
Bug 1990826: routes without TLS are rejected for missing HSTS annotation #240

Merged
merged 1 commit into from Aug 18, 2021

Conversation

@candita (Contributor) commented Aug 10, 2021

Routes without TLS should just be admitted if they are missing HSTS annotation in a domain that requires HSTS annotation.
Error messages should have more information.

@openshift-ci openshift-ci bot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Aug 10, 2021

openshift-ci bot commented Aug 10, 2021

@candita: This pull request references Bugzilla bug 1990826, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @quarterpin

In response to this:

Bug 1990826: routes without TLS are rejected for missing HSTS annotation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

// Cannot apply HSTS if route is not TLS, but the route is still valid. Just log a warning.
tls := newRoute.Spec.TLS
if tls == nil || (tls.Termination != routeapi.TLSTerminationEdge && tls.Termination != routeapi.TLSTerminationReencrypt) {
klog.Warningf("HSTS Policy not added for %s, wrong termination type: %v", newRoute.Name, tls)
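Review bot: the warning on the last line formats the whole `*TLSConfig` with `%v`, which prints a bare `<nil>` when `tls == nil` and otherwise dumps every field of the struct (in the route API that includes the certificate and key fields), so it is uninformative in the nil case and writes more than the termination type into the apiserver log; log `tls.Termination` (or a literal such as `none` when `tls == nil`) instead. This branch also fires for every route whose termination is not edge or reencrypt, not only when an HSTS annotation or policy is involved, so the check should be gated on HSTS actually being required before anything is logged.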
Contributor

Does this log a warning on every passthrough or non-TLS route that the plugin observes? That seems a bit noisy, especially as a warning.

Contributor Author

It only tries to validate if there is HSTS added or changed:

Contributor

That means it logs a warning for each passthrough or non-TLS route that is created, right?

Contributor

The openshift-apiserver logs for the most recent e2e-aws CI job run for this PR show these warnings:

W0810 20:18:34.581431       1 admission.go:189] HSTS Policy not added for route-2, wrong termination type: <nil>
W0810 20:18:52.278999       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:19:46.207319       1 admission.go:189] HSTS Policy not added for weightedroute, wrong termination type: <nil>
W0810 20:24:01.136944       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:24:38.956535       1 admission.go:189] HSTS Policy not added for route-1, wrong termination type: <nil>
W0810 20:24:39.032518       1 admission.go:189] HSTS Policy not added for route-2, wrong termination type: <nil>
W0810 20:25:04.799717       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:26:22.782223       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:26:38.298478       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:28:18.489976       1 admission.go:189] HSTS Policy not added for passthrough-route, wrong termination type: &{passthrough     }
W0810 20:29:26.733012       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:29:31.775479       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:29:58.628117       1 admission.go:189] HSTS Policy not added for test-vjbft, wrong termination type: <nil>
W0810 20:30:38.974223       1 admission.go:189] HSTS Policy not added for 0, wrong termination type: <nil>
W0810 20:30:39.226531       1 admission.go:189] HSTS Policy not added for 4, wrong termination type: <nil>
W0810 20:30:39.541531       1 admission.go:189] HSTS Policy not added for 11, wrong termination type: <nil>
W0810 20:30:39.595524       1 admission.go:189] HSTS Policy not added for 12, wrong termination type: <nil>
W0810 20:30:45.563139       1 admission.go:189] HSTS Policy not added for test-oauth-route, wrong termination type: &{passthrough     Redirect}
W0810 20:31:06.028072       1 admission.go:189] HSTS Policy not added for route-1, wrong termination type: <nil>
W0810 20:31:06.090396       1 admission.go:189] HSTS Policy not added for route-2, wrong termination type: <nil>
W0810 20:31:06.167867       1 admission.go:189] HSTS Policy not added for route-override-domain-1, wrong termination type: <nil>
W0810 20:31:06.189040       1 admission.go:189] HSTS Policy not added for 8, wrong termination type: <nil>
W0810 20:32:09.658686       1 admission.go:189] HSTS Policy not added for route-override-domain-1, wrong termination type: <nil>
W0810 20:33:34.032948       1 admission.go:189] HSTS Policy not added for route, wrong termination type: <nil>

That could be a lot of noise on a cluster with thousands of routes. Would it make sense to skip logging for these routes, or at least reduce it from a warning to info?

Contributor Author

That's strange. I wouldn't think there'd be any HSTS annotations in CI yet.

Contributor Author

Oh yes, it checks for any newly created route and reports these warnings. It should report those warnings only if HSTS is needed, so I'll look into that.

Contributor Author

Per team chat, we will just ignore silently for now, and address missing annotations on routes as route status in https://issues.redhat.com/browse/NE-678
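As an added illustration of the admission rule this PR describes (a route that cannot carry HSTS is admitted; only a TLS-terminating route under a domain that requires HSTS is rejected when the annotation is missing, with an error that says what is missing) and of the decision above to admit such routes silently rather than log on each one, here is a self-contained Go sketch. It is example code, not the plugin's or the project's own: the `Route` and `TLSConfig` types, the `requiredDomains` list and the route names are constructed stand-ins for the route API and the cluster's HSTS policy, and the example checks only that the annotation is present, not what it contains. The annotation key is the OpenShift router's HSTS annotation.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the OpenShift route API types (the real ones live in
// github.com/openshift/api/route/v1); constructed for this example only.
type TLSTermination string

const (
	TLSTerminationEdge        TLSTermination = "edge"
	TLSTerminationPassthrough TLSTermination = "passthrough"
	TLSTerminationReencrypt   TLSTermination = "reencrypt"
)

// TLSConfig carries only the termination field this check needs.
type TLSConfig struct {
	Termination TLSTermination
}

// Route is a minimal stand-in for routeapi.Route: name, host, annotations, TLS.
type Route struct {
	Name        string
	Host        string
	Annotations map[string]string
	TLS         *TLSConfig
}

// HSTSAnnotation is the router annotation that carries the HSTS header value.
const HSTSAnnotation = "haproxy.router.openshift.io/hsts_header"

// hstsApplies reports whether an HSTS policy can take effect on the route at all.
// HSTS is a response header the router adds, so it is only meaningful when the
// router terminates TLS (edge or reencrypt). Passthrough traffic is opaque to the
// router, and a route without TLS is served over plain HTTP where HSTS is never
// sent, so neither kind can be held to an HSTS requirement.
func hstsApplies(r Route) bool {
	if r.TLS == nil {
		return false
	}
	return r.TLS.Termination == TLSTerminationEdge || r.TLS.Termination == TLSTerminationReencrypt
}

// domainRequiresHSTS reports whether host is one of, or a subdomain of, the
// domains for which the cluster policy requires HSTS (requiredDomains is a
// constructed stand-in for that policy).
func domainRequiresHSTS(host string, requiredDomains []string) bool {
	host = strings.ToLower(host)
	for _, d := range requiredDomains {
		d = strings.ToLower(d)
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// validateHSTS is the admission decision the PR arrives at: a route that cannot
// carry HSTS is admitted silently; a TLS-terminating route under a required
// domain must carry the annotation, and the rejection names the route, its host
// and the missing annotation key so the error is actionable.
func validateHSTS(r Route, requiredDomains []string) error {
	if !hstsApplies(r) {
		return nil // nothing to enforce: HSTS does not apply to this route
	}
	if !domainRequiresHSTS(r.Host, requiredDomains) {
		return nil
	}
	if _, ok := r.Annotations[HSTSAnnotation]; !ok {
		return fmt.Errorf("route %q (host %q) is under an HSTS-required domain but lacks the %s annotation",
			r.Name, r.Host, HSTSAnnotation)
	}
	return nil
}

func main() {
	required := []string{"apps.example.com"} // constructed policy
	routes := []Route{
		{Name: "route-1", Host: "plain.apps.example.com"}, // no TLS at all
		{Name: "passthrough-route", Host: "pt.apps.example.com", TLS: &TLSConfig{Termination: TLSTerminationPassthrough}},
		{Name: "edge-missing", Host: "edge.apps.example.com", TLS: &TLSConfig{Termination: TLSTerminationEdge}},
		{Name: "edge-ok", Host: "edge2.apps.example.com", TLS: &TLSConfig{Termination: TLSTerminationEdge},
			Annotations: map[string]string{HSTSAnnotation: "max-age=31536000;includeSubDomains"}},
		{Name: "other-domain", Host: "svc.other.example.org", TLS: &TLSConfig{Termination: TLSTerminationReencrypt}},
	}
	for _, r := range routes {
		if err := validateHSTS(r, required); err != nil {
			fmt.Printf("%-18s rejected: %v\n", r.Name, err)
		} else {
			fmt.Printf("%-18s admitted\n", r.Name)
		}
	}
}
```

Running it admits every route except `edge-missing`; the point of `hstsApplies` is that the "not applicable" case returns before any policy lookup, so plain-HTTP and passthrough routes never reach the annotation check and produce no log line.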


candita commented Aug 12, 2021

FAIL: API "openshift-api-available-new-connections" was unreachable during disruption (AWS has a known issue: https://bugzilla.redhat.com/show_bug.cgi?id=1943804) for at least 15s of 1h27m30s (0%):
/test e2e-aws-upgrade


Miciah commented Aug 16, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 16, 2021
@@ -108,6 +108,15 @@ func (o *requiredRouteAnnotations) Validate(ctx context.Context, a admission.Att
}
}

newRoute := a.GetObject().(*routeapi.Route)
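Review bot: `newRoute := a.GetObject().(*routeapi.Route)` is a single-value type assertion, so if the attributes ever carry something other than a `*routeapi.Route` (or a nil object) the plugin panics inside the apiserver instead of returning an admission error; use the two-value form `newRoute, ok := a.GetObject().(*routeapi.Route)` and return an error when `!ok`. If `Validate` already holds this object in a variable higher up, as the review question on this line suggests, reuse that variable rather than asserting a second time.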
Contributor

why not the one 20 lines higher?

Contributor Author

Thanks!

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Aug 16, 2021

openshift-ci bot commented Aug 16, 2021

@candita: This pull request references Bugzilla bug 1990826, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @quarterpin

In response to this:

Bug 1990826: routes without TLS are rejected for missing HSTS annotation



candita commented Aug 17, 2021

STEP: ensuring all cluster operators are stable
Aug 17 00:16:54.270: FAIL: Some cluster operators are not ready: image-registry (Degraded=True ImagePrunerJobFailed: ImagePrunerDegraded: Job has reached the specified backoff limit)

/test e2e-aws

@quarterpin

/bugzilla cc-qa


openshift-ci bot commented Aug 17, 2021

@quarterpin: This pull request references Bugzilla bug 1990826, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.0) matches configured target release for branch (4.9.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @quarterpin

In response to this:

/bugzilla cc-qa


@quarterpin

/lgtm
/label qe-approved

Verified via pre-merge verification workflow, more references related to the test can be found in:
https://bugzilla.redhat.com/show_bug.cgi?id=1990826#c4

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Aug 17, 2021
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 17, 2021

Miciah commented Aug 17, 2021

[sig-arch] events should not repeat pathologically
3 events happened too frequently

event happened 23 times, something is wrong: ns/cmd-env deploymentconfig/testdc - reason/DeploymentAwaitingCancellation Deployment of version 2 awaiting cancellation of older running deployments
event happened 23 times, something is wrong: ns/cmd-volumes deploymentconfig/test-deployment-config - reason/DeploymentAwaitingCancellation Deployment of version 2 awaiting cancellation of older running deployments
event happened 22 times, something is wrong: ns/cmd-basicresources deploymentconfig/test-deployment-config - reason/DeploymentAwaitingCancellation Deployment of version 2 awaiting cancellation of older running deployments

/test e2e-cmd


Miciah commented Aug 17, 2021

/test e2e-cmd


Miciah commented Aug 17, 2021

error: error creating buildah builder: Error reading signatures: Error downloading signatures for sha256:7e0a26a6957250636be130cc454b15e13a5ec545650fb5698ffb0b66c02c02d5 in registry.build02.ci.openshift.org/ci/managed-clonerefs: received unexpected HTTP status: 504 Gateway Time-out

/test e2e-cmd


Miciah commented Aug 18, 2021

Looks like e2e-cmd keeps hitting BZ#1990041.
/test e2e-cmd


openshift-ci bot commented Aug 18, 2021

@candita: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name          Commit   Details   Rerun command
ci/prow/e2e-cmd    a8c6e73  link      /test e2e-cmd

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.


deads2k commented Aug 18, 2021

/approve


openshift-ci bot commented Aug 18, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita, deads2k, Miciah, quarterpin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 18, 2021
@openshift-ci openshift-ci bot merged commit 04b49d3 into openshift:master Aug 18, 2021

openshift-ci bot commented Aug 18, 2021

@candita: All pull requests linked via external trackers have merged:

Bugzilla bug 1990826 has been moved to the MODIFIED state.

In response to this:

Bug 1990826: routes without TLS are rejected for missing HSTS annotation

