OpenShift Bugs: OCPBUGS-31666

Route API documentation erroneously states that insecureEdgeTerminationPolicy defaults to "Allow"


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • 4.16.0
    • 4.13, 4.12, 4.11, 4.10, 4.9, 4.8, 4.7, 4.6, 3.11.z, 4.14, 4.2.z, 4.3.0, 4.4, 4.5, 4.1, 4.15, 4.16
    • Networking / router
    • Low
    • Sprint 252, Sprint 253
    • 2
    • Rejected
    • False

      Description of problem

      The Route API documentation states that the default value for the spec.tls.insecureEdgeTerminationPolicy field is "Allow". However, the observable default behavior is that of "None".

      Version-Release number of selected component (if applicable)

      OpenShift 3.11 and earlier and OpenShift 4.1 through 4.16.

      How reproducible

      100%.

      Steps to Reproduce

      1. Check the documentation: oc explain routes.spec.tls.insecureEdgeTerminationPolicy
      2. Create an example application and edge-terminated route without specifying insecureEdgeTerminationPolicy, and try to connect to the route using HTTP:

      oc adm new-project hello-openshift
      oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
      oc -n hello-openshift expose pod hello-openshift
      oc -n hello-openshift create route edge --service=hello-openshift
      curl -k https://hello-openshift-hello-openshift.apps.<cluster domain>
      curl -I http://hello-openshift-hello-openshift.apps.<cluster domain>
      

      Actual results

      The documentation states that "Allow" is the default:

      % oc explain routes.spec.tls.insecureEdgeTerminationPolicy                        
      KIND:     Route
      VERSION:  route.openshift.io/v1
      
      FIELD:    insecureEdgeTerminationPolicy <string>
      
      DESCRIPTION:
           insecureEdgeTerminationPolicy indicates the desired behavior for insecure
           connections to a route. While each router may make its own decisions on
           which ports to expose, this is normally port 80.
      
           * Allow - traffic is sent to the server on the insecure port
           (edge/reencrypt terminations only) (default). * None - no traffic is
           allowed on the insecure port. * Redirect - clients are redirected to the
           secure port.
      

      However, in practice, the default seems to be "None":

      % oc adm new-project hello-openshift
      Created project hello-openshift
      % oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
      pod/hello-openshift created
      % oc -n hello-openshift expose pod hello-openshift
      service/hello-openshift exposed
      % oc -n hello-openshift create route edge --service=hello-openshift
      route.route.openshift.io/hello-openshift created
      % oc -n hello-openshift get routes/hello-openshift -o yaml
      apiVersion: route.openshift.io/v1
      kind: Route
      metadata:
        annotations:
          openshift.io/host.generated: "true"
        creationTimestamp: "2024-04-02T22:59:32Z"
        labels:
          name: hello-openshift
        name: hello-openshift
        namespace: hello-openshift
        resourceVersion: "27147"
        uid: 50029f66-a089-4ec0-be04-91f176883e2b
      spec:
        host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
        tls:
          termination: edge
        to:
          kind: Service
          name: hello-openshift
          weight: 100
        wildcardPolicy: None
      status:
        ingress:
        - conditions:
          - lastTransitionTime: "2024-04-02T22:59:32Z"
            status: "True"
            type: Admitted
          host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerCanonicalHostname: router-default.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerName: default
          wildcardPolicy: None
        - conditions:
          - lastTransitionTime: "2024-04-02T22:59:32Z"
            status: "True"
            type: Admitted
          host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerCanonicalHostname: router-custom.custom.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerName: custom
          wildcardPolicy: None
      % curl -k https://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
      Hello OpenShift!
      % curl -I http://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org 
      HTTP/1.0 503 Service Unavailable
      pragma: no-cache
      cache-control: private, max-age=0, no-cache, no-store
      content-type: text/html
      

      Expected results

      Given the API documentation, I would maybe expect to see insecureEdgeTerminationPolicy: Allow in the route definition, and I would definitely expect the curl http:// command to succeed.

      Alternatively, I would expect the API documentation to state that the default for insecureEdgeTerminationPolicy is "None", based on the observed behavior.

      Additional info

      The current "(default)" text was added in https://github.com/openshift/origin/pull/10983/commits/dc1aecd4bcdae7525536180bab2a0a0083aaa0f4.
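      As an added example (not part of the bug report or of OpenShift itself), a small Python audit that reads `oc get routes -A -o json` output and reports what each route actually does with plaintext on the insecure port, treating an unset insecureEdgeTerminationPolicy as "None" per the observed behavior above rather than the documented "Allow". The route list is constructed inline: it carries the edge route from the report with the field unset, plus two made-up routes (`demo/legacy-api`, `demo/plain-http`) for comparison.

```python
import json

# Constructed sample in the shape of `oc get routes -A -o json`: the edge route
# from the report (field unset) plus two made-up routes for comparison.
ROUTES_JSON = """{"kind": "List", "items": [
  {"metadata": {"name": "hello-openshift", "namespace": "hello-openshift"},
   "spec": {"tls": {"termination": "edge"},
            "to": {"kind": "Service", "name": "hello-openshift"}}},
  {"metadata": {"name": "legacy-api", "namespace": "demo"},
   "spec": {"tls": {"termination": "edge",
                    "insecureEdgeTerminationPolicy": "Allow"},
            "to": {"kind": "Service", "name": "legacy-api"}}},
  {"metadata": {"name": "plain-http", "namespace": "demo"},
   "spec": {"to": {"kind": "Service", "name": "plain-http"}}}
]}"""

# What the router actually does when the field is unset, per the curl -I test
# above (HTTP 503 on port 80): it behaves like "None", not the documented "Allow".
OBSERVED_DEFAULT = "None"


def effective_insecure_policy(route):
    """Policy applied to the insecure port (normally 80): a route with no tls
    stanza is plaintext-only, so it is reported as "Allow"; an unset or empty
    field on a TLS route gets the observed default."""
    tls = route.get("spec", {}).get("tls")
    if not tls:
        return "Allow"
    return tls.get("insecureEdgeTerminationPolicy") or OBSERVED_DEFAULT


def classify_routes(routes_json):
    """Map 'namespace/name' -> (termination, effective policy, field explicitly set)."""
    result = {}
    for route in json.loads(routes_json)["items"]:
        meta = route["metadata"]
        tls = route.get("spec", {}).get("tls") or {}
        result[f"{meta['namespace']}/{meta['name']}"] = (
            tls.get("termination", "none"),
            effective_insecure_policy(route),
            "insecureEdgeTerminationPolicy" in tls,
        )
    return result


if __name__ == "__main__":
    for name, (term, policy, explicit) in classify_routes(ROUTES_JSON).items():
        note = "" if explicit else " (field unset; observed default applied)"
        print(f"{name}: termination={term} insecure={policy}{note}")
```

      Routes reported with insecure=Allow are the ones accepting unencrypted requests; routes where the field is unset are flagged so that the documented default is not relied on.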

            Miciah Masters (mmasters1@redhat.com)
            Shudi Li