Bug 1989005 - router pod is in CrashLoopBackOff if spec.clientTLS.allowedSubjectPatterns is configured to "*.openshift.com"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.9.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: jechen
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-08-02 09:24 UTC by Hongan Li
Modified: 2022-08-04 22:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:43:46 UTC
Target Upstream Version:
Embargoed:

Links:
Github openshift cluster-ingress-operator pull 643 (last updated 2021-08-17 00:48:51 UTC)
Red Hat Product Errata RHSA-2021:3759 (last updated 2021-10-18 17:43:58 UTC)

Description Hongan Li 2021-08-02 09:24:11 UTC
Description of problem:
router pod is in CrashLoopBackOff if spec.clientTLS.allowedSubjectPatterns is configured to "*.openshift.com"

OpenShift release version:
4.9.0-0.nightly-2021-08-01-132055

Cluster Platform:
AWS

How reproducible:
100%

Steps to Reproduce (in detail):
1. edit ingresscontroller/default as below
spec:
  clientTLS:
    allowedSubjectPatterns:
    - '*.openshift.com'
    clientCA:
      name: test-client-ca
    clientCertificatePolicy: Optional

2.



Actual results:
$ oc -n openshift-ingress logs router-default-75b446bff6-bb6z6
I0802 09:19:58.529496       1 template.go:437] router "msg"="starting router"  "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: dca0c64df1dcc00042218714ed3326fea1d9221e\nversionFromGit: 4.0.0-343-gdca0c64d\ngitTreeState: clean\nbuildDate: 2021-07-30T13:54:05Z\n"
I0802 09:19:58.531999       1 metrics.go:155] metrics "msg"="router health and metrics port listening on HTTP and HTTPS"  "address"="0.0.0.0:1936"
I0802 09:19:58.547116       1 router.go:191] template "msg"="creating a new template router"  "writeDir"="/var/lib/haproxy"
I0802 09:19:58.547223       1 router.go:273] template "msg"="router will coalesce reloads within an interval of each other"  "interval"="5s"
I0802 09:19:58.547588       1 router.go:337] template "msg"="watching for changes"  "path"="/etc/pki/tls/private"
I0802 09:19:58.547694       1 router.go:337] template "msg"="watching for changes"  "path"="/etc/pki/tls/client-ca"
I0802 09:19:58.547776       1 router.go:337] template "msg"="watching for changes"  "path"="/etc/pki/tls/client-ca-crl"
I0802 09:19:58.547836       1 router.go:262] router "msg"="router is including routes in all namespaces"  
E0802 09:19:58.672567       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
E0802 09:19:58.720471       1 limiter.go:165] error reloading router: exit status 1
[NOTICE] 213/091958 (18) : haproxy version is 2.2.15-5e8f49d
[NOTICE] 213/091958 (18) : path to executable is /usr/sbin/haproxy
[ALERT] 213/091958 (18) : parsing [/var/lib/haproxy/conf/haproxy.config:142] : error detected while parsing ACL 'cert_cn_matches' : regex '(?:*.openshift.com)' is invalid (error=nothing to repeat, erroffset=3).
[ALERT] 213/091958 (18) : parsing [/var/lib/haproxy/conf/haproxy.config:143] : error detected while parsing an 'http-request deny' condition : no such ACL : 'cert_cn_matches'.
[ALERT] 213/091958 (18) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
E0802 09:20:03.659815       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
E0802 09:20:03.676073       1 limiter.go:165] error reloading router: exit status 1
[NOTICE] 213/092003 (22) : haproxy version is 2.2.15-5e8f49d
[NOTICE] 213/092003 (22) : path to executable is /usr/sbin/haproxy
[ALERT] 213/092003 (22) : parsing [/var/lib/haproxy/conf/haproxy.config:142] : error detected while parsing ACL 'cert_cn_matches' : regex '(?:*.openshift.com)' is invalid (error=nothing to repeat, erroffset=3).
[ALERT] 213/092003 (22) : parsing [/var/lib/haproxy/conf/haproxy.config:143] : error detected while parsing an 'http-request deny' condition : no such ACL : 'cert_cn_matches'.
[ALERT] 213/092003 (22) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config



Expected results:
router pod should work well

Impact of the problem:


Additional info:



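The ALERT lines above show why the router dies: the generated haproxy.config embeds each allowedSubjectPatterns entry in the cert_cn_matches regex ACL, so a shell-style glob such as `*.openshift.com` becomes a leading `*` with nothing to repeat. The Go program below is an added illustration, not code from cluster-ingress-operator or the router: it compiles each pattern the way the generated config would see it and flags the ones that would break the config before they reach HAProxy. Assumptions: Go's RE2 engine stands in for HAProxy's PCRE (both reject this glob), and the anchored regex `^.*\.openshift\.com$` is a constructed replacement for the glob.

```go
package main

import (
	"fmt"
	"regexp"
)

// ACLRegex mirrors the shape seen in the router log: the pattern is wrapped
// in a non-capturing group before HAProxy parses it.
func ACLRegex(pattern string) string {
	return "(?:" + pattern + ")"
}

// ValidateSubjectPatterns compiles each pattern as HAProxy would see it and
// returns pattern -> error for the entries that would make haproxy.config
// unparseable. Go's RE2 is used as a stand-in for HAProxy's PCRE (assumption).
func ValidateSubjectPatterns(patterns []string) map[string]error {
	bad := map[string]error{}
	for _, p := range patterns {
		if _, err := regexp.Compile(ACLRegex(p)); err != nil {
			bad[p] = err
		}
	}
	return bad
}

// CNMatches reports whether a client certificate CN satisfies at least one
// pattern. Regex ACL matching is a search, not a full-string match, so an
// unanchored pattern would also accept "x.openshift.com.evil.example";
// anchor patterns with ^ and $ when the intent is an exact suffix.
func CNMatches(patterns []string, cn string) (bool, error) {
	for _, p := range patterns {
		re, err := regexp.Compile(ACLRegex(p))
		if err != nil {
			return false, err
		}
		if re.MatchString(cn) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed inputs: the glob from the report and an anchored regex with the same intent.
	broken := []string{"*.openshift.com"}
	fixed := []string{`^.*\.openshift\.com$`}
	fmt.Println("invalid entries:", ValidateSubjectPatterns(broken))
	ok, _ := CNMatches(fixed, "router.openshift.com")
	fmt.Println("router.openshift.com matches fixed pattern:", ok)
}
```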

Comment 2 jechen 2021-08-25 23:47:10 UTC
Verified in 4.9.0-0.nightly-2021-08-25-185404

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-08-25-185404   True        False         10m     Cluster version is 4.9.0-0.nightly-2021-08-25-185404

$ oc -n openshift-ingress get pod
NAME                              READY   STATUS    RESTARTS   AGE
router-default-795d87f7c5-bttnh   1/1     Running   0          109s
router-default-795d87f7c5-w8df7   1/1     Running   0          109s


$ oc -n openshift-ingress-operator edit ingresscontroller/default
ingresscontroller.operator.openshift.io/default edited
<--snip-->
spec:
  clientTLS:
    allowedSubjectPatterns:
    - '*.openshift.com'
    clientCA:
      name: test-client-ca
    clientCertificatePolicy: Optional
<--snip-->

$ oc -n openshift-ingress get pod
NAME                              READY   STATUS    RESTARTS   AGE
router-default-795d87f7c5-bttnh   1/1     Running   0          5m29s
router-default-795d87f7c5-w8df7   1/1     Running   0          5m29s


router pods did not crash with spec.clientTLS.allowedSubjectPatterns set to "*.openshift.com"

Comment 5 errata-xmlrpc 2021-10-18 17:43:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

