc create route edge myroute --port=http --service=service-unsecure --hostname=myroute-test-1.internalapps.oc45-0708-1857021.qe.devcluster.openshift.com   --cert=/home/aiyengar/QE_OC_TASKS/kube-configs/1843856/1843856-bad.pem

$ oc get route myroute -o yaml 
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  creationTimestamp: "2020-08-10T12:22:30Z"
  labels:
    name: service-unsecure
spec:
  host: myroute-test-1.internalapps.oc45-0708-1857021.qe.devcluster.openshift.com
  port:
    targetPort: http
  tls:
    certificate: |+
      -----BEGIN CERTIFICATE-----

      MIIGnTCCBYWgAwIBAgITMAABqrxgky5s36Pm5QAAAAGqvDANBgkqhkiG9w0BAQsFADBcMQswCQYD

      VQQGEwJCRTERMA8GA1UEChMIUHJveGltdXMxFTATBgNVBAsTDHByb3hpbXVzLmNvbTEjMCEGA1UE

      AxMaUHJveGltdXNDb3Jwb3JhdGVJc3N1aW5nQ0EwHhcNMTkxMjE4MTMyNjAyWhcNMjMxMjE3MTMy

      NjAyWjB+MQswCQYDVQQGEwJCRTESMBAGA1UECBMJQnJ1eGVsbGVzMRIwEAYDVQQHEwlCcnV4ZWxs

      ZXMxETAPBgNVBAoTCFByb3hpbXVzMRAwDgYDVQQLEwdhcHA6Q0FTMRAwDgYDVQQLEwdlbnY6SVRU

      MRAwDgYDVQQDEwdjYXMtaXR0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1zRtfzz4

      YVQ9lineLvM85bJUEBgzrMECZKr4GyVnZJs/dwYmqMNRxC1iNbaRBvuZ4WinTQGG1elbAhVrg23a

      bMlbIScqyrkGGUYKpk2EbJks8mknbg7DK3Hzxv+3tkmrPoK9CDi8D4IaA1Z4Bt9QAOEh1gQcs8eY

      D72CY9Y/W3JNXpBTCo/+qt5+bBvZwVcaPikmcUz90EiAcsN68UvcQ/TdhP0lSNbBqB+9r19F5fzP

      Y+PKr7LhgW8RSbL6+a/oku61C2rzC5q5tHZ0jxoHfKzyECqVg77m/pu7WAEiDh3Z1CvTAef2ejoi

      RDEG4f/qASlGjZvc4qZyk3M8aID1UQIDAQABo4IDNDCCAzAwFwYDVR0RBBAwDoIMKi5jYXMtaXR0

      LmJjMB0GA1UdDgQWBBSKprlJES+sEaWsl9BT0o4xCMb+EzAfBgNVHSMEGDAWgBR5Emj+qCgHXLhQ

      YtQjy28phKIenDCCAR4GA1UdHwSCARUwggERMIIBDaCCAQmgggEFhkBodHRwOi8vY3JsYWlhLnBy

      b3hpbXVzLmNvbS9DUkxBSUEvUHJveGltdXNDb3Jwb3JhdGVJc3N1aW5nQ0EuY3JshoHAbGRhcDov

      Ly9DTj1Qcm94aW11c0NvcnBvcmF0ZUlzc3VpbmdDQSxDTj1BMDcyMDUsQ049Q0RQLENOPVB1Ymxp

      YyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9RFMtUk9P

      VCxEQz1ORVQ/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERp

      c3RyaWJ1dGlvblBvaW50MIIBHAYIKwYBBQUHAQEEggEOMIIBCjBMBggrBgEFBQcwAoZAaHR0cDov

      L2NybGFpYS5wcm94aW11cy5jb20vQ1JMQUlBL1Byb3hpbXVzQ29ycG9yYXRlSXNzdWluZ0NBLmNy

      dDCBuQYIKwYBBQUHMAKGgaxsZGFwOi8vL0NOPVByb3hpbXVzQ29ycG9yYXRlSXNzdWluZ0NBLENO

      PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0

      aW9uLERDPURTLVJPT1QsREM9TkVUP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0

      aWZpY2F0aW9uQXV0aG9yaXR5MAsGA1UdDwQEAwIFoDA+BgkrBgEEAYI3FQcEMTAvBicrBgEEAYI3

      FQiGmJdLhIC8aIT5hwOEpMxehq65RIEwhoThUYfBqlgCAWQCAXQwHQYDVR0lBBYwFAYIKwYBBQUH

      AwIGCCsGAQUFBwMBMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwDQYJ

      KoZIhvcNAQELBQADggEBACDJKjSjOB6GxC+qtlIVFckvhPrj3QmoH0l0YbVad4jHDvkOB3AHsfB9

      e4MPGYf8OtRVqNJgNjrbrsEacOMIBPXJ/sTDT+OxMMA+hqUCWrgR4S+Pj52hCcU9+ENP5Wt8PRv3

      kojNbKO+nC6AydKI0E1DX0ZFV3S622ZDKK7oNvMeWGQN4VE+FsCE5La/pTmeoyqk3lwo+NS50aML

      /u6vZUeHkxS3NTsBckuFBi0eAO5Ipi2LwhGAgYDtu0H6R4plTvpsvkgCuNPdTRj+8dm3M+qjTY+f

      nK4M1zl3MdCXc4k0/ZjXEDuDIKWVfiG/RplQ4CtaXTh1ZXiVZDn75X/7jfs=

      -----END CERTIFICATE-----

      -----BEGIN RSA PRIVATE KEY-----

      MIIEowIBAAKCAQEA1zRtfzz4YVQ9lineLvM85bJUEBgzrMECZKr4GyVnZJs/dwYm

      qMNRxC1iNbaRBvuZ4WinTQGG1elbAhVrg23abMlbIScqyrkGGUYKpk2EbJks8mkn

      bg7DK3Hzxv+3tkmrPoK9CDi8D4IaA1Z4Bt9QAOEh1gQcs8eYD72CY9Y/W3JNXpBT

      Co/+qt5+bBvZwVcaPikmcUz90EiAcsN68UvcQ/TdhP0lSNbBqB+9r19F5fzPY+PK

      r7LhgW8RSbL6+a/oku61C2rzC5q5tHZ0jxoHfKzyECqVg77m/pu7WAEiDh3Z1CvT

      Aef2ejoiRDEG4f/qASlGjZvc4qZyk3M8aID1UQIDAQABAoIBAGNhscNVq7p+xaYo

      FZQG/jNxJAL+ujZoN6u3jLY0ksfSLf/QVmAPOx5mevklI1pfLJP82W3la5gzmLSg

      obLjM0CTyELKLKfLxDY9s0NTfvkLz8buqqfXp2fTyuk2RGepI6zNgXBfivF6enra

      HrnFvNN7JD4KThrz7JQwRxvF4CJhEO8eVs0QcgVtVMIEr8y3xy8Fw45EhVm6TYj1

      AaW0Unm/SjYntdctNHWlSN0DiSD5QnMeJAapi/+WHGPeVAJnQdCsnLG1pTYWzh1/

      sf8e6TqlLY/md1a8r0D2KzbjmRzdmlTp7rgft4MlZRRonLCuGIR1PlEgeaBGOpIS

      EcLAZkECgYEA7Q0czsilQwoF+AndYDuaT6mhQ3+dvLgSUcugfMkLlcJHrs1mKVOW

      Zy+JhRYaQgCAT+HqHtatPhBYG3MCfYf35AIDhjaHLtpuLRfaCEoUziM7CJn4GbbN

      XaE+s3HUFE0kvDmdj3IuGotXCxEW5/JQffsSs9I1pAfPxwMsD6eMIckCgYEA6GhD

      BilXsjKx2b+5kxBi3l3YpyZdO/vErIGkviuVguiv/+Lw22bZpueD52S60TDxPYTU

      TMZKMJ+V9Un7lAOaMN92Ns4rsvj7uXLEkmCSJmoQDW9/a8/jDAt6/WJzmTuBy/cb

      j0p655txkM1l85VZWpgnUI6hLkRLGIq3HhiyO0kCgYBstt7HVu2z2RzzrFKCl9Ml

      Rb5XnmdQ7Xo5WRG5KNrPS9JkMH7x5QvNNtfy2TghnOk7uXgNvJanKAfATvaNa5Yc

      U3AaVVeZ/UMaGx47Pv5bq3yfbT2DTXrRvelrkoCY7ugyCppf9xV9xvmccbH3ngGc

      RVFGdtly6MI5mxLR+x0hQQKBgFDLBhnbP3hcdUWMiDfe53AEUe/xv1G9+aY6v4m4

      3xYOTDj5rN+pBpsmOs2zT9qvV/4Z8i/qcxoqMFiAaqwPAIhi9tagn8JtGh1jD4EP

      f19JWeFB1JsnPvgN+aiilCs966Z7diI/MzDW8gjzzrB6SADdijVQECpkZXLXrkcR

      MMy5AoGBALMu5LYEBJ6aRbxavpXd1Z58RzKcTSpDhfzwF+aODYBKuuf8+pZa8gHy

      ZAzCWKsg7fgC+wBMreoQzYRimc4qUwhjpcWmAKwEO9Xgo3I0gRFLATgZPvgBtX0W

      IbzMGlK4fSSLl4OblFP+7cstzlAM2sKsOMDPXo1vAT+x10oik+dO

      -----END RSA PRIVATE KEY-----

    termination: edge
  to:
    kind: Service
    name: service-unsecure
    weight: 100
  wildcardPolicy: None
------

* State of router after the addition: 
------
$ oc -n openshift-ingress logs deployment/router-default --tail 10                
Found 2 pods, using pod/router-default-9cc86d86f-xff87
I0810 12:19:39.544251       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:19:44.508637       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:19:50.025290       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:19:55.004135       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:20:00.000453       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:20:04.999825       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"

sh-4.2$ ls /var/lib/haproxy/router/certs/test-1\:myroute.pem 
/var/lib/haproxy/router/certs/test-1:myroute.pem
------


* With the non-patched version, the router will simply cease operation, causing the disruption:
-----
$ oc -n openshift-ingress logs deployment/router-default --tail 10         
Found 2 pods, using pod/router-default-5c668d6797-rws8b
I0810 12:35:46.380978       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:35:51.359067       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:35:57.786903       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:36:02.765645       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:36:07.767021       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0810 12:36:12.768601       1 router.go:528] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
E0810 12:36:56.514201       1 limiter.go:165] error reloading router: exit status 1
[ALERT] 222/123656 (630) : parsing [/var/lib/haproxy/conf/haproxy.config:119] : 'bind 127.0.0.1:10444' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load SSL certificate file '/var/lib/haproxy/router/certs/test-1:myroute.pem' file does not exist.
[ALERT] 222/123656 (630) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
[ALERT] 222/123656 (630) : Fatal errors found in configuration.
-----
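The verification above shows only the effect of the fix: a route whose certificate field bundles the private key must no longer produce a reload failure that takes every other route down. The following Go program is an added example, not the openshift/router code from the linked PR 150 (whose implementation is not on this page), showing one way to sanitize such input before anything is written to the certs directory: split the PEM blob into CERTIFICATE and private-key blocks, drop anything else, require exactly one key, and confirm with tls.X509KeyPair that the pair actually loads. The function names, the self-signed test-certificate generator and the hostnames are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TLSMaterial is the certificate chain and key after they have been pulled
// apart from a possibly combined PEM bundle. (Hypothetical type for this example.)
type TLSMaterial struct {
	CertPEM []byte // CERTIFICATE blocks only, in the order given
	KeyPEM  []byte // the single private-key block
}

// SanitizeTLS accepts a route's certificate and key fields, either of which
// may carry a bundle of cert and key blocks (the "bad" PEM in the report).
// It keeps CERTIFICATE blocks, keeps exactly one "* PRIVATE KEY" block,
// ignores everything else, and refuses input that does not load as a pair,
// so that nothing unusable is ever referenced from the proxy's cert map.
func SanitizeTLS(certInput, keyInput []byte) (*TLSMaterial, error) {
	m := &TLSMaterial{}
	keyBlocks := 0
	for _, raw := range [][]byte{certInput, keyInput} {
		rest := raw
		for {
			var block *pem.Block
			block, rest = pem.Decode(rest) // tolerant of blank lines between base64 lines
			if block == nil {
				break
			}
			switch {
			case block.Type == "CERTIFICATE":
				m.CertPEM = append(m.CertPEM, pem.EncodeToMemory(block)...)
			case strings.HasSuffix(block.Type, "PRIVATE KEY"):
				keyBlocks++
				m.KeyPEM = pem.EncodeToMemory(block)
			}
			// Any other block type (CRL, parameters, ...) is dropped on the floor.
		}
	}
	if len(m.CertPEM) == 0 {
		return nil, errors.New("no CERTIFICATE block found")
	}
	if keyBlocks != 1 {
		return nil, fmt.Errorf("expected exactly one private key block, found %d", keyBlocks)
	}
	// X509KeyPair parses both sides and checks the key matches the leaf's public key.
	if _, err := tls.X509KeyPair(m.CertPEM, m.KeyPEM); err != nil {
		return nil, fmt.Errorf("certificate and key do not form a valid pair: %w", err)
	}
	return m, nil
}

// NewSelfSignedPEM builds a throwaway ECDSA key and self-signed certificate and
// returns them as ONE blob, cert followed by key, mimicking the malformed
// bundle from the report. Constructed test material, not from the page.
func NewSelfSignedPEM(host string) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	pem.Encode(&buf, &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return buf.Bytes(), nil
}

func main() {
	bundle, err := NewSelfSignedPEM("myroute.example.test") // placeholder hostname
	if err != nil {
		panic(err)
	}
	m, err := SanitizeTLS(bundle, nil)
	if err != nil {
		fmt.Println("route rejected:", err)
		return
	}
	fmt.Printf("cert PEM %d bytes, key PEM %d bytes, ready to write\n", len(m.CertPEM), len(m.KeyPEM))
}
```

The ordering is the point: the check runs before any file is written or referenced. In the unpatched log above, HAProxy's crt-list already pointed at test-1:myroute.pem while the file never reached disk, so a single bad route failed the whole reload. Rejecting the route at admission and leaving the cert map untouched keeps the reload green for every other route.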

Comment 6 errata-xmlrpc 2020-08-17 20:05:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5.6 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3330

