1934773 – Canary client should perform canary probes explicitly over HTTPS (rather than redirect from HTTP)

Bug 1934773 - Canary client should perform canary probes explicitly over HTTPS (rather than redirect from HTTP)

Summary: Canary client should perform canary probes explicitly over HTTPS (rather than...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.7
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.8.0
Assignee:	Stephen Greene
QA Contact:	Hongan Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1935891
TreeView+	depends on / blocked

Reported:	2021-03-03 19:56 UTC by Stephen Greene
Modified:	2022-11-14 13:33 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Ingress Operator's Canary Check Client sending canary requests over HTTP to load balancers that drop HTTP traffic. Consequence: Ingress operator becomes degraded after canary checks fail. Fix: Instead of relying on a redirect from the router, send canary check requests over HTTPS from the start. Result: Canary checks work for clusters that expose the default ingress controller via a load balancer that drops insecure HTTP traffic.
Clone Of:
Environment:
Last Closed:	2021-07-27 22:49:27 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift cluster-ingress-operator pull 562	0	None	closed	Bug 1934773: Canary: Perform canary test probes over https	2021-03-29 13:49:51 UTC
Red Hat Product Errata	RHSA-2021:2438	0	None	None	None	2021-07-27 22:51:00 UTC

Description Stephen Greene 2021-03-03 19:56:45 UTC

Description of problem:
The ingress operator's canary controller periodically probes the canary endpoint over HTTP. The canary route is an edge terminated route that redirects insecure traffic. Some customers, such as one mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1932401, expose the default ingress controller via an external load balancer that drops _all_ traffic to port 80, thus making an http -> https redirect impossible for the canary route.

The canary route should send probe requests over https only to mitigate this issue.

Comment 2 Hongan Li 2021-03-08 02:03:50 UTC

verified with 4.8.0-0.nightly-2021-03-06-055252 and passed.

$ oc version
Client Version: 4.8.0-0.nightly-2021-03-04-014703
Server Version: 4.8.0-0.nightly-2021-03-06-055252
Kubernetes Version: v1.20.0+aa519d9


checked the operator pod logs and found message below:
...Get \"https://canary-openshift-ingress-canary.apps.hongli-pxy.qe.devcluster.openshift.com\":

Comment 5 errata-xmlrpc 2021-07-27 22:49:27 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

Note You need to log in before you can comment on or make changes to this bug.