Bug 2096362

Summary: Router proxy protocol doesn't work with dual-stack (IPv4 and IPv6) clusters
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: Networking Assignee: Grant Spence <gspence>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: medium CC: aos-bugs, hongli, mmasters
Version: 4.11   
Target Milestone: ---   
Target Release: 4.10.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: A change to the HAProxy configuration template in OpenShift 4.8 caused the "accept-proxy" option not to be set on all "bind" lines when the configuration had more than one "bind".
Consequence: On dual-stack clusters with PROXY protocol configured, PROXY protocol was only enabled for IPv6 and was not enabled for IPv4.
Fix: The HAProxy configuration template was corrected to set "accept-proxy" on every "bind" line when PROXY protocol is configured.
Result: OpenShift now enables PROXY protocol for both IPv4 and IPv6 on dual-stack clusters with PROXY protocol configured.
Last Closed: 2022-09-13 08:28:32 UTC Type: ---
Bug Depends On: 2093454    
Bug Blocks:    

Comment 1 Arvind iyengar 2022-07-04 08:28:35 UTC
Verified with the latest "4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest" image. In the environment deployed with the patch included, it is observed that the proxy option gets applied properly for IPv4 and IPv6 haproxy interfaces in the haproxy config file:
------
oc get clusterversion                                            
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest   True        False         4m15s   Cluster version is 4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest

oc -n openshift-ingress exec router-default-6997b4f69c-qfbbq -- env | grep -e ROUTER_IP_V4_V6_MODE -e ROUTER_USE_PROXY_PROTOCOL
ROUTER_IP_V4_V6_MODE=v4v6
ROUTER_USE_PROXY_PROTOCOL=true

oc -n openshift-ingress exec router-default-6997b4f69c-qfbbq -- cat haproxy.config | grep -i accept-proxy
  bind :80 accept-proxy
  bind :::80 v6only accept-proxy
  bind :443 accept-proxy
  bind :::443 v6only accept-proxy
  bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy
------
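
The grep check from Comment 1 only shows which lines have "accept-proxy"; the regression described in the Doc Text is a "bind" line that lacks it. The following added example (not part of the bug report or the router's own code) reports such lines per address family. It assumes PROXY protocol is meant to be enabled (ROUTER_USE_PROXY_PROTOCOL=true); the function names, the frontend names and the pre-fix sample are constructed for illustration, and ports 80 and 443 come from the verified output above.

```shell
#!/bin/sh
# Added example: flag TCP "bind" lines on the given ports that lack accept-proxy.
# Reads an HAProxy config on stdin, e.g. (pod name is a placeholder):
#   oc -n openshift-ingress exec <router-pod> -- cat haproxy.config | audit_accept_proxy 80 443
# Prints one line per offending bind and returns 1 if any were found.
audit_accept_proxy() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        { sub(/^[ \t]+/, "") }                      # drop template indentation
        $1 == "bind" {
            addr = $2
            if (addr ~ /^(unix|abns|fd)@/) next     # sockets/fds: not a TCP port
            port = addr; sub(/^.*:/, "", port)      # text after the last colon
            if (!(port in want)) next               # port ranges are not expanded
            host = substr(addr, 1, length(addr) - length(port) - 1)
            fam = (host ~ /:/) ? "ipv6" : "ipv4"    # "::" or "[::]" means IPv6
            ok = 0
            for (i = 3; i <= NF; i++) if ($i == "accept-proxy") ok = 1
            if (!ok) { printf "%s port %s missing accept-proxy: %s\n", fam, port, $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample following the Doc Text: PROXY protocol only on the IPv6 binds.
sample_broken() {
    cat <<'EOF'
frontend public
  bind :80
  bind :::80 v6only accept-proxy
frontend public_ssl
  bind :443
  bind :::443 v6only accept-proxy
EOF
}

# Bind lines as shown in the verified output in Comment 1.
sample_fixed() {
    cat <<'EOF'
  bind :80 accept-proxy
  bind :::80 v6only accept-proxy
  bind :443 accept-proxy
  bind :::443 v6only accept-proxy
  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy
EOF
}

sample_broken | audit_accept_proxy 80 443 || echo "constructed pre-fix sample: findings above"
sample_fixed | audit_accept_proxy 80 443 && echo "post-fix sample: no findings"
```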

Comment 3 Arvind iyengar 2022-09-05 11:28:52 UTC
This bug has already been verified via pre-merge workflow. Changing status to reflect the same accordingly.

Comment 6 errata-xmlrpc 2022-09-13 08:28:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.32 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6372