Bug 1964486 - Bulk adding of CIDR IPS to whitelist is not working
Summary: Bulk adding of CIDR IPS to whitelist is not working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.8.0
Assignee: Andrey Lebedev
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On:
Blocks: 1967733
Reported: 2021-05-25 15:26 UTC by sajeel irkal
Modified: 2022-08-04 22:32 UTC
CC List: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: HAProxy's template helper function responsible for generating the whitelist IP file expected the wrong argument type.
Consequence: No whitelist ACL was applied to the backend when the IP list was long.
Fix: The argument type of the template helper function was changed to the right one.
Result: The whitelist ACL is applied to the backend for long IP lists.
Clone Of:
Environment:
Last Closed: 2021-07-27 23:10:08 UTC
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github openshift router pull | 295 | 0 | None | open | [WIP] Bug 1964486: template helper - generateHAProxyWhiteListFile, use right arg type | 2021-06-01 16:35:17 UTC
Red Hat Product Errata | RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 23:10:22 UTC

Comment 2 Arvind iyengar 2021-06-07 06:45:37 UTC
Verified in "4.8.0-0.nightly-2021-06-03-221810". With this payload, it is observed that the router does not fail when processing single routes with more than 64 whitelisted IPs:
-------
oc get clusterversion  
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-06-03-221810   True        False         3m2s    Cluster version is 4.8.0-0.nightly-2021-06-03-221810

oc get route 
NAME                 HOST/PORT                                                                                                   PATH   SERVICES           PORT   TERMINATION   WILDCARD
service-unsecure-2   service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com ... 1 more                    service-unsecure   http                 None


oc get route service-unsecure-2 -o yaml 
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24
      192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24 192.168.8.0/24
      192.168.9.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24 192.168.13.0/24
      192.168.14.0/24 192.168.15.0/24 192.168.16.0/24 192.168.17.0/24 192.168.18.0/24
      192.168.19.0/24 192.168.20.0/24 192.168.21.0/24 192.168.22.0/24 192.168.23.0/24
      192.168.24.0/24 192.168.25.0/24 192.168.26.0/24 192.168.27.0/24 192.168.28.0/24
      192.168.29.0/24 192.168.30.0/24 192.168.31.0/24 192.168.32.0/24 192.168.33.0/24
      192.168.34.0/24 192.168.35.0/24 192.168.36.0/24 192.168.37.0/24 192.168.38.0/24
      192.168.39.0/24 192.168.40.0/24 192.168.41.0/24 192.168.42.0/24 192.168.43.0/24
      192.168.44.0/24 192.168.45.0/24 192.168.46.0/24 192.168.47.0/24 192.168.48.0/24
      192.168.49.0/24 192.168.50.0/24 192.168.51.0/24 192.168.52.0/24 192.168.53.0/24
      192.168.54.0/24 192.168.55.0/24 192.168.56.0/24 192.168.57.0/24 192.168.58.0/24
      192.168.59.0/24 192.168.60.0/24 192.168.61.0/24 192.168.62.0/24 192.168.63.0/24
      192.168.64.0/24 192.168.65.0/24 192.168.66.0/24 192.168.67.0/24 192.168.68.0/24
      192.168.69.0/24 192.168.70.0/24 192.168.71.0/24 192.168.72.0/24 192.168.73.0/24
      192.168.74.0/24 192.168.75.0/24 192.168.76.0/24 192.168.77.0/24 192.168.78.0/24
      192.168.79.0/24 192.168.80.0/24 192.168.81.0/24 192.168.82.0/24 192.168.83.0/24
      192.168.84.0/24 192.168.85.0/24 192.168.86.0/24 192.168.87.0/24 192.168.88.0/24
      192.168.89.0/24 192.168.90.0/24 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24
      192.168.94.0/24 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24 192.168.98.0/24
      192.168.99.0/24 192.168.100.0/24 192.168.101.0/24 192.168.102.0/24 192.168.103.0/24
      192.168.104.0/24 192.168.105.0/24 192.168.106.0/24 192.168.107.0/24 192.168.108.0/24
      192.168.109.0/24 192.168.110.0/24 192.168.111.0/24 192.168.112.0/24 192.168.113.0/24
      192.168.114.0/24 192.168.115.0/24 192.168.116.0/24 192.168.117.0/24 192.168.118.0/24
      192.168.119.0/24 192.168.120.0/24 192.168.121.0/24 192.168.122.0/24 192.168.123.0/24
      192.168.124.0/24 192.168.125.0/24 192.168.126.0/24 192.168.127.0/24 192.168.128.0/24
      192.168.129.0/24 192.168.130.0/24 192.168.131.0/24 192.168.132.0/24 192.168.133.0/24
      192.168.134.0/24 192.168.135.0/24 192.168.136.0/24 192.168.137.0/24 192.168.138.0/24
      192.168.139.0/24 192.168.140.0/24 192.168.141.0/24 192.168.142.0/24 192.168.143.0/24
      192.168.144.0/24 192.168.145.0/24 192.168.146.0/24 192.168.147.0/24 192.168.148.0/24
      192.168.149.0/24 192.168.150.0/24 192.168.151.0/24 192.168.152.0/24 192.168.153.0/24
      192.168.154.0/24 192.168.155.0/24 192.168.156.0/24 192.168.157.0/24 192.168.158.0/24
      192.168.159.0/24 192.168.160.0/24 192.168.161.0/24 192.168.162.0/24 192.168.163.0/24
      192.168.164.0/24 192.168.165.0/24 192.168.166.0/24 192.168.167.0/24 192.168.168.0/24
      192.168.169.0/24 192.168.170.0/24 192.168.171.0/24 192.168.172.0/24 192.168.173.0/24
      192.168.174.0/24 192.168.175.0/24 192.168.176.0/24 192.168.177.0/24 192.168.178.0/24
      192.168.179.0/24 192.168.180.0/24 192.168.181.0/24 192.168.182.0/24 192.168.183.0/24
      192.168.184.0/24 192.168.185.0/24 192.168.186.0/24 192.168.187.0/24 192.168.188.0/24
      192.168.189.0/24 192.168.190.0/24 192.168.191.0/24 192.168.192.0/24 192.168.193.0/24
      192.168.194.0/24 192.168.195.0/24 192.168.196.0/24 192.168.197.0/24 192.168.198.0/24
      192.168.199.0/24 192.168.200.0/24
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-06-07T05:39:57Z"
  labels:
    name: service-unsecure
  name: service-unsecure-2
  namespace: test1a
  resourceVersion: "87420"
  uid: 286c8acc-d9b0-4764-8c62-d0b4a9aae221
spec:
  host: service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
  port:
    targetPort: http
  to:
    kind: Service
    name: service-unsecure
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2021-06-07T05:39:57Z"
      status: "True"
      type: Admitted
    host: service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
    routerCanonicalHostname: router-internalapps.internalapps.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
    routerName: internalapps
    wildcardPolicy: None
  - conditions:
    - lastTransitionTime: "2021-06-07T05:39:57Z"
      status: "True"
      type: Admitted
    host: service-unsecure-2-test1a.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
    routerCanonicalHostname: router-default.apps.ci-ln-zmdlxk2-d5d6b.origin-ci-int-aws.dev.rhcloud.com
    routerName: default
    wildcardPolicy: None

haproxy.config file entry:
backend be_http:test1a:service-unsecure-2
  mode http
  option redispatch
  option forwardfor
  balance
  acl whitelist src -f /var/lib/haproxy/router/whitelists/test1a:service-unsecure-2.txt
  tcp-request content reject if !whitelist

oc -n openshift-ingress logs router-default-6dbff6bd9f-wmsc8 --tail 50
I0607 03:57:54.098280       1 template.go:437] router "msg"="starting router"  "version"="majorFromGit: \nminorFromGit: \ncommitFromGit: 207d5463d341947133d344b352aef6abcd80a0c8\nversionFromGit: 4.0.0-306-g207d5463\ngitTreeState: clean\nbuildDate: 2021-06-03T20:48:55Z\n"
I0607 03:57:54.101137       1 metrics.go:155] metrics "msg"="router health and metrics port listening on HTTP and HTTPS"  "address"="0.0.0.0:1936"
I0607 03:57:54.112697       1 router.go:191] template "msg"="creating a new template router"  "writeDir"="/var/lib/haproxy"
I0607 03:57:54.112793       1 router.go:270] template "msg"="router will coalesce reloads within an interval of each other"  "interval"="5s"
I0607 03:57:54.113382       1 router.go:332] template "msg"="watching for changes"  "path"="/etc/pki/tls/private"
I0607 03:57:54.113907       1 router.go:262] router "msg"="router is including routes in all namespaces"  
E0607 03:57:54.227757       1 haproxy.go:418] can't scrape HAProxy: dial unix /var/lib/haproxy/run/haproxy.sock: connect: no such file or directory
I0607 03:57:54.308490       1 router.go:579] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0607 03:57:59.366942       1 router.go:579] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0607 03:58:04.271629       1 router.go:579] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0607 03:58:09.283077       1 router.go:579] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0607 03:59:42.751598       1 router.go:579] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0607 03:59:47.752862       1 router.go:579] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0607 04:00:19.716065       1 router.go:579] template "msg"="router reloaded"  "output"=" - Proxy protocol on, checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
-------
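The Doc Text gives the mechanism (the template helper that generates the whitelist file was declared with the wrong argument type, so no whitelist ACL reached the backend for long lists), and Comment 2 shows the intended output (an `acl whitelist src -f <file>` line paired with `tcp-request content reject if !whitelist`). The Go program below is an added, simplified reconstruction of that pattern; it is not the openshift/router template or its generateHAProxyWhiteListFile helper, and the template text, the helper and function names, the backend struct and the 64-entry threshold (taken from the test in Comment 2) are all assumptions. It renders a backend with a text/template that inlines short allowlists and writes long ones to a file, registers the same helper once with a mismatched `string` parameter and once with the correct `[]string`, and includes a check that a rendered backend actually carries both ACL lines. It also makes a general point the page only implies: Go's text/template checks helper argument types at execution time, and only on the branch that calls the helper, so a test with a handful of IPs passes while a list over the threshold fails.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
	"text/template"
)

// File threshold; 64 is taken from Comment 2's test, the real value is not on this page.
const inlineLimit = 64

// parseWhitelist accepts only IPs and CIDRs; a bad entry is an error, not dropped.
func parseWhitelist(annotation string) ([]string, error) {
	var out []string
	for _, tok := range strings.Fields(annotation) {
		if _, _, err := net.ParseCIDR(tok); err != nil && net.ParseIP(tok) == nil {
			return nil, fmt.Errorf("invalid whitelist entry %q", tok)
		}
		out = append(out, tok)
	}
	return out, nil
}

// whitelistFile writes one entry per line to <dir>/<id>.txt, the format
// HAProxy reads for `acl ... src -f <file>`, and returns the path.
func whitelistFile(dir, id string, ips []string) (string, error) {
	path := filepath.Join(dir, id+".txt")
	if err := os.WriteFile(path, []byte(strings.Join(ips, "\n")+"\n"), 0o644); err != nil {
		return "", err
	}
	return path, nil
}

// Hypothetical backend template, shaped like the entry shown in Comment 2.
const backendTmpl = `backend be_http:{{ .ID }}
  mode http
{{- if .IPs }}
{{- if gt (len .IPs) .Limit }}
  acl whitelist src -f {{ whitelistFile .Dir .ID .IPs }}
{{- else }}
  acl whitelist src {{ join .IPs " " }}
{{- end }}
  tcp-request content reject if !whitelist
{{- end }}
`

type backend struct{ ID, Dir string; IPs []string; Limit int }

// Fixed helper set: whitelistFile takes the []string the template passes.
var goodFuncs = template.FuncMap{"join": strings.Join, "whitelistFile": whitelistFile}

// Mismatched helper set: same name, IP parameter declared as a string. Parse
// succeeds; Execute fails with "wrong type for value", but only on long lists.
var badFuncs = template.FuncMap{"join": strings.Join,
	"whitelistFile": func(dir, id, ips string) (string, error) {
		return whitelistFile(dir, id, strings.Fields(ips))
	}}

// render executes the template. text/template checks helper argument types at
// execution time and only on the branch taken, so short lists hide the mismatch.
func render(funcs template.FuncMap, b backend) (string, error) {
	t, err := template.New("be").Funcs(funcs).Parse(backendTmpl)
	if err != nil {
		return "", err
	}
	var buf strings.Builder
	if err := t.Execute(&buf, b); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// enforcesAllowlist reports whether a rendered backend both defines the ACL and
// rejects non-matching sources; missing either, the route is open to any source.
func enforcesAllowlist(cfg string) bool {
	return strings.Contains(cfg, "acl whitelist src") &&
		strings.Contains(cfg, "tcp-request content reject if !whitelist")
}

func main() {
	dir, _ := os.MkdirTemp("", "whitelists")
	defer os.RemoveAll(dir)
	var cidrs []string // constructed sample input: 201 distinct /24s
	for i := 0; i < 201; i++ {
		cidrs = append(cidrs, fmt.Sprintf("192.168.%d.0/24", i))
	}
	ips, _ := parseWhitelist(strings.Join(cidrs, " "))
	b := backend{ID: "test1a:service-unsecure-2", Dir: dir, IPs: ips, Limit: inlineLimit}
	_, err := render(badFuncs, b)
	fmt.Println("mismatched helper:", err)
	out, err := render(goodFuncs, b)
	fmt.Println("fixed helper:", err, "enforces:", enforcesAllowlist(out))
}
```

The design point for anyone carrying a similar template: treat a render error as fatal for that reload rather than logging it and writing whatever was produced, because a backend that lacks the `acl whitelist` and `tcp-request content reject` pair serves the route to every source address, which is exactly the consequence the Doc Text describes. The `enforcesAllowlist` check is the kind of assertion a regression test should make on the rendered haproxy.config for a route whose list exceeds the inline limit.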

Comment 5 errata-xmlrpc 2021-07-27 23:10:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438