Bug 2008612 - Plugin asset proxy does not pass through browser cache headers
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Jakub Hadvig
QA Contact: Yadan Pei
 
Reported: 2021-09-28 17:03 UTC by Samuel Padgett
Modified: 2022-03-10 16:14 UTC (History)

Environment:
Version: 4.9.0-0.nightly-2021-09-09-145014 Cluster ID: 593dd1e8-bd35-43a4-8985-b61377b675e4 Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Last Closed: 2022-03-10 16:13:54 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 10153 | 0 | None | open | Bug 2008612: Proxy browser cache headers from plugin asset request | 2021-09-29 08:43:01 UTC
Github | openshift console pull 10166 | 0 | None | open | Bug 2008612: HTTP method should be uppercased when proxying plugin request | 2021-10-01 12:37:56 UTC
Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-10 16:14:14 UTC

Description Samuel Padgett 2021-09-28 17:03:37 UTC
The plugin asset proxy in the console backend sends no request headers.

https://github.com/openshift/console/blob/7655199ccd8d83e7c39d5150602f7e90f47066ce/pkg/plugins/handlers.go#L91

We should be passing through at least some headers that are needed for browser caching and content negotiation. (This is done for our typical proxy in proxy.go.)

We should *NOT* pass through Cookie and X-CSRFToken headers, however.
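
The pass-through requested above, sketched as an added example (not the console's code and not taken from the linked pull requests): only allowlisted request headers reach the plugin service, so conditional requests work while Cookie and X-CSRFToken stay behind. The allowlist contents, the proxyAsset and demo names, the request path and all header values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed allowlist; Cookie and X-CSRFToken are deliberately absent.
var forwarded = []string{"Accept", "Accept-Language", "Cache-Control",
	"If-Modified-Since", "If-None-Match", "User-Agent"}

// proxyAsset (hypothetical name) copies only allowlisted request headers upstream.
func proxyAsset(c *http.Client, url string, in *http.Request) (*http.Response, error) {
	out, err := http.NewRequestWithContext(in.Context(), http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	for _, name := range forwarded {
		for _, v := range in.Header.Values(name) {
			out.Header.Add(name, v)
		}
	}
	return c.Do(out)
}

// demo proxies a constructed browser request to a local test upstream.
func demo() (int, http.Header, error) {
	seen := make(chan http.Header, 1)
	up := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Clone()
		if r.Header.Get("If-None-Match") == `"v1"` {
			w.WriteHeader(http.StatusNotModified) // browser copy is still fresh
		}
	}))
	defer up.Close()
	in := httptest.NewRequest(http.MethodGet, "/constructed/asset.json", nil)
	in.Header.Set("User-Agent", "Mozilla/5.0 (constructed)")
	in.Header.Set("If-None-Match", `"v1"`)
	in.Header.Set("Cookie", "session=constructed")
	in.Header.Set("X-CSRFToken", "constructed")
	resp, err := proxyAsset(up.Client(), up.URL, in)
	if err != nil {
		return 0, nil, err
	}
	resp.Body.Close()
	return resp.StatusCode, <-seen, nil
}

func main() { fmt.Println(demo()) }
```

With no headers copied, Go's client identifies itself with its default User-Agent and never sends If-None-Match, so the upstream cannot answer 304.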

Comment 3 Jakub Hadvig 2021-10-01 12:36:30 UTC
Moving the Bug back to ASSIGNED since there was one additional fix to be made
https://github.com/openshift/console/pull/10166

Comment 7 Yadan Pei 2021-10-13 08:45:44 UTC
1. Enable demo plugin 

$ cat oc-manifest-locales.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: console-demo-plugin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: console-demo-plugin
  namespace: console-demo-plugin
  labels:
    app: console-demo-plugin
    app.kubernetes.io/component: console-demo-plugin
    app.kubernetes.io/instance: console-demo-plugin
    app.kubernetes.io/part-of: console-demo-plugin
    app.openshift.io/runtime-namespace: console-demo-plugin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: console-demo-plugin
  template:
    metadata:
      labels:
        app: console-demo-plugin
    spec:
      containers:
        - name: console-demo-plugin
          image: quay.io/yapei/console-demo-plugin:locales
          ports:
            - containerPort: 9001
              protocol: TCP
          imagePullPolicy: Always
          args:
            - '--ssl'
            - '--cert=/var/serving-cert/tls.crt'
            - '--key=/var/serving-cert/tls.key'
          volumeMounts:
            - name: console-serving-cert
              readOnly: true
              mountPath: /var/serving-cert
      volumes:
        - name: console-serving-cert
          secret:
            secretName: console-serving-cert
            defaultMode: 420
      restartPolicy: Always
      dnsPolicy: ClusterFirst
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: console-serving-cert
  name: console-demo-plugin
  namespace: console-demo-plugin
  labels:
    app: console-demo-plugin
    app.kubernetes.io/component: console-demo-plugin
    app.kubernetes.io/instance: console-demo-plugin
    app.kubernetes.io/part-of: console-demo-plugin
spec:
  ports:
    - name: 9001-tcp
      protocol: TCP
      port: 9001
      targetPort: 9001
  selector:
    app: console-demo-plugin
  type: ClusterIP
  sessionAffinity: None
---
apiVersion: console.openshift.io/v1alpha1
kind: ConsolePlugin
metadata:
  name: console-demo-plugin
spec:
  displayName: 'OpenShift Console Demo Plugin'
  service:
    name: console-demo-plugin
    namespace: console-demo-plugin
    port: 9001
    basePath: '/'

$ oc apply -f oc-manifest-locales.yaml 
namespace/console-demo-plugin created
deployment.apps/console-demo-plugin created
service/console-demo-plugin created
consoleplugin.console.openshift.io/console-demo-plugin created

$ oc get all -n console-demo-plugin
NAME                                     READY   STATUS    RESTARTS   AGE
pod/console-demo-plugin-59dfbf5c-ttssn   1/1     Running   0          2m48s

NAME                          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/console-demo-plugin   ClusterIP   172.30.119.39   <none>        9001/TCP   2m47s

NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/console-demo-plugin   1/1     1            1           2m49s

NAME                                           DESIRED   CURRENT   READY   AGE
replicaset.apps/console-demo-plugin-59dfbf5c   1         1         1       2m48s

2. Visit /locales/resource.json?lng=en&ns=plugin__console-demo-plugin and then check the pod logs
$ oc logs -f console-demo-plugin-59dfbf5c-ttssn -n console-demo-plugin
Starting up http-server, serving ./static through https
Available on:
  https://127.0.0.1:9001
  https://10.129.2.16:9001
Hit CTRL-C to stop the server
[Wed Oct 13 2021 08:42:36 GMT+0000 (Coordinated Universal Time)]  "GET /locales/en/plugin__console-demo-plugin.json" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36"
[Wed Oct 13 2021 08:43:44 GMT+0000 (Coordinated Universal Time)]  "GET /locales/en/plugin__console-demo-plugin.json" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36"

We can see the 'User-Agent' header is proxied to the service endpoint.

Moving to VERIFIED and let me know if the steps are wrong

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-10-13-001151   True        False         3h15m   Cluster version is 4.10.0-0.nightly-2021-10-13-001151

Comment 8 Yadan Pei 2021-10-13 08:51:17 UTC
As a comparison, we only return "Go-http-client/1.1" before the fix

$ oc logs -f console-demo-plugin-59dfbf5c-vw2gb  -n console-demo-plugin
Starting up http-server, serving ./static through https
Available on:
  https://127.0.0.1:9001
  https://10.129.2.105:9001
Hit CTRL-C to stop the server
[Wed Oct 13 2021 08:49:54 GMT+0000 (Coordinated Universal Time)]  "GET /locales/en/plugin__console-demo-plugin.json" "Go-http-client/1.1"

Comment 12 errata-xmlrpc 2022-03-10 16:13:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

