Bug 2176300

Summary: [RFE] Configure Ingress and NFS to support HAProxy's PROXY protocol
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Goutham Pacha Ravi <gouthamr>
Component: Cephadm
Assignee: Adam King <adking>
Status: CLOSED ERRATA
QA Contact: Mohit Bisht <mobisht>
Severity: medium
Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified
Version: 6.0
CC: adking, akraj, cephqe-warriors, fpantano, gouthamr, mobisht, rpollack, saraut, tserlin, vdas, vereddy
Target Milestone: ---
Keywords: FutureFeature
Target Release: 7.0
Hardware: All
OS: All
Whiteboard:
Fixed In Version: ceph-18.2.0-6.el9cp
Doc Type: Enhancement
Doc Text:
.Users can now apply client IP restrictions on the NFS deployment using the HAProxy protocol mode
Previously, users could not apply client IP restrictions while still using HAProxy between the client and NFS. This is because only the HAProxy IP would be recognized by NFS, making proper client IP restriction impossible. With this enhancement, it is possible to deploy an NFS service in HAProxy protocol mode by passing the `--ingress-mode=haproxy-protocol` argument in the `ceph nfs cluster create` command or by setting `enable_haproxy_protocol: true` in both the NFS service specification and the corresponding ingress specification. Users can now apply proper client IP restriction on their NFS deployment using the new HAProxy protocol mode.
Last Closed: 2023-12-13 15:20:10 UTC
Type: Bug
Bug Depends On: 2097490    
Bug Blocks: 2237662    

Description Goutham Pacha Ravi 2023-03-07 22:52:57 UTC
Description of problem:

When the ceph-ingress service frontends the Ceph-NFS cluster, currently, client addresses are not visible to Ceph-NFS/Ganesha; this prevents client restrictions from being used in Exports. To relay the client's address across the Proxy server, HAProxy supports the use of the PROXY protocol. NFS-Ganesha recently added native support for the PROXY protocol [2]. We need changes to the HAProxy config to enable (or disable) the use of PROXY when setting up ingress for Ceph-NFS. An example configuration is documented on the HAProxy website [3].

When send-proxy-v2 is enabled with ingress, NFS-Ganesha will need to be configured with the "HAProxy_Hosts" configuration option [4] which will allow the parsing of the client address from the header information that the PROXY protocol communication contains.

[1] https://www.haproxy.com/blog/use-the-proxy-protocol-to-preserve-a-clients-ip-address/
[2] https://review.gerrithub.io/c/ffilz/nfs-ganesha/+/548334
[3] https://www.haproxy.com/blog/using-haproxy-with-the-proxy-protocol-to-better-secure-your-database/
[4] https://github.com/nfs-ganesha/nfs-ganesha/blob/91dd6865b71bbe99ad828c9c8bae1827922cd2a6/src/doc/man/ganesha-core-config.rst#L25
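
As an added illustration (not code from Ceph, cephadm or NFS-Ganesha), the following Python sketch shows the trust rule that an allowlist such as HAProxy_Hosts exists for: a backend takes the client address from a PROXY v2 header only when the TCP peer is a listed proxy. The addresses, the function names and the choice to reject headers from unlisted peers are assumptions of this example.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
# Constructed value: the ingress hosts allowed to send PROXY headers,
# playing the role that the HAProxy_Hosts list plays for NFS-Ganesha.
TRUSTED_PROXIES = (ipaddress.ip_network("192.0.2.10/32"),)


def effective_client(peer_ip, data, trusted=TRUSTED_PROXIES):
    """Return (client_ip, payload) for the first bytes of a connection.

    The header is honoured only when the TCP peer is a trusted proxy.
    This sketch rejects a header sent by any other peer (an assumption,
    not a statement about Ganesha's behaviour).
    """
    peer = ipaddress.ip_address(peer_ip)
    has_header = data.startswith(SIGNATURE)
    if not any(peer in net for net in trusted):
        if has_header:
            raise ValueError("PROXY header from untrusted peer %s" % peer)
        return str(peer), data
    if not has_header or len(data) < 16:
        raise ValueError("trusted proxy sent no PROXY v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1:
        raise ValueError("unsupported PROXY version or command")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("truncated PROXY header")
    if ver_cmd & 0x0F == 0:  # LOCAL: connection made by the proxy itself
        return str(peer), payload
    if fam == 0x11 and length >= 12:  # TCP over IPv4
        return str(ipaddress.IPv4Address(body[:4])), payload
    if fam == 0x21 and length >= 36:  # TCP over IPv6
        return str(ipaddress.IPv6Address(body[:16])), payload
    raise ValueError("unsupported address family 0x%02x" % fam)


def build_v2_ipv4(src, dst, sport, dport):
    """Build a constructed PROXY v2 header (PROXY command, TCP over IPv4)."""
    body = (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```
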

Comment 10 errata-xmlrpc 2023-12-13 15:20:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 7.0 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:7780