Bug 1861501 - Ingress-Controller doesn't verify the generated haproxy config on a per-route level, allowing individual routes to break the whole ingress-controller
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
Assignee: aos-network-edge-staff
QA Contact: Hongan Li
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-07-28 19:08 UTC by aaleman
Modified: 2022-08-04 22:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-05 17:00:36 UTC
Target Upstream Version:
Embargoed:



Description aaleman 2020-07-28 19:08:32 UTC
Description of problem:

* In https://bugzilla.redhat.com/show_bug.cgi?id=1861383 we hit a bug where a new HAProxy validation refused a route that worked on an older OCP version
* This resulted in the ingress-controller completely breaking


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
A single route that results in an invalid haproxy config can break the whole ingress-controller

Expected results:

A single route that results in an invalid haproxy config will not work, but will not affect any other routes




Additional info:

Comment 1 Andrew McDermott 2020-07-30 09:51:52 UTC

*** This bug has been marked as a duplicate of bug 1861383 ***

Comment 2 aaleman 2020-07-30 13:16:37 UTC
@Andrew McDermott Why is this marked as duplicate of 1861383? 1861383 is about one concrete bug we found, this one is about limiting the impact of any bug in that area. A single route should never be able to break the ingress-controller.

Comment 3 Andrew McDermott 2020-07-30 14:37:17 UTC
(In reply to aaleman from comment #2)
> @Andrew McDermott Why is this marked as duplicate of 1861383? 1861383 is
> about one concrete bug we found, this one is about limiting the impact of
> any bug in that area. A single route should never be able to break the
> ingress-controller.

(In hindsight) Perhaps I should have done it the other way around.

Verifying the config AOT would fix
https://bugzilla.redhat.com/show_bug.cgi?id=1861383, though I still
need to think how/where that error would be bubbled up.
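
An added example, not part of the original thread and not the router's own code: one way to verify the config ahead of time per route and report the failure against the offending route, as discussed in comments 2 and 3. The `Route` type, `AdmitRoutes`, the `Validator` interface and the sample fragments are assumptions made for illustration; `HAProxyCheck` assumes `haproxy` is on PATH and that the config can be read from `/dev/stdin`.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// Route is one route's generated config fragment (hypothetical shape for this example).
type Route struct{ Name, Fragment string }
// Validator checks one complete candidate configuration.
type Validator func(config string) error

// HAProxyCheck runs HAProxy in check mode (-c); assumes haproxy on PATH and /dev/stdin.
func HAProxyCheck(config string) error {
	cmd := exec.Command("haproxy", "-c", "-f", "/dev/stdin")
	cmd.Stdin = strings.NewReader(config)
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("%w: %s", err, out)
	}
	return nil
}

// AdmitRoutes keeps a fragment only if the whole config still validates with it added.
func AdmitRoutes(base string, routes []Route, check Validator) (string, map[string]error) {
	cfg, rejected := base, map[string]error{}
	for _, r := range routes {
		candidate := cfg + r.Fragment + "\n"
		if err := check(candidate); err != nil {
			rejected[r.Name] = err // surfaced per route; last good config is kept
			continue
		}
		cfg = candidate
	}
	return cfg, rejected
}

func main() {
	// Constructed stand-in validator so the example runs without haproxy installed.
	fake := func(c string) error {
		if strings.Contains(c, "INVALID") {
			return errors.New("constructed parse error")
		}
		return nil
	}
	routes := []Route{{"a", "backend a"}, {"b", "backend b INVALID"}, {"c", "backend c"}}
	fmt.Println(AdmitRoutes("global\n", routes, fake))
}
```

Checking after every fragment costs one validation run per route; the returned map is what would be reported back on each rejected route while the remaining routes stay in the served config.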

Comment 4 Andrew McDermott 2020-07-30 15:14:20 UTC
See also: https://bugzilla.redhat.com/show_bug.cgi?id=1857025

"Creating faulty(bad formatted cert&key) route makes other existing routes inaccessible"

Comment 5 Andrew McDermott 2020-07-30 15:15:06 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with
higher priority/severity, developing new features with higher
priority, or developing new features to improve stability at a macro
level. I will revisit this bug next sprint.

Comment 7 mfisher 2020-08-18 20:01:46 UTC
Target reset from 4.6 to 4.7 while investigation is either ongoing or not yet started.  Will be considered for earlier release versions when diagnosed and resolved.

Comment 8 Andrew McDermott 2020-09-10 11:52:44 UTC
I’m adding UpcomingSprint, because I was occupied by fixing bugs with
higher priority/severity, developing new features with higher
priority, or developing new features to improve stability at a macro
level. I will revisit this bug next sprint.

Comment 9 Andrew McDermott 2020-10-02 17:44:16 UTC
Tagging with UpcomingSprint while investigation is either ongoing or
pending. Will be considered for earlier release versions when
diagnosed and resolved.

Comment 10 Andrew McDermott 2020-10-23 16:04:40 UTC
Tagging with UpcomingSprint while investigation is either ongoing or
pending. Will be considered for earlier release versions when
diagnosed and resolved.

Comment 11 Andrew McDermott 2020-11-16 08:30:52 UTC
Tagging with UpcomingSprint while investigation is either ongoing or
pending. Will be considered for earlier release versions when
diagnosed and resolved.

Comment 12 Andrew McDermott 2020-12-04 16:52:26 UTC
Tagging with UpcomingSprint while investigation is either ongoing or
pending. Will be considered for earlier release versions when
diagnosed and resolved.

Comment 13 Andrew McDermott 2021-02-05 17:00:36 UTC
Close/deferred as will add this to our Jira backlog for enhancements.

Comment 14 Stephen Greene 2021-03-01 18:31:43 UTC
(In reply to Andrew McDermott from comment #13)
> Close/deferred as will add this to our Jira backlog for enhancements.

https://issues.redhat.com/browse/NE-557

