Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31666

Route API documentation erroneously states that insecureEdgeTerminationPolicy defaults to "Allow"

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Minor Minor
    • 4.16.0
    • 4.13, 4.12, 4.11, 4.10, 4.9, 4.8, 4.7, 4.6, 3.11.z, 4.14, 4.2.z, 4.3.0, 4.4, 4.5, 4.1, 4.15, 4.16
    • Networking / router
    • Low
    • None
    • 2
    • Sprint 252, Sprint 253
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: The Route API documentation stated that the default value for the `spec.tls.insecureEdgeTerminationPolicy` field was "Allow". However, the default is actually "None".

      Consequence: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` had misleading information.

      Fix: The documentation for the `spec.tls.insecureEdgeTerminationPolicy` field was changed to say that "None", not "Allow", is the default value.

      Result: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` has accurate information.
      Show
      Cause: The Route API documentation stated that the default value for the `spec.tls.insecureEdgeTerminationPolicy` field was "Allow". However, the default is actually "None". Consequence: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` had misleading information. Fix: The documentation for the `spec.tls.insecureEdgeTerminationPolicy` field was changed to say that "None", not "Allow", is the default value. Result: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` has accurate information.
    • Bug Fix
    • Proposed

      Description of problem

      The Route API documentation states that the default value for the spec.tls.insecureEdgeTerminationPolicy field is "Allow". However, the observable default behavior is that of "None".

      Version-Release number of selected component (if applicable)

      OpenShift 3.11 and earlier and OpenShift 4.1 through 4.16.

      How reproducible

      100%.

      Steps to Reproduce

      1. Check the documentation: oc explain routes.spec.tls.insecureEdgeTerminationPolicy
      2. Create an example application and edge-terminated route without specifying insecureEdgeTerminationPolicy, and try to connect to the route using HTTP:

      oc adm new-project hello-openshift
oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
oc -n hello-openshift expose pod hello-openshift
oc -n hello-openshift create route edge --service=hello-openshift
curl -k https://hello-openshift-hello-openshift.apps.<cluster domain>
curl -I http://hello-openshift-hello-openshift.apps.<cluster domain>

      Actual results

      The documentation states that "Allow" is the default:

      % oc explain routes.spec.tls.insecureEdgeTerminationPolicy                        
KIND:     Route
VERSION:  route.openshift.io/v1

FIELD:    insecureEdgeTerminationPolicy <string>

DESCRIPTION:
     insecureEdgeTerminationPolicy indicates the desired behavior for insecure
     connections to a route. While each router may make its own decisions on
     which ports to expose, this is normally port 80.

     * Allow - traffic is sent to the server on the insecure port
     (edge/reencrypt terminations only) (default). * None - no traffic is
     allowed on the insecure port. * Redirect - clients are redirected to the
     secure port.

      However, in practice, the default seems to be "None":

      % oc adm new-project hello-openshift
Created project hello-openshift
% oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
pod/hello-openshift created
% oc -n hello-openshift expose pod hello-openshift
service/hello-openshift exposed
% oc -n hello-openshift create route edge --service=hello-openshift
route.route.openshift.io/hello-openshift created
% oc -n hello-openshift get routes/hello-openshift -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: "2024-04-02T22:59:32Z"
  labels:
    name: hello-openshift
  name: hello-openshift
  namespace: hello-openshift
  resourceVersion: "27147"
  uid: 50029f66-a089-4ec0-be04-91f176883e2b
spec:
  host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
  tls:
    termination: edge
  to:
    kind: Service
    name: hello-openshift
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2024-04-02T22:59:32Z"
      status: "True"
      type: Admitted
    host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerCanonicalHostname: router-default.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerName: default
    wildcardPolicy: None
  - conditions:
    - lastTransitionTime: "2024-04-02T22:59:32Z"
      status: "True"
      type: Admitted
    host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerCanonicalHostname: router-custom.custom.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerName: custom
    wildcardPolicy: None
% curl -k https://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
Hello OpenShift!
% curl -I http://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org 
HTTP/1.0 503 Service Unavailable
pragma: no-cache
cache-control: private, max-age=0, no-cache, no-store
content-type: text/html

      Expected results

      Given the API documentation, I would maybe expect to see insecureEdgeTerminationPolicy: Allow in the route definition, and I would definitely expect the curl http:// command to succeed.

      Alternatively, I would expect the API documentation to state that the default for insecureEdgeTerminationPolicy is "None", based on the observed behavior.

      Additional info

      The current "(default)" text was added in https://github.com/openshift/origin/pull/10983/commits/dc1aecd4bcdae7525536180bab2a0a0083aaa0f4.

              mmasters1@redhat.com Miciah Masters
              mmasters1@redhat.com Miciah Masters
              Shudi Li Shudi Li
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: