Bug 1964482

Summary: Ipv6 IP addresses are not accepted for whitelisting
Product: OpenShift Container Platform Reporter: sajeel irkal <sirkal>
Component: NetworkingAssignee: Andrey Lebedev <alebedev>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: alebedev, aos-bugs, dcaldwel, hongli, mjoseph, mmasters, wgordon
Version: 4.4   
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-18 17:31:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1984565    

Comment 1 Miciah Dashiel Butler Masters 2021-05-25 16:13:33 UTC 
Possible fix:  https://github.com/openshift/router/pull/262

Setting severity to medium; adjust if needed.
Comment 8 Arvind iyengar 2021-06-30 08:43:59 UTC 
Verified in "4.9.0-0.nightly-2021-06-29-114024" version. With this version, it is observed that the ipv6 whitelist configuration gets added in the router backend for which the annotation is applied:
------
oc get clusterversion                         
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-06-29-114024   True        False         4h44m   Cluster version is 4.9.0-0.nightly-2021-06-29-114024

oc annotate route edge-route haproxy.router.openshift.io/ip_whitelist="2600:14a0::/40"
route.route.openshift.io/edge-route annotated

route config:
oc get route edge-route -o yaml                 
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/hsts_header: max-age=31536000
    haproxy.router.openshift.io/ip_whitelist: 2600:14a0::/40 <-----
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-06-30T07:15:43Z"
  labels:
    name: service-unsecure
  name: edge-route
  namespace: test2

Router configuration:
backend be_edge_http:test2:edge-route
  mode http
  option redispatch
  option forwardfor
  balance
  acl whitelist src 2600:14a0::/40 <---
  tcp-request content reject if !whitelist <---

  timeout check 5000ms
  http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
  http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  cookie 9e6916b23f1cdad50d8a86b48f87064e insert indirect nocache httponly secure attr SameSite=None
  http-response set-header Strict-Transport-Security 'max-age=31536000'
  server pod:web-server-rc-8lx6w:service-unsecure:http:10.129.2.25:8080 10.129.2.25:8080 cookie 1d739f57547fd5c0c5479298c4f8fe1d weight 256
------
Comment 11 errata-xmlrpc 2021-10-18 17:31:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759