OpenShift Request For Enhancement: RFE-2321

Annotate the ingress to create the route with the spec.tls.insecureEdgeTerminationPolicy set to Allow

    • OCPPLAN-6007 - OpenShift Core Networking Improvements

      This RFE has 6 linked cases and active customer queries.  It has been Accepted, but I would like to indicate that this one has many interested parties. I would consider a priority bump.  


      Proposed title of this feature request

      Annotate the ingress to create the route with the spec.tls.insecureEdgeTerminationPolicy set to Allow

      What is the nature and description of the request?

      If I understand the case description and customer response correctly, they want an annotation in the ingress to create the route with the spec.tls.insecureEdgeTerminationPolicy set to Allow.

      I believe you can already add an annotation to the Ingress resource to have OpenShift create a route with adjusted termination, like so:

      annotations:
        route.openshift.io/termination: "reencrypt" 

      Was hoping insecureEdgeTerminationPolicy would be another.

      Why does the customer need this? (List the business requirements here)

      We use native Kubernetes Ingress resources to expose traffic to our OpenShift services.

      We do this as Ingress resources have the ability to reference a secret for their TLS certs instead of including the TLS information directly in the route.

      When we create an ingress, OpenShift automatically creates a corresponding Route, configured based off of the Ingress resource we create.
      This works great and we are following the steps defined here:

      https://docs.openshift.com/container-platform/4.7/networking/routes/route-configuration.html#nw-ingress-creating-a-route-via-an-ingress_route-configuration

      However, when the route is created with TLS data from the ingress resource, the Route will always have the spec.tls.insecureEdgeTerminationPolicy set to Redirect, which prevents requests over port 80 from succeeding.

      Is it possible to define a label or attribute, or through some other means force OpenShift to create these corresponding Route resources with spec.tls.insecureEdgeTerminationPolicy set to Allow?

      This is to allow cert-manager http01 requests to succeed when certs need to be renewed for a host/domain the ingress resource is already set up for. Requests from cert-manager come over port 80, so having those redirect to 443 breaks cert renewal.

       

            mcurry@redhat.com Marc Curry
            rhn-support-andbartl Andy Bartlett
            Marc Curry
            Chris Fields
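An audit for the behaviour discussed in this request, added here as an example and not taken from the ticket or from OpenShift: it reads Route objects and reports how each one answers a plain-HTTP request and whether it was generated from an Ingress. The sample RouteList, its names and hosts are constructed, the function names are hypothetical, and it assumes Ingress-generated routes carry an ownerReference of kind Ingress.

```python
import json

ACME_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 challenge path (RFC 8555)

# Constructed sample in the shape of `oc get routes -A -o json`; all names are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "web-x7k2p",
               "ownerReferences": [{"kind": "Ingress", "name": "web"}]},
  "spec": {"host": "shop.example.com", "path": "/",
           "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}}},
 {"metadata": {"namespace": "shop", "name": "legacy"},
  "spec": {"host": "old.example.com",
           "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}}},
 {"metadata": {"namespace": "shop", "name": "acme-solver"},
  "spec": {"host": "shop.example.com", "path": "/.well-known/acme-challenge/tok",
           "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Allow"}}},
 {"metadata": {"namespace": "api", "name": "internal"},
  "spec": {"host": "api.example.com", "tls": {"termination": "reencrypt"}}}
]}
""")

def classify(route):
    """Say how a Route answers a request that arrives over plain HTTP (port 80)."""
    spec = route["spec"]
    tls = spec.get("tls")
    if not tls:
        return "http-only"  # no TLS configured at all
    policy = tls.get("insecureEdgeTerminationPolicy") or "None"  # unset means None
    if policy == "Redirect":
        return "redirect-to-https"
    if policy == "Allow":
        # Allow on a route limited to the challenge path exposes far less than Allow on "/".
        scoped = (spec.get("path") or "").startswith(ACME_PREFIX)
        return "plaintext-acme-path-only" if scoped else "plaintext-whole-route"
    return "https-only"

def audit(route_list):
    """Return (namespace/name, host, verdict, created_from_ingress) per route."""
    rows = []
    for r in route_list["items"]:
        meta = r["metadata"]
        # Assumption: routes generated from an Ingress are owned by it.
        owned = any(o.get("kind") == "Ingress" for o in meta.get("ownerReferences", []))
        rows.append((f'{meta["namespace"]}/{meta["name"]}', r["spec"]["host"], classify(r), owned))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

A `plaintext-whole-route` verdict means every path on that host is also served unencrypted, which is the trade-off to weigh before setting Allow only to let certificate renewal through.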