Bug 1932649 - Cluster Ingress Operator degrades if external LB redirects http to https because of new "canary" route
Summary: Cluster Ingress Operator degrades if external LB redirects http to https beca...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: All
OS: Linux
Target Milestone: ---
: 4.7.z
Assignee: Stephen Greene
QA Contact: Hongan Li
Depends On: 1932401
TreeView+ depends on / blocked
Reported: 2021-02-24 20:26 UTC by Stephen Greene
Modified: 2022-08-04 22:32 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Exposing the default ingress controller via an external load balancer that redirects all HTTP traffic to HTTPS Consequence: Ingress Canary endpoint checks performed by the ingress operator would fail, which would ultimately cause the ingress cluster operator to become degraded. Fix: Convert the cleartext canary route to an edge encrypted route. Result: The canary route works via HTTPS only load balancers, when insecure traffic is redirected by the load balancer.
Clone Of: 1932401
Last Closed: 2021-03-10 11:24:00 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-ingress-operator pull 558 0 None open [release-4.7] Bug 1932649: Canary: Add edge termination to canary route 2021-02-25 20:57:52 UTC
Red Hat Product Errata RHBA-2021:0678 0 None None None 2021-03-10 11:24:31 UTC

Description Stephen Greene 2021-02-24 20:26:44 UTC
+++ This bug was initially created as a clone of Bug #1932401 +++


in my company we use an external load balancer that redirects HTTP traffic to HTTPS.

During an upgrade from 4.6 to 4.7 the cluster-ingress-operator degraded because it couldn't reach the new canary route in openshift-ingress-canary.

I saw that this canary route is a HTTP route. This won't work in our setup.

I manually added edge termination to this route and immediately the upgrade proceeded.

This is a PR that should add 'edge' termination to the canary route:

Thanks and regards,


Comment 3 Hongan Li 2021-03-04 04:01:19 UTC
verified with 4.7.0-0.nightly-2021-03-04-004412 and passed.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-03-04-004412   True        False         88m     Cluster version is 4.7.0-0.nightly-2021-03-04-004412

$ oc -n openshift-ingress-canary get route
NAME     HOST/PORT                                                                            PATH   SERVICES         PORT   TERMINATION     WILDCARD
canary   canary-openshift-ingress-canary.apps.hongli-47bv.qe.azure.devcluster.openshift.com          ingress-canary   8080   edge/Redirect   None

$ curl -k https://canary-openshift-ingress-canary.apps.hongli-47bv.qe.azure.devcluster.openshift.com 
Hello OpenShift!

$ curl -kL http://canary-openshift-ingress-canary.apps.hongli-47bv.qe.azure.devcluster.openshift.com 
Hello OpenShift!

Comment 6 errata-xmlrpc 2021-03-10 11:24:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.1 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.