Bug 1984565

Summary: Ipv6 IP addresses are not accepted for whitelisting
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: NetworkingAssignee: Andrey Lebedev <alebedev>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: alebedev, aos-bugs, dcaldwel, hongli, mmasters, wgordon
Version: 4.4   
Target Milestone: ---   
Target Release: 4.8.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-10 11:28:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1964482    
Bug Blocks: 1994645    

Comment 1 Arvind iyengar 2021-07-28 13:52:07 UTC
Verified in "4.8.0-0.ci.test-2021-07-28-122806-ci-ln-1kfykdt-latest" version. With this version, it is observed that the ipv6 whitelist configuration gets added in the router backend for which the annotation is applied:
------
oc get clusterversion                        
NAME      VERSION                                                  AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.ci.test-2021-07-28-122806-ci-ln-1kfykdt-latest   True        False         29m     Cluster version is 4.8.0-0.ci.test-2021-07-28-122806-ci-ln-1kfykdt-latest

oc get route service-unsecure -o yaml  
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 2600:14a0::/40
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-07-28T13:38:06Z"
  labels:
    name: service-unsecure
  name: service-unsecure
  namespace: test1
  resourceVersion: "47701"
  uid: eab5deed-967b-4d02-a278-f4b986a9dcf0


haproxy pod:
backend be_http:test1:service-unsecure
  mode http
  option redispatch
  option forwardfor
  balance
  acl whitelist src 2600:14a0::/40
  tcp-request content reject if !whitelist <-----
------

Comment 5 errata-xmlrpc 2021-08-10 11:28:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.4 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2983