Details
-
Bug
-
Resolution: Done
-
Critical
-
None
-
4.11.z
-
Important
-
No
-
3
-
Sprint 244, Sprint 245, Sprint 246
-
3
-
Rejected
-
False
-
Description
Description of problem:
- Customer has a use case of applying `cookie-same-site=Lax` for all the routes in some specific projects:
- Using the command $ oc annotate route <route_name> router.openshift.io/cookie-same-site="Lax" when trying to add the annotation to all the routes and as a result, it did show the route was annotated but in reality it was getting applied. This we verified using route YAML, $ oc get route <route-name> -oyaml and here there was no annotation applied on the route.
- We even tried adding this annotation to other routes in other projects and the result was the same. It was showing the route was annotated but in reality it was getting applied and you confirmed this from the developers end as well.
$ oc get route -n <project> NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD cob-assistedonboarding-web-xxxxx netbanking-<namespace>.apps.dev.ocp.ib /AssistedOnboarding cob-assistedonboarding-web http edge/Redirect None $ oc annotate route --all -n <project> router.openshift.io/cookie-same-site="Lax" route.route.openshift.io/cob-assistedonboarding-web-xxxxx annotated // Checking Route YAML after applying the annotation, the annotation was not applied, although the annotation was successfully applied: apiVersion: v1 items: - apiVersion: route.openshift.io/v1 kind: Route metadata: creationTimestamp: "2023-10-03T19:40:26Z" labels: app.kubernetes.io/instance: sit-cob-assistedonboarding-web app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cob-assistedonboarding-web app.kubernetes.io/version: 1.0.0 helm.sh/chart: cob-assistedonboarding-web-0.2.0 name: cob-assistedonboarding-web-nz87g
- We even tried adding this annotation to other routes in other projects; the result was the same. It was showing the route was annotated but in reality, it was getting applied and they also confirmed this from the developer's end as well that they are unable to see the samesite cookie getting applied in the audit.
- Lastly, we even tried to edit the route YAML using, $ oc edit route <route-name> and manually added the annotation under the metadata section and after saving the file, it showed routed edited successfully but again when we checked the route YAML, the annotation was missing.
- I have tested the same set of commands in my test v4.13 cluster in parallel while we were on the call and I was able to see the annotation getting appended as shows in the results below:
//Create a sample project $ oc project test Now using project "test" on server "https://api.shrocp4upi413ovn.lab.upshift.rdu2.redhat.com:6443". // Deploy a sample web application(httpd) $ oc new-app --name=httpd --docker-image=registry.access.redhat.com/rhscl/httpd-24-rhel7 Flag --docker-image has been deprecated, Deprecated flag use --image warning: Cannot find git. Ensure that it is installed and in your path. Git is required to work with git repositories. --> Found container image 0629e8d (11 days old) from registry.access.redhat.com for "registry.access.redhat.com/rhscl/httpd-24-rhel7" Apache httpd 2.4 ---------------- Apache httpd 2.4 available as container, is a powerful, efficient, and extensible web server. Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Virtual hosting allows one Apache installation to serve many different Web sites. Tags: builder, httpd, httpd24 * An image stream tag will be created as "httpd:latest" that will track this image --> Creating resources ... imagestream.image.openshift.io "httpd" created deployment.apps "httpd" created service "httpd" created --> Success Application is not exposed. You can expose services to the outside world by executing one or more of the commands below: 'oc expose service/httpd' Run 'oc status' to view your app. $ oc get pods NAME READY STATUS RESTARTS AGE httpd-56894bdc5b-6jq8s 1/1 Running 0 27s $ oc get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE httpd ClusterIP 172.30.166.130 <none> 8080/TCP,8443/TCP 34s // Create route $ oc expose svc httpd route.route.openshift.io/httpd exposed $ oc get route NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD httpd httpd-test.apps.shrocp4upi413ovn.lab.upshift.rdu2.redhat.com httpd 8080-tcp None // Check the annotations present on the route $ oc get route httpd -oyaml apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: openshift.io/host.generated: "true" creationTimestamp: "2023-10-17T07:55:38Z" labels: $ oc annotate route httpd router.openshift.io/cookie-same-site="Lax" // Check if the annotation is applied successfully $ oc get route httpd -oyaml apiVersion: route.openshift.io/v1 kind: Route metadata: annotations: openshift.io/host.generated: "true" router.openshift.io/cookie-same-site: Lax -----------------------> annotation present creationTimestamp: "2023-10-17T07:55:38Z" labels:
Version-Release number of selected component (if applicable)
4.11.13
How reproducible:
Reproducible in customers environment
Steps to Reproduce:
1. 2. 3.
Actual results:
The route annotation is not applied, although it shows that the route was annotated successfully.
Expected results:
The annotation should get applied successfully and the route should have the applied annotation.
Additional info:
