OCPBUGS-77892

OCP4.19 HAProxy rejects payloads that are too large with 413 but not available in access log breakdown default configuration

    • Important
    • Rejected
    • NI&D Sprint 285

      Description of problem:

      HAProxy 2.6+ strictly does not allow HTTP methods GET, HEAD and DELETE with payload. See code here: https://github.com/haproxy/haproxy/blob/master/src/mux_h1.c#L2024
      
      I can verify this on OpenShift with CURL:
      
      printf '{"test":"x"}\n' > /tmp/payload.json
      curl -vk --http1.0 \
        -X GET \
        -H 'Content-Type: application/json' \
        --data-binary @/tmp/payload.json \
        https://<route-redact>/fail
      and ingress response:
      
      > GET /blub/fail HTTP/1.0
      > Host: <route-redact>
      > User-Agent: curl/8.11.1
      > Accept: */*
      > Content-Type: application/json
      > Content-Length: 13
      > 
      * upload completely sent off: 13 bytes
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
      < HTTP/1.1 413 Payload Too Large
      < Content-length: 106
      < Cache-Control: no-cache
      < Content-Type: text/html
      < 
      <html><body><h1>413 Payload Too Large</h1>
      The request entity exceeds the maximum allowed.
      </body></html>
      My concern is that I am not seeing these HTTP 413 responses in ingress access logs.
      
      IngressController:

      apiVersion: operator.openshift.io/v1
      kind: IngressController
      metadata:
        labels:
          app.kubernetes.io/instance: ingress-operator-oso
        name: default
        namespace: openshift-ingress-operator
      spec:
        clientTLS:
          clientCA:
            name: ""
          clientCertificatePolicy: ""
        defaultCertificate:
          name: apps.<redact>
        httpEmptyRequestsPolicy: Respond
        httpErrorCodePages:
          name: ""
        idleConnectionTerminationPolicy: Deferred
        logging:
          access:
            destination:
              syslog:
                address: <redact>
                facility: local1
                maxLength: 1024
                port: 514
              type: Syslog
            logEmptyRequests: Log
        nodePlacement:
          nodeSelector:
            matchLabels:
              node-role.kubernetes.io/infra: ""
          tolerations:
          - effect: NoSchedule
            key: infra
            value: reserved
          - effect: NoExecute
            key: infra
            value: reserved
        routeSelector:
          matchExpressions:
          - key: type
            operator: NotIn
            values:
            - sharded-s1
        tuningOptions:
          reloadInterval: 0s
        unsupportedConfigOverrides: null
      
      Why do I not see it in access logs?

      Version-Release number of selected component (if applicable):

      4.19    

      How reproducible:

          every time, can replicate internally (details in subsequent updates)

      Steps to Reproduce:

          1.
          2.
          3.
          

      Actual results:

          413 not logged 

      Expected results:

      413 logged     

      Additional info:

      see case for more data/analytics: 04380751

              jomorais Joao Morais
              rhn-support-wrussell Will Russell
              Shudi Li Shudi Li