Bug 2104481

Summary: PROXY protocol is not configurable for "private" endpoint publishing strategy
Product: OpenShift Container Platform
Reporter: Pablo Alonso Rodriguez <palonsor>
Component: Networking
Assignee: Miciah Dashiel Butler Masters <mmasters>
Networking sub component: router
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: medium
CC: hongli, jaldinge, johlong, mmasters, shudili
Version: 4.10
Target Milestone: ---
Target Release: 4.12.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
*Previously, the IngressController could not be configured with `Private` endpoint publishing strategy and PROXY protocol. With this update, users can now configure an IngressController with both the `Private` endpoint publishing strategy type and PROXY protocol. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2104481[*BZ#2104481*])
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-17 19:51:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Pablo Alonso Rodriguez 2022-07-06 11:40:28 UTC
Description of problem:

When the proxy protocol configuration was implemented, for some reason it was only implemented for the "HostNetwork" and "NodePort" endpoint publishing strategies, but not for the "Private" one. We should be able to implement it in the "Private" one.

OpenShift release version:

4.10

Cluster Platform:

Irrelevant.

How reproducible:

Always

Steps to Reproduce (in detail):
1. Configure proxy protocol for "private" endpoint publishing strategy

Actual results:

Not configurable

Expected results:

Configurable

Impact of the problem:

In some environments where "private" strategy + custom service must be used, lacking proxy protocol hides real source IPs to the router, which can have severe security implications.

Additional info:

The PROXY protocol was implemented as a result of https://issues.redhat.com/browse/RFE-401. Neither in the RFE nor in the trackers can I find any reference to why this was implemented only for those strategies, as it was requested as just a global option. So this means the feature was implemented mistakenly, which is a bug.

Comment 3 Miciah Dashiel Butler Masters 2022-07-07 19:27:09 UTC
We will handle this as a BZ.

Comment 6 Arvind Iyengar 2022-07-18 06:21:43 UTC
Verified in "4.12.0-0.nightly-2022-07-17-174647" release. With this payload, it is observed that the "Private" type ingresscontroller allows the "PROXY" option to be set correctly in the pod configuration:
------
oc get clusterversion           
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-07-17-174647   True        False         3h22m   Cluster version is 4.12.0-0.nightly-2022-07-17-174647

oc -n openshift-ingress-operator get ingresscontroller internalapps -o jsonpath={.spec} | jq
{
  "clientTLS": {
    "clientCA": {
      "name": ""
    },
    "clientCertificatePolicy": ""
  },
  "domain": "internalapps.aiyengar412qq.qe.azure.devcluster.openshift.com",
  "endpointPublishingStrategy": {
    "private": {
      "protocol": "PROXY"
    },
    "type": "Private"
  },


oc -n openshift-ingress get pods -o wide                                 
NAME                                   READY   STATUS    RESTARTS   AGE     IP            NODE                                               NOMINATED NODE   READINESS GATES
router-internalapps-57df5858b6-5885h   2/2     Running   0          37s     10.131.0.20   aiyengar412qq-7mm4j-worker-southcentralus1-t8lbw   <none>           <none>
router-internalapps-57df5858b6-znzqj   2/2     Running   0          37s     10.128.2.20   aiyengar412qq-7mm4j-worker-southcentralus3-9z2tv   <none>           <none>


oc -n openshift-ingress exec router-internalapps-57df5858b6-5885h -- env | grep ROUTER_USE_PROXY_PROTOCOL
ROUTER_USE_PROXY_PROTOCOL=true


oc -n openshift-ingress exec router-internalapps-57df5858b6-5885h -- cat haproxy.config| grep -i 'accept-proxy'
  bind :80 accept-proxy
  bind :443 accept-proxy
------
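The impact statement in the description (without PROXY protocol the router only sees the load balancer's or service's IP) and the `bind :443 accept-proxy` lines above are illustrated by the following added example, which is not code from the bug report or from OpenShift: it parses the PROXY protocol v1 header that an `accept-proxy` listener consumes and shows which client address the router would observe with and without it. The sample header, addresses and request bytes are constructed for the example.

```python
import ipaddress

# Constructed sample: bytes arriving at the router listener from a load balancer
# that prepends a PROXY protocol v1 header (not captured from the page's cluster).
SAMPLE_WITH_HEADER = (
    b"PROXY TCP4 203.0.113.7 10.131.0.20 51234 443\r\n"
    b"GET / HTTP/1.1\r\nHost: internalapps.example.test\r\n\r\n"
)
# The same request without the header, i.e. what a listener without accept-proxy sees.
SAMPLE_WITHOUT_HEADER = b"GET / HTTP/1.1\r\nHost: internalapps.example.test\r\n\r\n"


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 header from the start of a connection.

    Returns (source_ip, source_port, remaining_payload), or None when no
    well-formed header is present. The header must end with CRLF within the
    first 107 bytes (the v1 size limit). The "PROXY UNKNOWN" form is treated
    as carrying no source information.
    """
    if not data.startswith(b"PROXY "):
        return None
    end = data.find(b"\r\n", 0, 107)
    if end == -1:
        return None
    try:
        fields = data[:end].decode("ascii").split(" ")
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            return None
        _, family, src, _dst, sport, dport = fields
        ip = ipaddress.ip_address(src)
        sport_i, dport_i = int(sport), int(dport)
    except ValueError:
        return None
    # The address family keyword must match the address actually given.
    if (family == "TCP4") != (ip.version == 4):
        return None
    if not (0 < sport_i <= 65535 and 0 < dport_i <= 65535):
        return None
    return str(ip), sport_i, data[end + 2:]


def observed_client(data: bytes, peer_ip: str):
    """Return (client_ip, payload) as the router would log it: the header's
    source address when present, otherwise the TCP peer (LB or service IP)."""
    parsed = parse_proxy_v1(data)
    if parsed is None:
        return peer_ip, data
    src, _port, payload = parsed
    return src, payload
```

Only enable `accept-proxy` on a listener whose upstream load balancer actually injects the header; a listener that accepts it from arbitrary peers would trust whatever source address the peer writes.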

Comment 10 Miciah Dashiel Butler Masters 2022-11-11 17:14:23 UTC
We will be backporting the fix to 4.11.z and 4.10.z.

Comment 11 Pablo Alonso Rodriguez 2022-11-11 17:33:17 UTC
Thanks

Comment 14 errata-xmlrpc 2023-01-17 19:51:26 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399