Bug 2096362 - Router proxy protocol doesn't work with dual-stack (IPv4 and IPv6) clusters
Summary: Router proxy protocol doesn't work with dual-stack (IPv4 and IPv6) clusters
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.z
Assignee: Grant Spence
QA Contact: Arvind iyengar
Depends On: 2093454
TreeView+ depends on / blocked
Reported: 2022-06-13 15:44 UTC by OpenShift BugZilla Robot
Modified: 2022-09-13 08:28 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A change to the HAProxy configuration template in OpenShift 4.8 caused the "accept-proxy" option not to be set on all "bind" lines when the configuration had more than one "bind". Consequence: On dual-stack clusters with PROXY protocol configured, PROXY protocol was only enabled for IPv6 and was not enabled for IPv4. Fix: The HAProxy configuration template was corrected to set "accept-proxy" on every "bind" line when PROXY protocol is configured. Result: OpenShift now enables PROXY protocol for both IPv4 and IPv6 on dual-stack clusters with PROXY protocol configured.
Clone Of:
Last Closed: 2022-09-13 08:28:32 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift router pull 405 0 None open [release-4.10] Bug 2096362: HAProxy: enable PROXY protocol for all listeners 2022-06-27 17:44:13 UTC
Red Hat Product Errata RHBA-2022:6372 0 None None None 2022-09-13 08:28:40 UTC

Comment 1 Arvind iyengar 2022-07-04 08:28:35 UTC
verified with the latest "4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest" image. In the environment deployed with the the patch include it is observed that proxy option gets applied properly for IPv4 and IPv6 haproxy interfaces in the haproxy config file:
oc get clusterversion                                            
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest   True        False         4m15s   Cluster version is 4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest

oc -n openshift-ingress exec router-default-6997b4f69c-qfbbq -- env | grep -e ROUTER_IP_V4_V6_MODE -e ROUTER_USE_PROXY_PROTOCOL

oc -n openshift-ingress exec router-default-6997b4f69c-qfbbq -- cat haproxy.config | grep -i accept-proxy
  bind :80 accept-proxy
  bind :::80 v6only accept-proxy
  bind :443 accept-proxy
  bind :::443 v6only accept-proxy
  bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy

Comment 3 Arvind iyengar 2022-09-05 11:28:52 UTC
This bug has already been verified via pre-merge workflow. Changing status to reflect the same accordingly.

Comment 6 errata-xmlrpc 2022-09-13 08:28:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.32 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.