Bug 1934773 - Canary client should perform canary probes explicitly over HTTPS (rather than redirect from HTTP)
Summary: Canary client should perform canary probes explicitly over HTTPS (rather than...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Stephen Greene
QA Contact: Hongan Li
Depends On:
Blocks: 1935891
TreeView+ depends on / blocked
Reported: 2021-03-03 19:56 UTC by Stephen Greene
Modified: 2022-11-14 13:33 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Ingress Operator's Canary Check Client sending canary requests over HTTP to load balancers that drop HTTP traffic. Consequence: Ingress operator becomes degraded after canary checks fail. Fix: Instead of relying on a redirect from the router, send canary check requests over HTTPS from the start. Result: Canary checks work for clusters that expose the default ingress controller via a load balancer that drops insecure HTTP traffic.
Clone Of:
Last Closed: 2021-07-27 22:49:27 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-ingress-operator pull 562 0 None closed Bug 1934773: Canary: Perform canary test probes over https 2021-03-29 13:49:51 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:51:00 UTC

Description Stephen Greene 2021-03-03 19:56:45 UTC
Description of problem:
The ingress operator's canary controller periodically probes the canary endpoint over HTTP. The canary route is an edge terminated route that redirects insecure traffic. Some customers, such as one mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1932401, expose the default ingress controller via an external load balancer that drops _all_ traffic to port 80, thus making an http -> https redirect impossible for the canary route.

The canary route should send probe requests over https only to mitigate this issue.

Comment 2 Hongan Li 2021-03-08 02:03:50 UTC
verified with 4.8.0-0.nightly-2021-03-06-055252 and passed.

$ oc version
Client Version: 4.8.0-0.nightly-2021-03-04-014703
Server Version: 4.8.0-0.nightly-2021-03-06-055252
Kubernetes Version: v1.20.0+aa519d9

checked the operator pod logs and found message below:
...Get \"https://canary-openshift-ingress-canary.apps.hongli-pxy.qe.devcluster.openshift.com\":

Comment 5 errata-xmlrpc 2021-07-27 22:49:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.