Bug 2096362 - Router proxy protocol doesn't work with dual-stack (IPv4 and IPv6) clusters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.11
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.10.z
Assignee: Grant Spence
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 2093454
Blocks:
Reported: 2022-06-13 15:44 UTC by OpenShift BugZilla Robot
Modified: 2022-09-13 08:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: A change to the HAProxy configuration template in OpenShift 4.8 caused the "accept-proxy" option not to be set on all "bind" lines when the configuration had more than one "bind".
Consequence: On dual-stack clusters with PROXY protocol configured, PROXY protocol was only enabled for IPv6 and was not enabled for IPv4.
Fix: The HAProxy configuration template was corrected to set "accept-proxy" on every "bind" line when PROXY protocol is configured.
Result: OpenShift now enables PROXY protocol for both IPv4 and IPv6 on dual-stack clusters with PROXY protocol configured.
Clone Of:
Environment:
Last Closed: 2022-09-13 08:28:32 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift router pull 405 | 0 | None | open | [release-4.10] Bug 2096362: HAProxy: enable PROXY protocol for all listeners | 2022-06-27 17:44:13 UTC
Red Hat Product Errata | RHBA-2022:6372 | 0 | None | None | None | 2022-09-13 08:28:40 UTC

Comment 1 Arvind iyengar 2022-07-04 08:28:35 UTC
Verified with the latest "4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest" image. In the environment deployed with the patch included, it is observed that the proxy option gets applied properly for the IPv4 and IPv6 haproxy interfaces in the haproxy config file:
------
oc get clusterversion                                            
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest   True        False         4m15s   Cluster version is 4.10.0-0.ci.test-2022-07-04-055209-ci-ln-gn337fb-latest

oc -n openshift-ingress exec router-default-6997b4f69c-qfbbq -- env | grep -e ROUTER_IP_V4_V6_MODE -e ROUTER_USE_PROXY_PROTOCOL
ROUTER_IP_V4_V6_MODE=v4v6
ROUTER_USE_PROXY_PROTOCOL=true

oc -n openshift-ingress exec router-default-6997b4f69c-qfbbq -- cat haproxy.config | grep -i accept-proxy
  bind :80 accept-proxy
  bind :::80 v6only accept-proxy
  bind :443 accept-proxy
  bind :::443 v6only accept-proxy
  bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt /var/lib/haproxy/router/certs/default.pem accept-proxy
------
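The `grep -i accept-proxy` check above lists only the listeners that have the option, so a `bind` line missing it would not appear in that output. The following is an added example, not code from this bug report or from the openshift/router project: it reads an HAProxy config on stdin and reports `bind` lines that lack `accept-proxy` in a section where a sibling `bind` has it, which is the pattern the Doc Text describes. The function name, the sample configs and their section names are constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the bug report or the openshift/router project.
# Reads an HAProxy config on stdin and prints each "bind" line that lacks
# accept-proxy in a section where a sibling "bind" line has it.
find_mixed_proxy_binds() {
  awk '
    function flush(   k) {
      # Report only sections that mix both kinds of listener.
      if (n_ok > 0 && n_miss > 0)
        for (k = 1; k <= n_miss; k++) print section ": " missing[k]
      n_ok = 0; n_miss = 0
    }
    # Section headers; other section kinds are not tracked here.
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
      flush(); section = $1
      if (NF > 1) section = section " " $2
      next
    }
    $1 == "bind" {
      has = 0
      for (i = 2; i <= NF; i++) if ($i == "accept-proxy") has = 1
      if (has) n_ok++
      else { sub(/^[ \t]+/, ""); missing[++n_miss] = $0 }
    }
    END { flush() }
  '
}

# Constructed sample: the pre-fix dual-stack state the Doc Text describes.
# Section names are assumptions for illustration.
sample_before_fix() {
  printf '%s\n' 'frontend public' '  bind :80' \
    '  bind :::80 v6only accept-proxy' 'frontend public_ssl' \
    '  bind :443' '  bind :::443 v6only accept-proxy'
}

# Constructed sample: the TCP bind lines from Comment 1, after the fix.
sample_after_fix() {
  printf '%s\n' 'frontend public' '  bind :80 accept-proxy' \
    '  bind :::80 v6only accept-proxy' 'frontend public_ssl' \
    '  bind :443 accept-proxy' '  bind :::443 v6only accept-proxy'
}

sample_before_fix | find_mixed_proxy_binds
```

On a cluster, the function's input would be the `haproxy.config` contents printed by the `oc ... exec ... cat haproxy.config` command shown in the comment above; empty output means no section mixes the two kinds of listener.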

Comment 3 Arvind iyengar 2022-09-05 11:28:52 UTC
This bug has already been verified via pre-merge workflow. Changing status to reflect the same accordingly.

Comment 6 errata-xmlrpc 2022-09-13 08:28:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.10.32 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6372

