Bug 1857023 - Creating faulty(bad formatted cert&key) route makes other existing routes inaccessible
Summary: Creating faulty(bad formatted cert&key) route makes other existing routes ina...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 3.11.0
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
: 4.3.z
Assignee: Miciah Dashiel Butler Masters
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1857022
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-15 00:34 UTC by OpenShift BugZilla Robot
Modified: 2020-09-23 13:53 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-23 13:52:39 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift router pull 152 None closed Bug 1857023: Sanitize TLS config that has key bundled with cert 2020-09-22 13:27:09 UTC
Red Hat Product Errata RHBA-2020:3609 None None None 2020-09-23 13:53:02 UTC

Comment 1 Miciah Dashiel Butler Masters 2020-07-30 08:26:27 UTC
We'll track this 4.3 backport in the upcoming sprint.

Comment 2 Miciah Dashiel Butler Masters 2020-08-21 05:06:49 UTC
The 4.3.z backport is waiting on the 4.4.z backport (bug 1857022).  We'll continue tracking this in the upcoming sprint.

Comment 5 Arvind iyengar 2020-09-11 11:31:25 UTC
The test was performed with "4.3.0-0.nightly-2020-09-10-171754" payload. With this release version, we see the similar to other present y-stream release the router now accepts badly formatted cert/pem file and corrects them as well without any crash or failure:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-09-10-171754   True        False         20m     Cluster version is 4.3.0-0.nightly-2020-09-10-171754

route creation:
$ oc create route edge myroute --port=http --service=service-unsecure --hostname=myroute-test-1.internalapps.oc43-1857023-1109.qe.devcluster.openshift.com  --cert=/home/aiyengar/QE_OC_TASKS/kube-configs/1843856/1843856-bad.pem
route.route.openshift.io/myroute created

$ oc get route myroute -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  creationTimestamp: "2020-09-11T11:22:47Z"
  labels:
    name: service-unsecure
  name: myroute
  namespace: test-1
...
..
spec:
  host: myroute-test-1.internalapps.oc43-1857023-1109.qe.devcluster.openshift.com
  port:
    targetPort: http
  tls:
    certificate: |+
      -----BEGIN CERTIFICATE-----

      MIIGnTCCBYWgAwIBAgITMAABqrxgky5s36Pm5QAAAAGqvDANBgkqhkiG9w0BAQsFADBcMQswCQYD

      VQQGEwJCRTERMA8GA1UEChMIUHJveGltdXMxFTATBgNVBAsTDHByb3hpbXVzLmNvbTEjMCEGA1UE

      nK4M1zl3MdCXc4k0/ZjXEDuDIKWVfiG/RplQ4CtaXTh1ZXiVZDn75X/7jfs=

      -----END CERTIFICATE-----

      -----BEGIN RSA PRIVATE KEY-----

      MIIEowIBAAKCAQEA1zRtfzz4YVQ9lineLvM85bJUEBgzrMECZKr4GyVnZJs/dwYm

      qMNRxC1iNbaRBvuZ4WinTQGG1elbAhVrg23abMlbIScqyrkGGUYKpk2EbJks8mkn
      ZAzCWKsg7fgC+wBMreoQzYRimc4qUwhjpcWmAKwEO9Xgo3I0gRFLATgZPvgBtX0W

      IbzMGlK4fSSLl4OblFP+7cstzlAM2sKsOMDPXo1vAT+x10oik+dO

      -----END RSA PRIVATE KEY-----

    termination: edge

Router logs post the route addition:

$ oc -n openshift-ingress logs router-default-6c57c77f9-wmbvs --tail 10
I0911 11:17:10.686345       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:15.647428       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:20.642233       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:25.664322       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:30.667062       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:36.720674       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0911 11:17:41.700545       1 router.go:548] template "level"=0 "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
E0911 11:22:47.568003       1 limiter.go:140] error reloading router: wait: no child processes
 - Proxy protocol on, checking http://localhost:80 ...
 - Health check ok : 0 retry attempt(s).
-----

Comment 7 errata-xmlrpc 2020-09-23 13:52:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.3.38 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3609


Note You need to log in before you can comment on or make changes to this bug.