OpenShift Bugs / OCPBUGS-47773

Route spec.path that has a space or # causes HAProxy error and ingress degraded

    • Quality / Stability / Reliability
    • False
    • 5
    • Important
    • None
    • None
    • Rejected
    • NE Sprint 265, NI&D Sprint 266, NI&D Sprint 267, NI&D Sprint 270, NI&D Sprint 271, NI&D Sprint 272, NI&D Sprint 273, NI&D Sprint 275, NI&D Sprint 276
    • 9
    • Customer Escalated
    • +
    • In Progress
    • Bug Fix
    • Cause: The Route API validation allowed a route to specify a path that contained a ' ' space character or '#' octothorpe character, and OpenShift router did not filter these characters out when writing the HAProxy configuration.

      Consequence: Users were able to create routes with invalid paths that caused HAProxy to refuse to start.

      Fix: The Route API validation now prohibits space and octothorpe characters in path values.

      Result: Users can no longer create a route with either of these characters in the path.

      Description of problem:

      A route with the following spec.path with a space (/route-admission-test1 / test1) or # (/route-admission-test!#) and the annotation (haproxy.router.openshift.io/rewrite-target: /)
      can break HAProxy and cause ingress to become degraded.
      
      ~~~
      kind: Route
      apiVersion: route.openshift.io/v1
      metadata:
        name: hello-openshift
        namespace: route-admission-test1
        annotations:
          haproxy.router.openshift.io/rewrite-target: /
      spec:
        host: example-route-admission-test1.apps.xxxxx.japaneast.aroapp.io
        path: /route-admission-test1 / test1
        to:
          kind: Service
          name: hello-openshift
          weight: 100
        tls:
          termination: edge
          insecureEdgeTerminationPolicy: Allow
        wildcardPolicy: None
      ~~~

      Version-Release number of selected component (if applicable):

      4.14 (other versions could also have the same issue)

      How reproducible:

      Create a route with the haproxy.router.openshift.io/rewrite-target annotation and whose spec.path has a space, like
       /route-admission-test1 / test1 
      or with #
       /route-admission#

      Steps to Reproduce:

      1. oc new-project route-admission-test1

      2. oc create -f https://raw.githubusercontent.com/openshift/origin/master/examples/hello-openshift/hello-pod.json

      3. oc expose pod/hello-openshift

      4. Create a route like the one below
      
      ~~~
      kind: Route
      apiVersion: route.openshift.io/v1
      metadata:
        name: hello-openshift
        namespace: route-admission-test1
        annotations:
          haproxy.router.openshift.io/rewrite-target: /
      spec:
        host: example-route-admission-test1.apps.xxxxx.japaneast.aroapp.io
        path: /route-admission-test1 / test1
        to:
          kind: Service
          name: hello-openshift
          weight: 100
        tls:
          termination: edge
          insecureEdgeTerminationPolicy: Allow
        wildcardPolicy: None
      ~~~
      
      
      
      5. delete ingress pods and then check ingress status
      
      
      
      $ oc get pods -n openshift-ingress
      NAME                              READY   STATUS    RESTARTS       AGE
      router-default-5fbb99fbf6-d4mvf   0/1     Running   2 (109s ago)   7m21s
      router-default-5fbb99fbf6-mfd2f   1/1     Running   0              19m
      
      6. check logs
      
      $ oc logs pods/router-default-5fbb99fbf6-d4mvf -n openshift-ingress
      I0106 04:01:13.664076       1 template.go:559] router "msg"="starting router" "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: b3af193f191b8d20c0b7bac328cb2c397d5c2c27\nversionFromGit: 4.0.0-462-gb3af193f\ngitTreeState: clean\nbuildDate: 2024-03-06T00:47:12Z\n"
      I0106 04:01:13.667376       1 metrics.go:156] metrics "msg"="router health and metrics port listening on HTTP and HTTPS" "address"="0.0.0.0:1936"
      I0106 04:01:13.671519       1 router.go:210] template "msg"="creating a new template router" "writeDir"="/var/lib/haproxy"
      I0106 04:01:13.671608       1 router.go:294] template "msg"="router will coalesce reloads within an interval of each other" "interval"="5s"
      I0106 04:01:13.672088       1 router.go:364] template "msg"="watching for changes" "path"="/etc/pki/tls/private"
      I0106 04:01:13.672164       1 router.go:269] router "msg"="router is including routes in all namespaces" 
      E0106 04:01:13.781453       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
      E0106 04:01:13.798536       1 limiter.go:165] error reloading router: exit status 1
      [NOTICE]   (18) : haproxy version is 2.6.13-234aa6d
      [NOTICE]   (18) : path to executable is /usr/sbin/haproxy
      [ALERT]    (18) : config : parsing [/var/lib/haproxy/conf/haproxy.config:381] : error detected in backend 'be_edge_http:route-admission-test1:hello-openshift' while parsing 'http-request replace-path' rule : expects exactly 2 arguments <match-regex> and <replace-format>.
      [ALERT]    (18) : config : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config
      
      .........
      [-]backend-http failed: backend reported failure
      I0106 04:03:14.376923       1 healthz.go:261] backend-http check failed: healthz
      [-]backend-http failed: backend reported failure
      I0106 04:03:14.392670       1 template.go:828] router "msg"="Shutdown requested, waiting 45s for new connections to cease" 
      E0106 04:03:24.418696       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
      
      
      
      7. check ingress operator
      
      $ oc get co
      NAME                                       VERSION               AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
      aro                                        v20241111.00-hotfix   True       ..........
      ingress                                    4.14.16               True        True          False      28m     ingresscontroller "default" is progressing: IngressControllerProgressing: One or more status conditions indicate progressing: DeploymentRollingOut=True (DeploymentRollingOut: Waiting for router deployment rollout to finish: 1 of 2 updated replica(s) are available......
      insights                                  

      Actual results:

      Ingress is degraded when there is a space or # in spec.path of the route YAML

      Expected results:

      When creating a route, there should be a check that prevents the customer from setting a space or # (like path: /route-admission-test1 / test1) in the Route

      Additional info:

      1) There is a similar bug,
      https://issues.redhat.com/browse/OCPBUGS-27741
      which also shows the same issue, but the engineer suggested creating a new bug for the space issue, which is why I created this new bug.

      2) For the reproduction test case, changing the route's spec.path from (/route-admission-test1 / test1) to (/route-admission-test1/test1) solves the issue, but we should have that check to prevent this from happening.
      
      ~~~
      kind: Route
      apiVersion: route.openshift.io/v1
      metadata:
        name: hello-openshift
        namespace: route-admission-test1
        annotations:
          haproxy.router.openshift.io/rewrite-target: /
      spec:
        host: example-route-admission-test1.apps.xxxxx.japaneast.aroapp.io
        path: /route-admission-test1/test1
        to:
          kind: Service
          name: hello-openshift
          weight: 100
        tls:
          termination: edge
          insecureEdgeTerminationPolicy: Allow
        wildcardPolicy: None
      ~~~
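
An added Go sketch (not code from the OpenShift router or the Route API) of the failure and fix this issue describes: why a space or '#' in spec.path changes the argument count of an `http-request replace-path` rule, and a path check that rejects both characters. The unquoted rule shape and the helper names `validateRoutePath`, `splitHAProxyLine` and `replacePathArgCount` are assumptions; HAProxy's quoting and escape handling is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// validateRoutePath mirrors the rule stated in the fix: a route path must not
// contain a space or '#'. Hypothetical helper, not the Route API's own code.
func validateRoutePath(path string) error {
	if i := strings.IndexAny(path, " #"); i >= 0 {
		return fmt.Errorf("spec.path: invalid character %q at offset %d", path[i], i)
	}
	return nil
}

// splitHAProxyLine is a simplified model of how HAProxy tokenizes one config
// line: an unquoted '#' starts a comment and whitespace separates words.
// Quoting and backslash escapes are deliberately not modelled.
func splitHAProxyLine(line string) []string {
	if i := strings.IndexByte(line, '#'); i >= 0 {
		line = line[:i]
	}
	return strings.Fields(line)
}

// replacePathArgCount renders a constructed, unquoted replace-path rule for
// the path (an assumed shape, not the router's template) and counts the
// arguments left after the two rule keywords. HAProxy requires exactly 2.
func replacePathArgCount(path string) int {
	rule := "http-request replace-path ^" + path + `/?(.*)$ /\1`
	return len(splitHAProxyLine(rule)) - 2
}

func main() {
	for _, p := range []string{
		"/route-admission-test1 / test1", // path from the report
		"/route-admission#",              // path from the report
		"/route-admission-test1/test1",   // corrected path from the report
	} {
		fmt.Printf("%-34q args=%d validation=%v\n",
			p, replacePathArgCount(p), validateRoutePath(p))
	}
}
```

Only the corrected path yields the two arguments the rule expects; the other two paths are rejected by the check before any configuration would be written.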

       

              rh-ee-alsyed Ali Syed
              rhn-support-jayu Jacob Yu
              None
              Ricardo Pchevuzinske Katz
              Shudi Li Shudi Li
              None