Description of problem: There is a logic error in the haproxy template code that the "accept-proxy" specifier doesn't get appropriately applied to both IPv4 and IPv6 haproxy interfaces if BOTH IPv4 and IPv6 are enabled. The "accept-proxy" specifier is added via when the ENV variable ROUTER_USE_PROXY_PROTOCOL is true. OpenShift release version: 4.11 Cluster Platform: All How reproducible: Always Steps to Reproduce (in detail): 1. Enable IPv4 and IPv6 via ROUTER_IP_V4_V6_MODE="v4v6" on router deployment 2. Set ROUTER_USE_PROXY_PROTOCOL to true on router deployment 3. RSH into router and confirm that "accept-proxy" is on both "bind :<PORT>" and "bind :::<PORT>" lines for "frontend public" and "frontend public_ssl" Actual results: "accept-proxy" is only on "bind :::<PORT>" and missing from "bind :<PORT>" Expected results: "accept-proxy" should be on both "bind :<PORT>" and "bind :::<PORT>" Impact of the problem: Can't have a dual stack IPv4 and IPv6 configuration with "accept-protocol" on both stacks. Additional info: ** Please do not disregard the report template; filling the template out as much as possible will allow us to help you. Please consider attaching a must-gather archive (via `oc adm must-gather`). Please review must-gather contents for sensitive information before attaching any must-gathers to a bugzilla report. You may also mark the bug private if you wish.
The issue was caused by <https://github.com/openshift/router/pull/83>, which shipped in 4.8.0, to fix bug 1801407.
Verified in "4.11.0-0.nightly-2022-06-15-222801". With this payload it is observed that "accept-proxy" specifier are getting properly applied for ipv4 and ipv6 bind option in the frontend: ------ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.11.0-0.nightly-2022-06-15-222801 True False 49m Cluster version is 4.11.0-0.nightly-2022-06-15-222801 oc -n openshift-ingress get deployment.apps/router-internalapps2 -o yaml | grep -ie ROUTER_IP_V4_V6_MODE -ie ROUTER_USE_PROXY_PROTOCOL -A1 - name: ROUTER_IP_V4_V6_MODE value: v4v6 -- - name: ROUTER_USE_PROXY_PROTOCOL value: "true" Inside the router pod: frontend public bind :9080 accept-proxy bind :::9080 v6only accept-proxy mode http tcp-request inspect-delay 5s tcp-request content accept if HTTP monitor-uri /_______internal_router_healthz frontend public_ssl option tcplog bind :9443 accept-proxy bind :::9443 v6only accept-proxy tcp-request inspect-delay 5s tcp-request content accept if { req_ssl_hello_type 1 } ------
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069