Bug 1989005
| Summary: | router pod goes into CrashLoopBackOff if spec.clientTLS.allowedSubjectPatterns is configured as "*.openshift.com" | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Hongan Li <hongli> |
| Component: | Networking | Assignee: | Miciah Dashiel Butler Masters <mmasters> |
| Networking sub component: | router | QA Contact: | jechen <jechen> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | high | CC: | aos-bugs, jechen, mmasters |
| Version: | 4.9 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-18 17:43:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Verified in 4.9.0-0.nightly-2021-08-25-185404
$ oc get clusterversion
NAME VERSION AVAILABLE PROGRESSING SINCE STATUS
version 4.9.0-0.nightly-2021-08-25-185404 True False 10m Cluster version is 4.9.0-0.nightly-2021-08-25-185404
$ oc -n openshift-ingress get pod
NAME READY STATUS RESTARTS AGE
router-default-795d87f7c5-bttnh 1/1 Running 0 109s
router-default-795d87f7c5-w8df7 1/1 Running 0 109s
$ oc -n openshift-ingress-operator edit ingresscontroller/default
ingresscontroller.operator.openshift.io/default edited
<--snip-->
spec:
  clientTLS:
    allowedSubjectPatterns:
    - '*.openshift.com'
    clientCA:
      name: test-client-ca
    clientCertificatePolicy: Optional
<--snip-->
$ oc -n openshift-ingress get pod
NAME READY STATUS RESTARTS AGE
router-default-795d87f7c5-bttnh 1/1 Running 0 5m29s
router-default-795d87f7c5-w8df7 1/1 Running 0 5m29s
router pods did not crash with spec.clientTLS.allowedSubjectPatterns set to "*.openshift.com"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759
Description of problem:
router pod goes into CrashLoopBackOff if spec.clientTLS.allowedSubjectPatterns is configured as "*.openshift.com"

OpenShift release version:
4.9.0-0.nightly-2021-08-01-132055

Cluster Platform:
AWS

How reproducible:
100%

Steps to Reproduce (in detail):
1. edit ingresscontroller/default as below
spec:
  clientTLS:
    allowedSubjectPatterns:
    - '*.openshift.com'
    clientCA:
      name: test-client-ca
    clientCertificatePolicy: Optional
2.

Actual results:
$ oc -n openshift-ingress logs router-default-75b446bff6-bb6z6
I0802 09:19:58.529496 1 template.go:437] router "msg"="starting router" "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: dca0c64df1dcc00042218714ed3326fea1d9221e\nversionFromGit: 4.0.0-343-gdca0c64d\ngitTreeState: clean\nbuildDate: 2021-07-30T13:54:05Z\n"
I0802 09:19:58.531999 1 metrics.go:155] metrics "msg"="router health and metrics port listening on HTTP and HTTPS" "address"="0.0.0.0:1936"
I0802 09:19:58.547116 1 router.go:191] template "msg"="creating a new template router" "writeDir"="/var/lib/haproxy"
I0802 09:19:58.547223 1 router.go:273] template "msg"="router will coalesce reloads within an interval of each other" "interval"="5s"
I0802 09:19:58.547588 1 router.go:337] template "msg"="watching for changes" "path"="/etc/pki/tls/private"
I0802 09:19:58.547694 1 router.go:337] template "msg"="watching for changes" "path"="/etc/pki/tls/client-ca"
I0802 09:19:58.547776 1 router.go:337] template "msg"="watching for changes" "path"="/etc/pki/tls/client-ca-crl"
I0802 09:19:58.547836 1 router.go:262] router "msg"="router is including routes in all namespaces"
E0802 09:19:58.672567 1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
E0802 09:19:58.720471 1 limiter.go:165] error reloading router: exit status 1
[NOTICE] 213/091958 (18) : haproxy version is 2.2.15-5e8f49d
[NOTICE] 213/091958 (18) : path to executable is /usr/sbin/haproxy
[ALERT] 213/091958 (18) : parsing [/var/lib/haproxy/conf/haproxy.config:142] : error detected while parsing ACL 'cert_cn_matches' : regex '(?:*.openshift.com)' is invalid (error=nothing to repeat, erroffset=3).
[ALERT] 213/091958 (18) : parsing [/var/lib/haproxy/conf/haproxy.config:143] : error detected while parsing an 'http-request deny' condition : no such ACL : 'cert_cn_matches'.
[ALERT] 213/091958 (18) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
E0802 09:20:03.659815 1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
E0802 09:20:03.676073 1 limiter.go:165] error reloading router: exit status 1
[NOTICE] 213/092003 (22) : haproxy version is 2.2.15-5e8f49d
[NOTICE] 213/092003 (22) : path to executable is /usr/sbin/haproxy
[ALERT] 213/092003 (22) : parsing [/var/lib/haproxy/conf/haproxy.config:142] : error detected while parsing ACL 'cert_cn_matches' : regex '(?:*.openshift.com)' is invalid (error=nothing to repeat, erroffset=3).
[ALERT] 213/092003 (22) : parsing [/var/lib/haproxy/conf/haproxy.config:143] : error detected while parsing an 'http-request deny' condition : no such ACL : 'cert_cn_matches'.
[ALERT] 213/092003 (22) : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

Expected results:
router pod should work well

Impact of the problem:

Additional info:
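As an added example (not code from the bug report, the OpenShift router or the ingress operator), the Python below performs the two checks a practitioner would want before editing spec.clientTLS.allowedSubjectPatterns: that each entry, joined into the `(?:...)` alternation that the rendered haproxy.config in the log shows, compiles as a regular expression at all, and what an entry then actually matches, given that HAProxy's `-m reg` ACL match is an unanchored search. The `(?:p1|p2)` join is inferred from the logged regex `'(?:*.openshift.com)'`; the sample patterns and client-certificate CNs are constructed; Python's `re` stands in for HAProxy's PCRE, and it rejects the report's value with the same "nothing to repeat" at offset 3.

```python
import re

# Constructed sample values for spec.clientTLS.allowedSubjectPatterns
# (illustrative input, not taken from any real cluster).
BROKEN_PATTERNS = ["*.openshift.com"]                  # the value from the bug report: a glob, not a regex
UNANCHORED_PATTERNS = [r".*\.openshift\.com"]          # compiles, but over-matches with -m reg
ANCHORED_PATTERNS = [r"^[a-z0-9-]+\.openshift\.com$"]  # compiles and admits only direct subdomains


def build_cn_acl_regex(patterns):
    """Join the list into the single alternation the rendered haproxy.config shows,
    e.g. regex '(?:*.openshift.com)'. Assumption: the router joins the entries
    with '|' inside a non-capturing group; the exact template is not on the page."""
    return "(?:" + "|".join(patterns) + ")"


def check_acl_regex(patterns):
    """Pre-flight the composite regex the way HAProxy does when it reloads.
    Returns (True, composite) on success, or (False, message) where the message
    mirrors HAProxy's 'is invalid (error=..., erroffset=N)' ALERT line."""
    composite = build_cn_acl_regex(patterns)
    try:
        re.compile(composite)
    except re.error as exc:
        return False, f"regex {composite!r} is invalid (error={exc.msg}, erroffset={exc.pos})"
    return True, composite


def cn_allowed(patterns, cn):
    """Emulate 'acl cert_cn_matches ssl_c_s_dn(CN) -m reg <regex>'.
    HAProxy's -m reg is an unanchored search, so re.search (not re.fullmatch)
    is the faithful equivalent. A pattern that does not compile raises here;
    in the real router the reload fails and the pod crash-loops instead."""
    ok, result = check_acl_regex(patterns)
    if not ok:
        raise ValueError(result)
    return re.search(result, cn) is not None


if __name__ == "__main__":
    # The report's value fails exactly as in the HAProxy log.
    print(check_acl_regex(BROKEN_PATTERNS))
    # A compiling but unanchored pattern also admits a CN that merely contains the suffix.
    for pats in (UNANCHORED_PATTERNS, ANCHORED_PATTERNS):
        for cn in ("api.openshift.com", "api.openshift.com.attacker.example"):
            print(pats, cn, cn_allowed(pats, cn))
```

The second check is the security-relevant one once the crash is fixed: the field holds regular expressions, so `*.openshift.com` is not a wildcard, and the natural "fix" `.*\.openshift\.com` still accepts a client certificate whose CN is `api.openshift.com.attacker.example` because nothing anchors the match. Escape the dots and anchor with `^` and `$`, and keep `clientCertificatePolicy` in mind: with `Optional`, a client that presents no certificate is not subject to this ACL at all.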