Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31666

Route API documentation erroneously states that insecureEdgeTerminationPolicy defaults to "Allow"

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Minor Minor
    • 4.16.0
    • 4.13, 4.12, 4.11, 4.10, 4.9, 4.8, 4.7, 4.6, 3.11.z, 4.14, 4.2.z, 4.3.0, 4.4, 4.5, 4.1, 4.15, 4.16
    • Networking / router
    • Low
    • None
    • 2
    • Sprint 252, Sprint 253
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: The Route API documentation stated that the default value for the `spec.tls.insecureEdgeTerminationPolicy` field was "Allow". However, the default is actually "None".

      Consequence: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` had misleading information.

      Fix: The documentation for the `spec.tls.insecureEdgeTerminationPolicy` field was changed to say that "None", not "Allow", is the default value.

      Result: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` has accurate information.
      Show
      Cause: The Route API documentation stated that the default value for the `spec.tls.insecureEdgeTerminationPolicy` field was "Allow". However, the default is actually "None". Consequence: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` had misleading information. Fix: The documentation for the `spec.tls.insecureEdgeTerminationPolicy` field was changed to say that "None", not "Allow", is the default value. Result: The output of `oc explain routes.spec.tls.insecureEdgeTerminationPolicy` has accurate information.
    • Bug Fix
    • Proposed

      Description of problem

      The Route API documentation states that the default value for the spec.tls.insecureEdgeTerminationPolicy field is "Allow". However, the observable default behavior is that of "None".

      Version-Release number of selected component (if applicable)

      OpenShift 3.11 and earlier and OpenShift 4.1 through 4.16.

      How reproducible

      100%.

      Steps to Reproduce

      1. Check the documentation: oc explain routes.spec.tls.insecureEdgeTerminationPolicy
      2. Create an example application and edge-terminated route without specifying insecureEdgeTerminationPolicy, and try to connect to the route using HTTP:

      oc adm new-project hello-openshift
      oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
      oc -n hello-openshift expose pod hello-openshift
      oc -n hello-openshift create route edge --service=hello-openshift
      curl -k https://hello-openshift-hello-openshift.apps.<cluster domain>
      curl -I http://hello-openshift-hello-openshift.apps.<cluster domain>
      

      Actual results

      The documentation states that "Allow" is the default:

      % oc explain routes.spec.tls.insecureEdgeTerminationPolicy                        
      KIND:     Route
      VERSION:  route.openshift.io/v1
      
      FIELD:    insecureEdgeTerminationPolicy <string>
      
      DESCRIPTION:
           insecureEdgeTerminationPolicy indicates the desired behavior for insecure
           connections to a route. While each router may make its own decisions on
           which ports to expose, this is normally port 80.
      
           * Allow - traffic is sent to the server on the insecure port
           (edge/reencrypt terminations only) (default). * None - no traffic is
           allowed on the insecure port. * Redirect - clients are redirected to the
           secure port.
      

      However, in practice, the default seems to be "None":

      % oc adm new-project hello-openshift
      Created project hello-openshift
      % oc -n hello-openshift create -f https://raw.githubusercontent.com/openshift/origin/56867df5e362aab0d2d8fa8c225e6761c7469781/examples/hello-openshift/hello-pod.json
      pod/hello-openshift created
      % oc -n hello-openshift expose pod hello-openshift
      service/hello-openshift exposed
      % oc -n hello-openshift create route edge --service=hello-openshift
      route.route.openshift.io/hello-openshift created
      % oc -n hello-openshift get routes/hello-openshift -o yaml
      apiVersion: route.openshift.io/v1
      kind: Route
      metadata:
        annotations:
          openshift.io/host.generated: "true"
        creationTimestamp: "2024-04-02T22:59:32Z"
        labels:
          name: hello-openshift
        name: hello-openshift
        namespace: hello-openshift
        resourceVersion: "27147"
        uid: 50029f66-a089-4ec0-be04-91f176883e2b
      spec:
        host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
        tls:
          termination: edge
        to:
          kind: Service
          name: hello-openshift
          weight: 100
        wildcardPolicy: None
      status:
        ingress:
        - conditions:
          - lastTransitionTime: "2024-04-02T22:59:32Z"
            status: "True"
            type: Admitted
          host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerCanonicalHostname: router-default.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerName: default
          wildcardPolicy: None
        - conditions:
          - lastTransitionTime: "2024-04-02T22:59:32Z"
            status: "True"
            type: Admitted
          host: hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerCanonicalHostname: router-custom.custom.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
          routerName: custom
          wildcardPolicy: None
      % curl -k https://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org
      Hello OpenShift!
      % curl -I http://hello-openshift-hello-openshift.apps.8fbd3fa1605eb7f8632a.hypershift.aws-2.ci.openshift.org 
      HTTP/1.0 503 Service Unavailable
      pragma: no-cache
      cache-control: private, max-age=0, no-cache, no-store
      content-type: text/html
      

      Expected results

      Given the API documentation, I would maybe expect to see insecureEdgeTerminationPolicy: Allow in the route definition, and I would definitely expect the curl http:// command to succeed.

      Alternatively, I would expect the API documentation to state that the default for insecureEdgeTerminationPolicy is "None", based on the observed behavior.

      Additional info

      The current "(default)" text was added in https://github.com/openshift/origin/pull/10983/commits/dc1aecd4bcdae7525536180bab2a0a0083aaa0f4.

            mmasters1@redhat.com Miciah Masters
            mmasters1@redhat.com Miciah Masters
            Shudi Li Shudi Li
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: