  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1362

Support ingress annotation to create a route with spec.tls.insecureEdgeTerminationPolicy set to Allow


    • BU Product Work
    • True

      I would like to ask about the state of this feature. My customer is actively asking for the status of this functionality. We are not able to provide the customer with any data for their planning. If we are not able to deliver this functionality, they will have to introduce an admission controller for dealing with this.

      The Jira has been labeled 4.18_candidate, but based on NE-702 there is no work being done it seems.

      Can you please clarify on this?

      Thank you
      Roman

    • False
    • 100% To Do, 0% In Progress, 0% Done
    • 0
    • Backlog Refinement
    • Red Hat OpenShift Networking

      Feature Overview (aka. Goal Summary)  

      Support the ability to create a route with the spec.tls.insecureEdgeTerminationPolicy set to Allow.

      Goals (aka. expected user outcomes)

      The ability to specify that OpenShift create these corresponding Route resources with spec.tls.insecureEdgeTerminationPolicy set to Allow, using an Ingress annotation. For example:

      annotations:
        route.openshift.io/insecureEdgeTerminationPolicy: "Allow"

      Requirements (aka. Acceptance Criteria):

      Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both  
      Classic (standalone cluster)  
      Hosted control planes  
      Multi node, Compact (three node), or Single node (SNO), or all  
      Connected / Restricted Network  
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)  
      Operator compatibility  
      Backport needed (list applicable versions)  
      UI need (e.g. OpenShift Console, dynamic plugin, OCM)  
      Other (please specify)  

      Use Cases (Optional):

      When routes are created with TLS data from the ingress resource, the Route will always have the spec.tls.insecureEdgeTerminationPolicy set to Redirect. This breaks cert-manager cert renewals for a host/domain that has already been set up, because cert-manager requests to port 80 get redirected to port 443.

      Customers can modify the generated route after it has been created, but customers require the ability to specify that OpenShift create these corresponding Route resources with spec.tls.insecureEdgeTerminationPolicy set to Allow instead.

      Questions to Answer (Optional):

      Out of Scope

      Background

      Customers use native Kubernetes Ingress resources to expose traffic to OpenShift services, because Ingress resources have the ability to reference a secret for their TLS certs instead of including the TLS information directly in the route. When creating an ingress, OpenShift automatically creates a corresponding Route with configuration based off of the Ingress resource created.
      These steps define this process.

      However, when the route is created with TLS data from the ingress resource, the Route will always have the spec.tls.insecureEdgeTerminationPolicy set to Redirect, which prevents requests over port 80 from succeeding.

      Documentation Considerations

      Interoperability Considerations
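
The Ingress-to-Route behavior described under Use Cases and Background, shown as manifests. This is an added illustration, not part of the original issue: all names, the host, the Secret and the generated Route name are constructed placeholders, and the annotation on the Ingress is the one this feature requests, not an existing one.

```yaml
# Constructed example: names, namespace, host and Secret are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app
  namespace: example-ns
  annotations:
    # Annotation requested by this feature; not implemented per this issue.
    route.openshift.io/insecureEdgeTerminationPolicy: "Allow"
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: example-app-tls    # cert and key are referenced from a Secret
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-app
            port:
              number: 8080
---
# Route that OpenShift generates from the Ingress above, per the issue text.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: example-app-xxxxx          # generated name (placeholder suffix)
  namespace: example-ns
spec:
  host: app.example.com
  path: /
  to:
    kind: Service
    name: example-app
  port:
    targetPort: 8080
  tls:
    termination: edge
    # Always Redirect today when the Ingress carries TLS data, so port 80
    # requests are sent to 443. The feature asks for Allow when annotated.
    insecureEdgeTerminationPolicy: Redirect
```

With Allow, the router serves everything this Route matches (host and path) over plain HTTP on port 80 as well as over HTTPS, so the setting covers all traffic to the Route and not only certificate-renewal requests.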

            mcurry@redhat.com Marc Curry
            rhn-support-andbartl Andy Bartlett
            Chris Fields
            Ashley Hardin Ashley Hardin
            Miciah Masters Miciah Masters
            Miciah Masters Miciah Masters
            Marc Curry Marc Curry
            Chris Fields Chris Fields