Bug 1857023 - Creating faulty(bad formatted cert&key) route makes other existing routes inaccessible
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.3.z
Assignee: Miciah Dashiel Butler Masters
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1857022
Blocks:
Reported: 2020-07-15 00:34 UTC by OpenShift BugZilla Robot
Modified: 2022-08-04 22:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-23 13:52:39 UTC
Target Upstream Version:
Embargoed:




Links
Github openshift/router pull 152 (closed): Bug 1857023: Sanitize TLS config that has key bundled with cert (last updated 2020-09-22 13:27:09 UTC)
Red Hat Product Errata RHBA-2020:3609 (last updated 2020-09-23 13:53:02 UTC)

Comment 1 Miciah Dashiel Butler Masters 2020-07-30 08:26:27 UTC
We'll track this 4.3 backport in the upcoming sprint.

Comment 2 Miciah Dashiel Butler Masters 2020-08-21 05:06:49 UTC
The 4.3.z backport is waiting on the 4.4.z backport (bug 1857022).  We'll continue tracking this in the upcoming sprint.

Comment 5 Arvind iyengar 2020-09-11 11:31:25 UTC
The test was performed with the "4.3.0-0.nightly-2020-09-10-171754" payload. With this release version we see that, similar to the other present y-stream releases, the router now accepts badly formatted cert/pem files and corrects them as well, without any crash or failure:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-09-10-171754   True        False         20m     Cluster version is 4.3.0-0.nightly-2020-09-10-171754

route creation:
$ oc create route edge myroute --port=http --service=service-unsecure --hostname=myroute-test-1.internalapps.oc43-1857023-1109.qe.devcluster.openshift.com  --cert=/home/aiyengar/QE_OC_TASKS/kube-configs/1843856/1843856-bad.pem
route.route.openshift.io/myroute created

$ oc get route myroute -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  creationTimestamp: "2020-09-11T11:22:47Z"
  labels:
    name: service-unsecure
  name: myroute
  namespace: test-1
...
..
spec:
  host: myroute-test-1.internalapps.oc43-1857023-1109.qe.devcluster.openshift.com
  port:
    targetPort: http
  tls:
    certificate: |+
      -----BEGIN CERTIFICATE-----

      MIIGnTCCBYWgAwIBAgITMAABqrxgky5s36Pm5QAAAAGqvDANBgkqhkiG9w0BAQsFADBcMQswCQYD

      VQQGEwJCRTERMA8GA1UEChMIUHJveGltdXMxFTATBgNVBAsTDHByb3hpbXVzLmNvbTEjMCEGA1UE

      nK4M1zl3MdCXc4k0/ZjXEDuDIKWVfiG/RplQ4CtaXTh1ZXiVZDn75X/7jfs=

      -----END CERTIFICATE-----

      -----BEGIN RSA PRIVATE KEY-----

      MIIEowIBAAKCAQEA1zRtfzz4YVQ9lineLvM85bJUEBgzrMECZKr4GyVnZJs/dwYm

      qMNRxC1iNbaRBvuZ4WinTQGG1elbAhVrg23abMlbIScqyrkGGUYKpk2EbJks8mkn
      ZAzCWKsg7fgC+wBMreoQzYRimc4qUwhjpcWmAKwEO9Xgo3I0gRFLATgZPvgBtX0W

      IbzMGlK4fSSLl4OblFP+7cstzlAM2sKsOMDPXo1vAT+x10oik+dO

      -----END RSA PRIVATE KEY-----

    termination: edge

Router logs post the route addition:

$ oc -n openshift-ingress logs router-default-6c57c77f9-wmbvs --tail 10
I0911 11:17:10.686345       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:15.647428       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:20.642233       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:25.664322       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:30.667062       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:36.720674       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:41.700545       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
E0911 11:22:47.568003       1 limiter.go:140] error reloading router: wait: no child processes
 - Proxy protocol on, checking http://localhost:80 ...
 - Health check ok : 0 retry attempt(s).
-----
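The route in comment 5 has two defects at once: a blank line after every PEM line, and the RSA private key pasted into spec.tls.certificate with spec.tls.key left empty. The fix linked above (openshift/router pull 152, "Sanitize TLS config that has key bundled with cert") is not reproduced here; what follows is an added example in Go, the router's language, of the kind of normalization that turns such a route into something a proxy can load, plus the checks a sanitizer should make so that one bad route is refused up front instead of being written into a config that breaks every other route. The TLSConfig type, the function names and the self-signed test certificate are this example's own assumptions, not the router's code or a real route's credentials.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TLSConfig holds the certificate and key PEM fields of a route's spec.tls.
// The type and field names are this example's own, not the router's.
type TLSConfig struct {
	Certificate string
	Key         string
}

// SanitizeTLSConfig re-parses every PEM block in cfg, re-encodes it in canonical
// form (64-column base64, no blank lines) and moves a private key that was bundled
// into the certificate field into the key field. Non-PEM data, unexpected block
// types, a missing or surplus key, and a key that does not match the leaf
// certificate are rejected rather than passed on to the proxy.
func SanitizeTLSConfig(cfg TLSConfig) (TLSConfig, error) {
	var certs, keys []string
	for _, f := range []struct{ name, data string }{{"certificate", cfg.Certificate}, {"key", cfg.Key}} {
		rest := []byte(f.data)
		for {
			block, next := pem.Decode(rest) // encoding/pem tolerates blank lines inside the body
			if block == nil {
				break
			}
			rest = next
			canon := string(pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: block.Bytes}))
			switch {
			case strings.HasSuffix(block.Type, "PRIVATE KEY"):
				keys = append(keys, canon)
			case block.Type == "CERTIFICATE":
				certs = append(certs, canon)
			default:
				return TLSConfig{}, fmt.Errorf("%s: unexpected %q PEM block", f.name, block.Type)
			}
		}
		if strings.TrimSpace(string(rest)) != "" {
			return TLSConfig{}, fmt.Errorf("%s: contains data that is not a PEM block", f.name)
		}
	}
	if len(certs) == 0 || len(keys) != 1 {
		return TLSConfig{}, fmt.Errorf("need at least one certificate and exactly one key, got %d and %d", len(certs), len(keys))
	}
	out := TLSConfig{Certificate: strings.Join(certs, ""), Key: keys[0]}
	if _, err := tls.X509KeyPair([]byte(out.Certificate), []byte(out.Key)); err != nil {
		return TLSConfig{}, fmt.Errorf("certificate and key do not match: %w", err)
	}
	return out, nil
}

// newSelfSigned generates a throwaway ECDSA key and self-signed certificate
// (constructed test material, not a real route's credentials).
func newSelfSigned() (certPEM, keyPEM string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"myroute.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a P-256 key we just generated
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})), nil
}

// MangledSample builds a route TLS config shaped like the one in comment 5:
// a blank line after every PEM line and the private key appended to the
// certificate field, with the key field left empty.
func MangledSample() (TLSConfig, error) {
	certPEM, keyPEM, err := newSelfSigned()
	if err != nil {
		return TLSConfig{}, err
	}
	bundle := strings.TrimRight(certPEM+keyPEM, "\n")
	return TLSConfig{Certificate: strings.ReplaceAll(bundle, "\n", "\n\n") + "\n"}, nil
}

func main() {
	cfg, err := MangledSample()
	if err != nil {
		panic(err)
	}
	clean, err := SanitizeTLSConfig(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("key moved out of certificate field; key field now starts with %q\n", strings.SplitN(clean.Key, "\n", 2)[0])
}
```

The important design choice is the final tls.X509KeyPair call: re-encoding fixes the layout, but a route whose key does not belong to its certificate is just as capable of wedging a shared proxy reload, so the sanitizer proves the pair loads before the route is accepted at all.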

Comment 7 errata-xmlrpc 2020-09-23 13:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.3.38 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3609

