Bug
Resolution: Obsolete
Minor
4.13, 4.12, 4.11, 4.10, 4.9, 4.8, 4.7, 4.6, 3.11.z, 4.14, 4.2.z, 4.3.0, 4.4, 4.5, 4.1, 4.15, 4.16
Low
None
2
Sprint 252, Sprint 253
2
Rejected
False
Bug Fix
Proposed
Description of problem
The Route API documentation states that the default value for the spec.tls.insecureEdgeTerminationPolicy field is "Allow". However, the observable default behavior is that of "None".
Version-Release number of selected component (if applicable)
OpenShift 3.11 and earlier and OpenShift 4.1 through 4.16.
How reproducible
100%.
Steps to Reproduce
1. Check the documentation: oc explain routes.spec.tls.insecureEdgeTerminationPolicy
2. Create an example application and edge-terminated route without specifying insecureEdgeTerminationPolicy, and try to connect to the route using HTTP:
oc adm new-project hello-openshift
oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
oc -n hello-openshift expose pod hello-openshift
oc -n hello-openshift create route edge --service=hello-openshift
curl -k https://hello-openshift-hello-openshift.apps.<cluster domain>
curl -I http://hello-openshift-hello-openshift.apps.<cluster domain>
Actual results
The documentation states that "Allow" is the default:
% oc explain routes.spec.tls.insecureEdgeTerminationPolicy
KIND:     Route
VERSION:  route.openshift.io/v1

FIELD:    insecureEdgeTerminationPolicy <string>

DESCRIPTION:
     insecureEdgeTerminationPolicy indicates the desired behavior for insecure connections to a route. While each router may make its own decisions on which ports to expose, this is normally port 80.

     * Allow - traffic is sent to the server on the insecure port (edge/reencrypt terminations only) (default).
     * None - no traffic is allowed on the insecure port.
     * Redirect - clients are redirected to the secure port.
However, in practice, the default seems to be "None":
% oc adm new-project hello-openshift
Created project hello-openshift
% oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
pod/hello-openshift created
% oc -n hello-openshift expose pod hello-openshift
service/hello-openshift exposed
% oc -n hello-openshift create route edge --service=hello-openshift
route.route.openshift.io/hello-openshift created
% oc -n hello-openshift get routes/hello-openshift -o yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    openshift.io/host.generated: "true"
  creationTimestamp: "2024-04-02T22:59:32Z"
  labels:
    name: hello-openshift
  name: hello-openshift
  namespace: hello-openshift
  resourceVersion: "27147"
  uid: 50029f66-a089-4ec0-be04-91f176883e2b
spec:
  host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
  tls:
    termination: edge
  to:
    kind: Service
    name: hello-openshift
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2024-04-02T22:59:32Z"
      status: "True"
      type: Admitted
    host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerCanonicalHostname: router-default.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerName: default
    wildcardPolicy: None
  - conditions:
    - lastTransitionTime: "2024-04-02T22:59:32Z"
      status: "True"
      type: Admitted
    host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerCanonicalHostname: router-custom.custom.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
    routerName: custom
    wildcardPolicy: None
% curl -k https://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
Hello OpenShift!
% curl -I http://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
HTTP/1.0 503 Service Unavailable
pragma: no-cache
cache-control: private, max-age=0, no-cache, no-store
content-type: text/html
Expected results
Given the API documentation, I would maybe expect to see insecureEdgeTerminationPolicy: Allow in the route definition, and I would definitely expect the curl http:// command to succeed.
Alternatively, I would expect the API documentation to state that the default for insecureEdgeTerminationPolicy is "None", based on the observed behavior.
Additional info
The current "(default)" text was added in https://github.com/openshift/origin/pull/10983/commits/dc1aecd4bcdae7525536180bab2a0a0083aaa0f4.
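Because the documented default ("Allow") and the observed default ("None") disagree, a route that leaves insecureEdgeTerminationPolicy unset does not record what its owner intended for port 80. The following is an added example, not part of this report or of OpenShift itself: it reads `oc get routes -A -o json` output and flags TLS routes that rely on the default or explicitly allow plaintext, suggesting an `oc patch` that pins the policy. The route list is constructed sample data and the classification is this example's own policy.

```python
import json

# Constructed sample of `oc get routes -A -o json` output (not captured from a cluster).
SAMPLE_ROUTE_LIST = json.dumps({"kind": "List", "apiVersion": "v1", "items": [
    {"metadata": {"name": "hello-openshift", "namespace": "hello-openshift"},  # policy unset
     "spec": {"host": "hello-openshift-hello-openshift.apps.example.test",
              "tls": {"termination": "edge"}}},
    {"metadata": {"name": "legacy", "namespace": "shop"},  # explicit Allow: plaintext next to TLS
     "spec": {"host": "legacy.apps.example.test",
              "tls": {"termination": "reencrypt", "insecureEdgeTerminationPolicy": "Allow"}}},
    {"metadata": {"name": "web", "namespace": "shop"},  # explicit Redirect: nothing to report
     "spec": {"host": "web.apps.example.test",
              "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}}},
    {"metadata": {"name": "plain", "namespace": "dev"},  # no spec.tls: plaintext-only route
     "spec": {"host": "plain.apps.example.test"}},
]})

# Pinning the policy explicitly removes the dependence on the (mis)documented default.
PATCH = ("oc -n {ns} patch route {name} --type=merge "
         "-p '{{\"spec\":{{\"tls\":{{\"insecureEdgeTerminationPolicy\":\"Redirect\"}}}}}}'")

def audit_routes(route_list_json: str) -> list[dict]:
    """Return one finding per route whose insecure-port handling needs review.

    Classification (an assumption of this example, not an OpenShift rule): 'unset' is a
    TLS route with no insecureEdgeTerminationPolicy (documented default Allow, observed
    None, so intent is unknowable); 'allow' serves plaintext next to TLS; 'no-tls' is a
    plaintext-only route. Routes set to None or Redirect produce no finding.
    """
    findings = []
    for route in json.loads(route_list_json)["items"]:
        ns, name = route["metadata"]["namespace"], route["metadata"]["name"]
        tls = route.get("spec", {}).get("tls")
        policy = None if tls is None else tls.get("insecureEdgeTerminationPolicy")
        if tls is None:
            issue = "no-tls"
        elif policy is None:
            issue = "unset"
        elif policy == "Allow":
            issue = "allow"
        else:
            continue  # None or Redirect: the insecure port is handled explicitly
        findings.append({"route": f"{ns}/{name}", "issue": issue, "policy": policy,
                         "remediation": PATCH.format(ns=ns, name=name) if tls else None})
    return findings

if __name__ == "__main__":
    for f in audit_routes(SAMPLE_ROUTE_LIST):
        print(f"{f['route']}: {f['issue']} (policy={f['policy']})")
```

Replace SAMPLE_ROUTE_LIST with the real `oc get routes -A -o json` output to run it against a cluster; whether Redirect or None is the right pin depends on the application, so the patch is a suggestion to review, not to apply blindly.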
links to: RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update