1865784 – Termination type missing in route object for "passthrough" termination policy applied via annotation on ingress objects

Bug 1865784 - Termination type missing in route object for "passthrough" termination policy applied via annotation on ingress objects

Summary: Termination type missing in route object for "passthrough" termination policy...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.6.0
Assignee:	aaleman
QA Contact:	Arvind iyengar
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-08-04 07:23 UTC by Arvind iyengar
Modified:	2022-08-04 22:30 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-27 16:23:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift openshift-controller-manager pull 128	0	None	closed	Bug 1865784: Ingress to route controller: Make setting tls cert based on termination policy	2021-01-21 17:56:28 UTC
Red Hat Product Errata	RHBA-2020:4196	0	None	None	None	2020-10-27 16:23:27 UTC

Description Arvind iyengar 2020-08-04 07:23:12 UTC

Description of problem:
When setting the "passthrough" termination policy via annotation feature for the ingress object (Jira: NE-359). The ingress and the corresponding route object gets created but the "route" object does not have the "termination type" field set. This as a result cause the route to be unreachable.

Version-Release number of selected component (if applicable):
* 4.6.0-0.nightly-2020-08-03-025909

How reproducible:
* Always when creating ingress object with "passthrough" annotation. 

Steps to Reproduce:
1.Create and deploy ingress resource with "passthrough" annotation: 
----
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-secure
  annotations:
    route.openshift.io/termination: "passthrough"
spec:
  rules:
  - host: service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com
    http:
      paths:
      - backend:
          serviceName: service-secure
          servicePort: 27443

$ oc create -f ingress-passthrough.yaml
ingress.extensions/ingress-secure created
----

2. Check the output of "get" ingress and route commands:
3. Test the connection through the route. 

Actual results:
* The ingress and the corresponding route object gets created but the "termination type" is missing in the route:
----
$ oc get ingress
NAME             CLASS    HOSTS                                                                                 ADDRESS   PORTS   AGE
ingress-secure   <none>   service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com             80      5s

$ oc get route
NAME                   HOST/PORT                                                                                        PATH   SERVICES         PORT    TERMINATION   WILDCARD
ingress-secure-ptmlq   service-secure-pr-124.internalapps.aiyengar-cioc46-3007.qe.devcluster.openshift.com ... 1 more          service-secure   https                 None    <--

$ oc get route ingress-secure-ptmlq -o yaml
spec:
  host: service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com
  port:
    targetPort: https
  to:
    kind: Service
    name: service-secure
    weight: 100
  wildcardPolicy: None
----

Expected results:
The termination type should be present in the route object for the router to identify it as passthrough. Reference to creating a default route object:
-----
$ oc create route passthrough passth --hostname=service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com --service=service-secure
route.route.openshift.io/passth created

$ oc get route
NAME     HOST/PORT                                                                                      PATH   SERVICES         PORT    TERMINATION   WILDCARD
passth   service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com ... 1 more          service-secure   https   passthrough   None

$ oc get route passth -o yaml
spec:
  host: service-secure-test-1.internalapps.aiyengar-oc46-0308.qe.devcluster.openshift.com
  port:
    targetPort: https
  tls:
    termination: passthrough <---
  to:
    kind: Service
    name: service-secure
    weight: 100
  wildcardPolicy: None
-----

Comment 1 Daneyon Hansen 2020-08-13 16:39:11 UTC

openshift openshift-controller-manager pull 128 is being worked and Miciah plans to review again.

Comment 2 Miciah Dashiel Butler Masters 2020-08-21 05:11:02 UTC

A fix for the issue is in progress; we'll continue working on it this upcoming sprint.

Comment 5 Arvind iyengar 2020-08-27 04:46:21 UTC

The merge made into "4.6.0-0.nightly-2020-08-26-022604" release version. It is noted that with the fix in place, ingress object with passthrough annotation now works properly and the corresponding route object get created correctly with the "termination" field set:
-----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-08-26-022604   True        False         26m     Cluster version is 4.6.0-0.nightly-2020-08-26-022604

$ cat ingress-passthrough.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-secure
  annotations:
    route.openshift.io/termination: "passthrough"
spec:
  rules:
  - host: service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com
    http:
      paths:
      - backend:
          serviceName: service-secure
          servicePort: 27443

$ oc create -f ingress-passthrough.yaml
ingress.extensions/ingress-secure created

$ oc get ingress
NAME             CLASS    HOSTS                                                                                     ADDRESS   PORTS   AGE
ingress-secure   <none>   service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com             80      12m

$ oc get route
NAME                   HOST/PORT                                                                                            PATH   SERVICES         PORT    TERMINATION            WILDCARD
ingress-secure-przm4   service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com ... 1 more          service-secure   https   passthrough/Redirect   None

$ curl https://service-secure-blue-proj1.internalapps.oc46-1865784-patched.qe.devcluster.openshift.com/ -k   
Hello-OpenShift-1 https-8443
-----

Comment 7 errata-xmlrpc 2020-10-27 16:23:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

Note You need to log in before you can comment on or make changes to this bug.