Bug 1865784 - Termination type missing in route object for "passthrough" termination policy applied via annotation on ingress objects
Summary: Termination type missing in route object for "passthrough" termination policy...
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.6.0
Assignee: aaleman
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-08-04 07:23 UTC by Arvind iyengar
Modified: 2020-08-27 04:46 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Github openshift openshift-controller-manager pull 128 None closed Bug 1865784: Ingress to route controller: Make setting tls cert based on termination policy 2020-09-08 10:00:20 UTC

Description Arvind iyengar 2020-08-04 07:23:12 UTC
Description of problem:
When setting the "passthrough" termination policy via annotation feature for the ingress object (Jira: NE-359). The ingress and the corresponding route object gets created but the "route" object does not have the "termination type" field set. This as a result cause the route to be unreachable.

Version-Release number of selected component (if applicable):
* 4.6.0-0.nightly-2020-08-03-025909

How reproducible:
* Always when creating ingress object with "passthrough" annotation. 

Steps to Reproduce:
1.Create and deploy ingress resource with "passthrough" annotation: 
----
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-secure
  annotations:
    route.openshift.io/termination: "passthrough"
spec:
  rules:
  - host: service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com
    http:
      paths:
      - backend:
          serviceName: service-secure
          servicePort: 27443

$ oc create -f ingress-passthrough.yaml
ingress.extensions/ingress-secure created
----

2. Check the output of "get" ingress and route commands:
3. Test the connection through the route. 

Actual results:
* The ingress and the corresponding route object gets created but the "termination type" is missing in the route:
----
$ oc get ingress
NAME             CLASS    HOSTS                                                                                 ADDRESS   PORTS   AGE
ingress-secure   <none>   service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com             80      5s

$ oc get route
NAME                   HOST/PORT                                                                                        PATH   SERVICES         PORT    TERMINATION   WILDCARD
ingress-secure-ptmlq   service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com ... 1 more          service-secure   https                 None    <--

$ oc get route ingress-secure-ptmlq -o yaml
spec:
  host: service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com
  port:
    targetPort: https
  to:
    kind: Service
    name: service-secure
    weight: 100
  wildcardPolicy: None
----

Expected results:
The termination type should be present in the route object for the router to identify it as passthrough. Reference to creating a default route object:
-----
$ oc create route passthrough passth --hostname=service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com --service=service-secure
route.route.openshift.io/passth created

$ oc get route
NAME     HOST/PORT                                                                                      PATH   SERVICES         PORT    TERMINATION   WILDCARD
passth   service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com ... 1 more          service-secure   https   passthrough   None

$ oc get route passth -o yaml
spec:
  host: service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com
  port:
    targetPort: https
  tls:
    termination: passthrough <---
  to:
    kind: Service
    name: service-secure
    weight: 100
  wildcardPolicy: None
-----

Comment 1 Daneyon Hansen 2020-08-13 16:39:11 UTC
openshift openshift-controller-manager pull 128 is being worked and Miciah plans to review again.

Comment 2 Miciah Dashiel Butler Masters 2020-08-21 05:11:02 UTC
A fix for the issue is in progress; we'll continue working on it this upcoming sprint.

Comment 5 Arvind iyengar 2020-08-27 04:46:21 UTC
The merge made into "4.6.0-0.nightly-2020-08-26-022604" release version. It is noted that with the fix in place, ingress object with passthrough annotation now works properly and the corresponding route object get created correctly with the "termination" field set:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-08-26-022604   True        False         26m     Cluster version is 4.6.0-0.nightly-2020-08-26-022604

$ cat ingress-passthrough.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-secure
  annotations:
    route.openshift.io/termination: "passthrough"
spec:
  rules:
  - host: service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com
    http:
      paths:
      - backend:
          serviceName: service-secure
          servicePort: 27443

$ oc create -f ingress-passthrough.yaml
ingress.extensions/ingress-secure created

$ oc get ingress
NAME             CLASS    HOSTS                                                                                     ADDRESS   PORTS   AGE
ingress-secure   <none>   service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com             80      12m

$ oc get route
NAME                   HOST/PORT                                                                                            PATH   SERVICES         PORT    TERMINATION            WILDCARD
ingress-secure-przm4   service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com ... 1 more          service-secure   https   passthrough/Redirect   None

$ curl https://service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com/ -k   
Hello-OpenShift-1 https-8443
-----


Note You need to log in before you can comment on or make changes to this bug.