Bug 2104481 - PROXY protocol is not configurable for "private" endpoint publishing strategy
Summary: PROXY protocol is not configurable for "private" endpoint publishing strategy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.12.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-07-06 11:40 UTC by Pablo Alonso Rodriguez
Modified: 2023-01-17 19:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
*Previously, the IngressController could not be configured with `Private` endpoint publishing strategy and PROXY protocol. With this update, users can now configure an IngressController with both the `Private` endpoint publishing strategy type and PROXY protocol. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2104481[*BZ#2104481*])
Clone Of:
Environment:
Last Closed: 2023-01-17 19:51:26 UTC
Target Upstream Version:
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github openshift api pull 1221 | 0 | None | Merged | Bug 2104481: operator/ingress: Allow PROXY protocol for Private endpoint publishing strategy | 2022-07-08 18:42:21 UTC
Github openshift cluster-ingress-operator pull 803 | 0 | None | Merged | Bug 2104481: Allow PROXY protocol for the "Private" endpoint publishing strategy | 2022-07-22 17:37:41 UTC
Red Hat Product Errata RHSA-2022:7399 | 0 | None | None | None | 2023-01-17 19:51:44 UTC

Description Pablo Alonso Rodriguez 2022-07-06 11:40:28 UTC
Description of problem:

When the proxy protocol configuration was implemented, for some reason it was only implemented for "HostNetwork" and "NodePort" endpoint publishing strategies, but not for "Private" one. We should be able to implement it in the "Private" one.

OpenShift release version:

4.10

Cluster Platform:

Irrelevant.

How reproducible:

Always

Steps to Reproduce (in detail):
1. Configure proxy protocol for "private" endpoint publishing strategy


Actual results:

Not configurable

Expected results:

Configurable

Impact of the problem:

In some environments where "private" strategy + custom service must be used, lacking proxy protocol hides real source IPs to the router, which can have severe security implications.

Additional info:

The PROXY protocol was implemented as a result of https://issues.redhat.com/browse/RFE-401 . Neither in the RFE nor in the trackers can I find any reference as to why this was implemented only for those strategies, as it was requested as just a global option. So this means the feature was implemented mistakenly, which is a bug.
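The decision the report is about, as an added illustration that is not code from the cluster-ingress-operator or the openshift/api repository: a small mirror of the `endpointPublishingStrategy` fields (hypothetical Go types, not the operator's own API structs) and two versions of the check that decides whether the router is told to expect PROXY protocol. `proxyProtocolBeforeFix` models the behaviour described above, where only HostNetwork and NodePort are consulted, so a Private strategy with `protocol: PROXY` still yields `ROUTER_USE_PROXY_PROTOCOL=false` and the router sees only the address of the proxy in front of it; `proxyProtocolAfterFix` adds the Private case and produces the `ROUTER_USE_PROXY_PROTOCOL=true` setting that Comment 6 verifies. The strategy type strings and the `routerEnv` helper are assumptions made for this example.

```go
package main

import "fmt"

// EndpointPublishingStrategyType mirrors the IngressController strategy
// type names used in this example (assumed values, not the operator's API).
type EndpointPublishingStrategyType string

const (
	HostNetwork  EndpointPublishingStrategyType = "HostNetwork"
	NodePort     EndpointPublishingStrategyType = "NodePortService"
	Private      EndpointPublishingStrategyType = "Private"
	LoadBalancer EndpointPublishingStrategyType = "LoadBalancerService"
)

// ProtocolStrategy holds the per-strategy protocol setting ("", "TCP" or "PROXY").
type ProtocolStrategy struct {
	Protocol string
}

// EndpointPublishingStrategy is a reduced, hypothetical mirror of
// spec.endpointPublishingStrategy with only the fields this check needs.
type EndpointPublishingStrategy struct {
	Type        EndpointPublishingStrategyType
	HostNetwork *ProtocolStrategy
	NodePort    *ProtocolStrategy
	Private     *ProtocolStrategy
}

// wantsProxy reports whether a strategy-specific setting asks for PROXY protocol.
func wantsProxy(p *ProtocolStrategy) bool {
	return p != nil && p.Protocol == "PROXY"
}

// proxyProtocolBeforeFix models the behaviour the bug describes: only the
// HostNetwork and NodePort strategies are consulted, so Private is ignored.
func proxyProtocolBeforeFix(s EndpointPublishingStrategy) bool {
	switch s.Type {
	case HostNetwork:
		return wantsProxy(s.HostNetwork)
	case NodePort:
		return wantsProxy(s.NodePort)
	}
	return false
}

// proxyProtocolAfterFix adds the Private case, matching the fixed behaviour
// in which Private + protocol: PROXY enables PROXY protocol on the router.
func proxyProtocolAfterFix(s EndpointPublishingStrategy) bool {
	switch s.Type {
	case HostNetwork:
		return wantsProxy(s.HostNetwork)
	case NodePort:
		return wantsProxy(s.NodePort)
	case Private:
		return wantsProxy(s.Private)
	}
	return false
}

// routerEnv renders the router environment variable that Comment 6 inspects
// (assumed helper; the real operator derives the variable from its own code).
func routerEnv(enabled bool) string {
	return fmt.Sprintf("ROUTER_USE_PROXY_PROTOCOL=%t", enabled)
}

func main() {
	// Constructed sample: the Private + PROXY spec from the verification comment.
	private := EndpointPublishingStrategy{
		Type:    Private,
		Private: &ProtocolStrategy{Protocol: "PROXY"},
	}
	fmt.Println("before fix:", routerEnv(proxyProtocolBeforeFix(private)))
	fmt.Println("after fix: ", routerEnv(proxyProtocolAfterFix(private)))
}
```

The defensive reading of the two functions: when the first one runs, HAProxy binds `:80` and `:443` without `accept-proxy`, so access logs, IP allow lists and rate limits keyed on the client address all see the upstream proxy's address instead of the real client, which is the impact stated in the report. Checking `ROUTER_USE_PROXY_PROTOCOL` and the `accept-proxy` bind lines, as Comment 6 does, is the quickest way to confirm which behaviour a given cluster exhibits.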

Comment 3 Miciah Dashiel Butler Masters 2022-07-07 19:27:09 UTC
We will handle this as a BZ.

Comment 6 Arvind iyengar 2022-07-18 06:21:43 UTC
Verified in "4.12.0-0.nightly-2022-07-17-174647" release. With this payload, it is observed that the "Private" type ingresscontroller allows the "PROXY" option to be set correctly in the pod configuration:
------
oc get clusterversion           
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-07-17-174647   True        False         3h22m   Cluster version is 4.12.0-0.nightly-2022-07-17-174647

oc -n openshift-ingress-operator get ingresscontroller internalapps -o jsonpath={.spec} | jq
{
  "clientTLS": {
    "clientCA": {
      "name": ""
    },
    "clientCertificatePolicy": ""
  },
  "domain": "internalapps.aiyengar412qq.qe.azure.devcluster.openshift.com",
  "endpointPublishingStrategy": {
    "private": {
      "protocol": "PROXY"
    },
    "type": "Private"
  },


oc -n openshift-ingress get pods -o wide                                 
NAME                                   READY   STATUS    RESTARTS   AGE     IP            NODE                                               NOMINATED NODE   READINESS GATES
router-internalapps-57df5858b6-5885h   2/2     Running   0          37s     10.131.0.20   aiyengar412qq-7mm4j-worker-southcentralus1-t8lbw   <none>           <none>
router-internalapps-57df5858b6-znzqj   2/2     Running   0          37s     10.128.2.20   aiyengar412qq-7mm4j-worker-southcentralus3-9z2tv   <none>           <none>


oc -n openshift-ingress exec router-internalapps-57df5858b6-5885h -- env | grep ROUTER_USE_PROXY_PROTOCOL
ROUTER_USE_PROXY_PROTOCOL=true


oc -n openshift-ingress exec router-internalapps-57df5858b6-5885h -- cat haproxy.config| grep -i 'accept-proxy'
  bind :80 accept-proxy
  bind :443 accept-proxy
------

Comment 10 Miciah Dashiel Butler Masters 2022-11-11 17:14:23 UTC
We will be backporting the fix to 4.11.z and 4.10.z.

Comment 11 Pablo Alonso Rodriguez 2022-11-11 17:33:17 UTC
Thanks

Comment 14 errata-xmlrpc 2023-01-17 19:51:26 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399
