#OCPBUGS-18387 | issue | 3 weeks ago | [CORS-2550] Installer should have pre-check for vm type, DES encryption type when install with Confidential VM ASSIGNED |
Issue 15452967: [CORS-2550] Installer should have pre-check for vm type, DES encryption type when install with Confidential VM

Description:

Description of problem:
{code:none}
Install IPI cluster with confidential VM, installer should have pre-check for vm type, disk encryption type etc to avoid installation failing during infrastructure creation.

1. vm type

Different security types are supported on different vm types. For example, set platform.azure.defaultMachinePlatform.type to Standard_DC8ads_v5 and platform.azure.defaultMachinePlatform.settings.securityType to TrustedLaunch; installation will fail as Standard_DC8ads_v5 only supports security type ConfidentialVM.

ERROR Error: creating Linux Virtual Machine: (Name "jimaconf1-89qmp-bootstrap" / Resource Group "jimaconf1-89qmp-rg"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The VM size 'Standard_DC16ads_v5' is not supported for creation of VMs and Virtual Machine Scale Set with 'TrustedLaunch' security type."

2. Disk encryption Set

When installing a cluster with ConfidentialVM + securityEncryptionType: DiskWithVMGuestState and using a customer-managed key, it requires that the DES encryption type is ConfidentialVmEncryptedWithCustomerKey, else the installer throws the error below:

08-31 10:12:54.443 level=error msg=Error: creating Linux Virtual Machine: (Name "jima30confa-vtrm2-bootstrap" / Resource Group "jima30confa-vtrm2-rg"): compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="The type of the Disk Encryption Set in the request is 'ConfidentialVmEncryptedWithCustomerKey', but this Disk Encryption Set was created with type 'EncryptionAtRestWithCustomerKey'." Target="/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/jima30confa-vtrm2-rg/providers/Microsoft.Compute/disks/jima30confa-vtrm2-bootstrap_OSDisk"

Installer should check vm type and DES's encryption type to make sure that the expected DES is set.
{code}

Version-Release number of selected component (if applicable):
{code:none}
4.14 nightly build
{code}

How reproducible:
{code:none}
Always
{code}

Steps to Reproduce:
{code:none}
1. Prepare install-config,
   1) enable confidentialVM but use vm type which does not support Confidential VM
   2) enable TrustedLaunch but use vm type which supports confidentialVM
   3) enable confidentialVM + securityEncryptionType: DiskWithVMGuestState, use customer-managed key to encrypt managed key, but customer-managed key's encryption type is the default one "EncryptionAtRestWithPlatformKey"
2. Create cluster
3.
{code}

Actual results:
{code:none}
Installation failed when creating infrastructure
{code}

Expected results:
{code:none}
Installer should have pre-check for those scenarios, and exit with expected error message.
{code}

Additional info:
{code:none}
{code}

Status: ASSIGNED

{code:none}
INFO Credentials loaded from file "/home/fedora/.azure/osServicePrincipal.json"
FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to generate asset "Platform Provisioning Check": platform.azure.defaultMachinePlatform.osDisk.securityProfile.diskEncryptionSet: Invalid value: azure.DiskEncryptionSet{SubscriptionID:"53b8f551-f0fc-4bea-8cba-6d1fefd54c8a", ResourceGroup:"ci-op-rxgtqhc5-6d0a6-rg", Name:"ci-op-rxgtqhc5-6d0a6-des"}: the disk encryption set should be created with type ConfidentialVmEncryptedWithCustomerKey
{code}

Then create DES with encryption type ConfidentialVmEncryptedWithCustomerKey, and enable ConfidentialVM + DiskWithVMGuestState + CMK in install-config.yaml; the pre-check passes and the installer continues creating resources.
#OCPBUGS-31516 | issue | 5 days ago | SNO installation failing on Fedora 39: CanaryChecksSucceeding=False New |
Issue 15908399: SNO installation failing on Fedora 39: CanaryChecksSucceeding=False

Description:

Description of problem:
{code:none}
Installation of OpenShift SNO (different versions, 4.12 and newer) fails on my recently installed Fedora 39 host.
The following cluster operators are degraded: authentication, console, ingress
{code}

Version-Release number of selected component (if applicable):
{code:none}
{code}

How reproducible:
{code:none}
always
{code}

Steps to Reproduce:
{code:none}
1. Create cluster at https://console.redhat.com/openshift/assisted-installer/clusters/~new
2. Download "full ISO image (with LVM)"
3. Start installation
{code}

Actual results:
{code:none}
$ oc get co | awk 'NF > 6 {print $0}'
NAME             VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication   4.15.3    False       False         True       7m27s   OAuthServerRouteEndpointAccessibleControllerAvailable: Get "https://oauth-openshift.apps.ocpa.ocp.internal/healthz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
console          4.15.3    False       True          True       97m     RouteHealthAvailable: failed to GET route (https://console-openshift-console.apps.ocpa.ocp.internal): Get "https://console-openshift-console.apps.ocpa.ocp.internal": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
ingress          4.15.3    True        False         True       3h48m   The "default" ingress controller reports Degraded=True: DegradedConditions: One or more other status conditions indicate a degraded state: CanaryChecksSucceeding=False (CanaryChecksRepetitiveFailures: Canary route checks for the default ingress controller are failing)
{code}

Expected results:
{code:none}
working cluster
{code}

Additional info:
{code:none}
https://access.redhat.com/solutions/5891131 did not resolve the issue
The following is the output of the commands in https://access.redhat.com/solutions/5891131

$ SVC_IP=$(oc get svc -n openshift-ingress-canary -ojsonpath={..clusterIP})
$ for i in `oc get po -n openshift-ingress-operator | grep -v NAME | awk '{print $1}'` ; do oc exec -n openshift-ingress-operator -c ingress-operator $i -- curl http://${SVC_IP}:8080 -s -D - ; done
HTTP/1.1 200 OK
X-Request-Port: 8080
Date: Thu, 28 Mar 2024 20:25:43 GMT
Content-Length: 22
Content-Type: text/plain; charset=utf-8

Healthcheck requested

$ ROUTE=$(oc get route -n openshift-ingress-canary -ojsonpath={..host})
$ for i in `oc get po -n openshift-ingress-operator | grep -v NAME | awk '{print $1}'` ; do oc exec -n openshift-ingress-operator -c ingress-operator $i -- curl http://${ROUTE} -sS -k -D - ; done
HTTP/1.1 302 Found
content-length: 0
location: https://canary-openshift-ingress-canary.apps.ocpa.ocp.internal/
cache-control: no-cache

$ ROUTE=$(oc get route -n openshift-ingress-canary -ojsonpath={..host})
$ for i in `oc get po -n openshift-ingress-operator | grep -v NAME | awk '{print $1}'` ; do oc exec -n openshift-ingress-operator -c ingress-operator $i -- dig ${ROUTE} +nocmd +noall +answer ; done
canary-openshift-ingress-canary.apps.ocpa.ocp.internal. 5 IN A 192.168.122.150

$ oc get pods -o wide -n openshift-ingress
NAME                              READY   STATUS    RESTARTS   AGE   IP                NODE   NOMINATED NODE   READINESS GATES
router-default-5b4bf785f9-ln9gr   1/1     Running   0          25m   192.168.122.150   ocpa   <none>           <none>

$ curl -kv --resolve ${ROUTE}:80:192.168.122.150 http://${ROUTE}
* processing: http://canary-openshift-ingress-canary.apps.ocpa.ocp.internal
* Added canary-openshift-ingress-canary.apps.ocpa.ocp.internal:80:192.168.122.150 to DNS cache
* Hostname canary-openshift-ingress-canary.apps.ocpa.ocp.internal was found in DNS cache
*   Trying 192.168.122.150:80...
* Connected to canary-openshift-ingress-canary.apps.ocpa.ocp.internal (192.168.122.150) port 80
> GET / HTTP/1.1
> Host: canary-openshift-ingress-canary.apps.ocpa.ocp.internal
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 302 Found
< content-length: 0
< location: https://canary-openshift-ingress-canary.apps.ocpa.ocp.internal/
< cache-control: no-cache
<
* Connection #0 to host canary-openshift-ingress-canary.apps.ocpa.ocp.internal left intact

$ curl -kv --resolve ${ROUTE}:443:192.168.122.150 https://${ROUTE}
* processing: https://canary-openshift-ingress-canary.apps.ocpa.ocp.internal
* Added canary-openshift-ingress-canary.apps.ocpa.ocp.internal:443:192.168.122.150 to DNS cache
* Hostname canary-openshift-ingress-canary.apps.ocpa.ocp.internal was found in DNS cache
*   Trying 192.168.122.150:443...
* Connected to canary-openshift-ingress-canary.apps.ocpa.ocp.internal (192.168.122.150) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=*.apps.ocpa.ocp.internal
*  start date: Mar 28 16:27:46 2024 GMT
*  expire date: Mar 28 16:27:47 2026 GMT
*  issuer: CN=ingress-operator@1711643266
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: canary-openshift-ingress-canary.apps.ocpa.ocp.internal
> User-Agent: curl/8.2.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 200 OK
< x-request-port: 8080
< date: Thu, 28 Mar 2024 19:53:17 GMT
< content-length: 22
< content-type: text/plain; charset=utf-8
< set-cookie: c6e529a6ab19a530fd4f1cceb91c08a9=b0cb1ae85d5d1fab68608cecda8bc167; path=/; HttpOnly; Secure; SameSite=None
<
Healthcheck requested
* Connection #0 to host canary-openshift-ingress-canary.apps.ocpa.ocp.internal left intact
{code}

Status: New
#OCPBUGS-21870 | issue | 3 weeks ago | osus deployment fails verifying registry certificate ON_QA |
Issue 15567678: osus deployment fails verifying registry certificate

Description:

Description of problem:
{code:none}
osus deployment fails verifying registry certificate
{code}

Version-Release number of selected component (if applicable):
{code:none}
4.10.z
{code}

How reproducible:
{code:none}
Always
{code}

Steps to Reproduce:
{code:none}
1. Deploy an OSUS graph pod [1] using a local Quay registry that has a valid certificate that is provided from LetsEncrypt
2. graph update trigger fails stating that it is unable to get the issuer certificate

[1] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/updating_clusters/index#update-service-create-service
{code}

Actual results:
{code:none}
[2023-10-14T15:32:58Z DEBUG graph_builder::graph] graph update triggered
[2023-10-14T15:32:58Z TRACE cincinnati::plugins] Running next plugin 'release-scrape-dockerv2'
[2023-10-14T15:32:58Z ERROR graph_builder::graph] failed to fetch all release metadata from mirror.syangsao.net:8443/ocp4/openshift/release
[2023-10-14T15:32:58Z ERROR graph_builder::graph] http transport error: error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
{code}

Expected results:
{code:none}
Certificate validation should work, especially for a trusted certificate provided by LetsEncrypt
{code}

Additional info:
{code:none}
oc logs osus-test-5bcf488987-t64w9
Defaulted container "graph-builder" out of: graph-builder, policy-engine, graph-data (init)
[2023-10-14T15:22:58Z DEBUG graph_builder] application settings: AppSettings {
    address: ::,
    credentials_path: None,
    mandatory_client_parameters: {},
    manifestref_key: "io.openshift.upgrades.graph.release.manifestref",
    path_prefix: "",
    pause_secs: 300s,
    scrape_timeout_secs: None,
    port: 8080,
    registry: "quay.io",
    repository: "openshift-release-dev/ocp-release",
    status_address: ::,
    status_port: 9080,
    verbosity: Trace,
    fetch_concurrency: 16,
    metrics_required: {
        "graph_upstream_raw_releases",
    },
    plugin_settings: [
        ReleaseScrapeDockerv2Settings {
            registry: "mirror.syangsao.net:8443",
            repository: "ocp4/openshift/release",
            manifestref_key: "io.openshift.upgrades.graph.release.manifestref",
            fetch_concurrency: 16,
            username: None,
            password: None,
            credentials_path: Some(
                "/var/lib/cincinnati/registry-credentials/.dockerconfigjson",
            ),
        },
        OpenshiftSecondaryMetadataParserSettings {
            data_directory: "/var/lib/cincinnati/graph-data",
            key_prefix: "io.openshift.upgrades.graph",
            default_arch: "amd64",
            disallowed_errors: {},
        },
        EdgeAddRemovePlugin {
            key_prefix: "io.openshift.upgrades.graph",
            remove_all_edges_value: "*",
            remove_consumed_metadata: false,
            include_conditional_edges: true,
        },
    ],
    tracing_endpoint: None,
}
[2023-10-14T15:22:58Z DEBUG graph_builder::graph] graph update triggered
[2023-10-14T15:22:58Z TRACE cincinnati::plugins] Running next plugin 'release-scrape-dockerv2'
[2023-10-14T15:22:58Z ERROR graph_builder::graph] failed to fetch all release metadata from mirror.syangsao.net:8443/ocp4/openshift/release
[2023-10-14T15:22:58Z ERROR graph_builder::graph] http transport error: error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:22:58Z ERROR graph_builder::graph] error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:22:58Z ERROR graph_builder::graph] error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:22:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:22:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
[2023-10-14T15:27:58Z DEBUG graph_builder::graph] graph update triggered
[2023-10-14T15:27:58Z TRACE cincinnati::plugins] Running next plugin 'release-scrape-dockerv2'
[2023-10-14T15:27:58Z ERROR graph_builder::graph] failed to fetch all release metadata from mirror.syangsao.net:8443/ocp4/openshift/release
[2023-10-14T15:27:58Z ERROR graph_builder::graph] http transport error: error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:27:58Z ERROR graph_builder::graph] error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:27:58Z ERROR graph_builder::graph] error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:27:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:27:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
[2023-10-14T15:32:58Z DEBUG graph_builder::graph] graph update triggered
[2023-10-14T15:32:58Z TRACE cincinnati::plugins] Running next plugin 'release-scrape-dockerv2'
[2023-10-14T15:32:58Z ERROR graph_builder::graph] failed to fetch all release metadata from mirror.syangsao.net:8443/ocp4/openshift/release
[2023-10-14T15:32:58Z ERROR graph_builder::graph] http transport error: error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error sending request for url (https://mirror.syangsao.net:8443/v2/): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get issuer certificate)
[2023-10-14T15:32:58Z ERROR graph_builder::graph] error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:

# Certificate is valid
curl -k -v -s https://mirror.syangsao.net:8443/v2/
*   Trying 192.168.40.15:8443...
* Connected to mirror.syangsao.net (192.168.40.15) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mirror.syangsao.net
*  start date: Jul 31 00:00:00 2023 GMT
*  expire date: Oct 29 23:59:59 2023 GMT
*  issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* Using Stream ID: 1 (easy handle 0x556164192850)
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /v2/ HTTP/2
> Host: mirror.syangsao.net:8443
> user-agent: curl/7.76.1
> accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
< HTTP/2 401
< server: nginx/1.20.1
< date: Sat, 14 Oct 2023 15:39:07 GMT
< content-type: text/html; charset=utf-8
< content-length: 4
< www-authenticate: Bearer realm="https://mirror.syangsao.net:8443/v2/auth",service="mirror.syangsao.net:8443"
< docker-distribution-api-version: registry/2.0
<
* Connection #0 to host mirror.syangsao.net left intact
true
{code}

Status: ON_QA
#OCPBUGS-31812 | issue | 3 days ago | Behavior on OpenShift ingress route time out for HTTPS request New |
Issue 15923515: Behavior on OpenShift ingress route time out for HTTPS request

Description:

>>> Tested with the annotation haproxy.router.openshift.io/timeout: both HTTP and HTTPS requests can time out per the value set in the annotation.

>>> Without the timeout annotation we expect to see both HTTP and HTTPS requests time out per the default value of 30s explained below:
https://access.redhat.com/documentation/zh-cn/red_hat_process_automation_manager/7.1/html/managing_and_monitoring_process_server/configuring-openshift-connection-timeout-proc

While in fact we observed the default timeout of 30s only works for HTTP requests. Following are the test steps, helped by the fixed delay function in a service mesh virtual service.

** HTTP test:

1. gateway route port: 8080
{code:java}
holly [ ~ ]$ oc get route -n istio-system
NAME                   HOST/PORT                                                                    PATH   SERVICES               PORT    TERMINATION        WILDCARD
grafana                grafana-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io                       grafana                <all>   reencrypt/Redirect None
istio-ingressgateway   istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io          istio-ingressgateway   8080                       None
{code}

2. bookinfo gateway port 80, protocol HTTP:
{code:java}
servers:
- port:
    number: 80
    name: http
    protocol: HTTP
{code}

3. edited bookinfo virtual service to have fixed delay 60s:
{code:java}
Spec:
  Gateways:
    bookinfo-gateway
  Hosts:
    *
  Http:
    Fault:
      Delay:
        Fixed Delay:  60s
        Percentage:
          Value:  100
{code}

4. tested curling istio-gateway host with HTTP protocol and getting 504 after 30s:
{code:java}
holly [ ~ ]$ date; curl -v -k http://istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io/productpage; date
Thu Apr  4 04:13:19 AM UTC 2024
* Host istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io:80 was resolved.
* IPv6: (none)
* IPv4: 137.135.78.52
*   Trying 137.135.78.52:80...
* Connected to istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io (137.135.78.52) port 80
> GET /productpage HTTP/1.1
> Host: istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 504 Gateway Time-out
< content-length: 92
< cache-control: no-cache
< content-type: text/html
<
<html><body><h1>504 Gateway Time-out</h1>
The server didn't respond in time.
</body></html>
* Connection #0 to host istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io left intact
Thu Apr  4 04:13:50 AM UTC 2024
holly [ ~ ]$
{code}

** HTTPS test

1. add secret in istio-system namespace for TLS use
{code:java}
holly [ ~ ]$ oc get secret -n istio-system | grep superdomain
mysuperdomain-certs   kubernetes.io/tls   2   17h
{code}

2. edit istio gateway route to use HTTPS and tls termination:
{code:java}
holly [ ~ ]$ oc get route -n istio-system
NAME                   HOST/PORT                                                                    PATH   SERVICES               PORT    TERMINATION        WILDCARD
grafana                grafana-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io                       grafana                <all>   reencrypt/Redirect None
istio-ingressgateway   istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io          istio-ingressgateway   https   passthrough        None
{code}

3. edit bookinfo gateway to use HTTPS and tls:
{code:java}
Spec:
  Selector:
    Istio:  ingressgateway
  Servers:
    Hosts:
      *
    Port:
      Name:      https
      Number:    443
      Protocol:  HTTPS
    Tls:
      Credential Name:  mysuperdomain-certs
      Mode:             SIMPLE
{code}

4. didn't change the bookinfo virtual service yaml in regards to the HTTPS change, kept 60s fixed delay:
{code:java}
Spec:
  Gateways:
    bookinfo-gateway
  Hosts:
    *
  Http:
    Fault:
      Delay:
        Fixed Delay:  60s
        Percentage:
          Value:  100
    Match:
      Uri:
        Exact:  /productpage
      Uri:
        Prefix:  /static
      Uri:
        Exact:  /login
      Uri:
        Exact:  /logout
      Uri:
        Prefix:  /api/v1/products
    Route:
      Destination:
        Host:  productpage
        Port:
          Number:  9080
{code}

5. tested curling istio gateway host with HTTPS and getting succeeded after 60s:
{code:java}
holly [ ~ ]$ date; curl -v -k https://istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io/productpage; date
Thu Apr  4 05:06:26 AM UTC 2024
* Host istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io:443 was resolved.
* IPv6: (none)
* IPv4: 137.135.78.52
*   Trying 137.135.78.52:443...
* Connected to istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io (137.135.78.52) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=helloworld.mysuperdomain.com; O=hello world from mysuperdomain.com
*  start date: Apr  3 11:46:24 2024 GMT
*  expire date: Apr  3 11:46:24 2025 GMT
*  issuer: O=$DOMAIN_NAME Inc.; CN=$DOMAIN_NAME
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
*   Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io/productpage
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io]
* [HTTP/2] [1] [:path: /productpage]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET /productpage HTTP/2
> Host: istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io
> User-Agent: curl/8.5.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
< content-type: text/html; charset=utf-8
< content-length: 5290
< server: istio-envoy
< date: Thu, 04 Apr 2024 05:07:28 GMT
< x-envoy-upstream-service-time: 1226
<
<!DOCTYPE html>
<html>
<head>
<title>Simple Bookstore App</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="static/bootstrap/css/bootstrap.min.css">
<!-- Optional theme -->
<link rel="stylesheet" href="static/bootstrap/css/bootstrap-theme.min.css">
</head>
<body>
<nav class="navbar navbar-inverse navbar-static-top">
<div class="container">
<div class="navbar-header">
<a class="navbar-brand" href="#">BookInfo Sample</a>
</div>
<button type="button" class="btn btn-default navbar-btn navbar-right" data-toggle="modal" href="#login-modal">Sign in</button>
</div>
</nav>
<!---
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header pull-left">
<a class="navbar-brand" href="#">Microservices Fabric BookInfo Demo</a>
</div>
<div class="navbar-header pull-right">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
</div>
<div class="navbar-collapse collapse">
<button type="button" class="btn btn-default navbar-btn pull-right" data-toggle="modal" data-target="#login-modal">Sign in</button>
</div>
</div>
</div>
-->
<div id="login-modal" class="modal fade" role="dialog">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal">&times;</button>
<h4 class="modal-title">Please sign in</h4>
</div>
<div class="modal-body">
<form method="post" action='login' name="login_form">
<p><input type="text" class="form-control" name="username" id="username" placeholder="User Name"></p>
<p><input type="password" class="form-control" name="passwd" placeholder="Password"></p>
<p>
<button type="submit" class="btn btn-primary">Sign in</button>
<button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
</p>
</form>
</div>
</div>
</div>
</div>
<div class="container-fluid">
<div class="row">
<div class="col-md-12">
<h3 class="text-center text-primary">The Comedy of Errors</h3>
<p>Summary: <a href="https://en.wikipedia.org/wiki/The_Comedy_of_Errors">Wikipedia Summary</a>: The Comedy of Errors is one of <b>William Shakespeare's</b> early plays. It is his shortest and one of his most farcical comedies, with a major part of the humour coming from slapstick and mistaken identity, in addition to puns and word play.</p>
</div>
</div>
<div class="row">
<div class="col-md-6">
<h4 class="text-center text-primary">Book Details</h4>
<dl>
<dt>Type:</dt>paperback
<dt>Pages:</dt>200
<dt>Publisher:</dt>PublisherA
<dt>Language:</dt>English
<dt>ISBN-10:</dt>1234567890
<dt>ISBN-13:</dt>123-1234567890
</dl>
</div>
<div class="col-md-6">
<h4 class="text-center text-primary">Book Reviews</h4>
<blockquote>
<p>An extremely entertaining play by Shakespeare. The slapstick humour is refreshing!</p> <small>Reviewer1</small>
<font color="red">
<!-- full stars: -->
<span class="glyphicon glyphicon-star"></span>
<span class="glyphicon glyphicon-star"></span>
<span class="glyphicon glyphicon-star"></span>
<span class="glyphicon glyphicon-star"></span>
<span class="glyphicon glyphicon-star"></span>
<!-- empty stars: -->
</font>
</blockquote>
<blockquote>
<p>Absolutely fun and entertaining. The play lacks thematic depth when compared to other plays by Shakespeare.</p> <small>Reviewer2</small>
<font color="red">
<!-- full stars: -->
<span class="glyphicon glyphicon-star"></span>
<span class="glyphicon glyphicon-star"></span>
<span class="glyphicon glyphicon-star"></span>
<span class="glyphicon glyphicon-star"></span>
<!-- empty stars: -->
<span class="glyphicon glyphicon-star-empty"></span>
</font>
</blockquote>
<dl>
<dt>Reviews served by:</dt>
<u>reviews-v3-55f9d7445c-rqdvf</u>
</dl>
</div>
</div>
</div>
<!-- Latest compiled and minified JavaScript -->
<script src="static/jquery.min.js"></script>
<!-- Latest compiled and minified JavaScript -->
<script src="static/bootstrap/js/bootstrap.min.js"></script>
<script type="text/javascript">
  $('#login-modal').on('shown.bs.modal', function () {
    $('#username').focus();
  });
</script>
</body>
</html>
* Connection #0 to host istio-ingressgateway-istio-system.apps.zluc3jm0e8382cc5f9.eastus.aroapp.io left intact
Thu Apr  4 05:07:28 AM UTC 2024
{code}

Status: New