Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: 4.11.0
Affects Version/s: 4.11
Component/s: Networking / router
Labels:
None

Severity:
Moderate
Story Points:
2
Sprint:
Sprint 224, Sprint 225, Sprint 226
sprint_count:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Cause: A change to the HAProxy configuration template in OpenShift 4.8 caused the "accept-proxy" option not to be set on all "bind" lines when the configuration had more than one "bind".

Consequence: On dual-stack clusters with PROXY protocol configured, PROXY protocol was only enabled for IPv6 and was not enabled for IPv4.

Fix: The HAProxy configuration template was corrected to set "accept-proxy" on every "bind" line when PROXY protocol is configured.

Result: OpenShift now enables PROXY protocol for both IPv4 and IPv6 on dual-stack clusters with PROXY protocol configured.

Show
Cause: A change to the HAProxy configuration template in OpenShift 4.8 caused the "accept-proxy" option not to be set on all "bind" lines when the configuration had more than one "bind". Consequence: On dual-stack clusters with PROXY protocol configured, PROXY protocol was only enabled for IPv6 and was not enabled for IPv4. Fix: The HAProxy configuration template was corrected to set "accept-proxy" on every "bind" line when PROXY protocol is configured. Result: OpenShift now enables PROXY protocol for both IPv4 and IPv6 on dual-stack clusters with PROXY protocol configured.
Target Version:

4.9.z

SFDC Cases Counter:
SFDC Cases Links:

Description

+++ This bug was initially created as a clone of Bug #2093454 +++

Description of problem:
There is a logic error in the haproxy template code that the "accept-proxy" specifier doesn't get appropriately applied to both IPv4 and IPv6 haproxy interfaces if BOTH IPv4 and IPv6 are enabled.

The "accept-proxy" specifier is added via when the ENV variable ROUTER_USE_PROXY_PROTOCOL is true.

OpenShift release version:
4.11

Cluster Platform:
All

How reproducible:
Always

Steps to Reproduce (in detail):
1. Enable IPv4 and IPv6 via ROUTER_IP_V4_V6_MODE="v4v6" on router deployment
2. Set ROUTER_USE_PROXY_PROTOCOL to true on router deployment
3. RSH into router and confirm that "accept-proxy" is on both "bind :<PORT>" and "bind :::<PORT>" lines for "frontend public" and "frontend public_ssl"


Actual results:
"accept-proxy" is only on "bind :::<PORT>" and missing from "bind :<PORT>"

Expected results:
"accept-proxy" should be on both "bind :<PORT>" and "bind :::<PORT>"

Impact of the problem:
Can't have a dual stack IPv4 and IPv6 configuration with "accept-protocol" on both stacks.

Attachments

Issue Links

clones

OCPBUGS-1337 Router proxy protocol doesn't work with dual-stack (IPv4 and IPv6) clusters

Closed

is blocked by

OCPBUGS-1339 Router proxy protocol doesn't work with dual-stack (IPv4 and IPv6) clusters

Closed

links to

openshift/router#416: [[release-4.9] OCPBUGS-1338: HAProxy: enable PROXY protocol for all listeners](https://github.com/openshift/router/pull/416#top)

Activity

People

Assignee:: Grant Spence

Reporter:: Grant Spence

QA Contact:: Shudi Li

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022/09/14 9:07 PM

Updated:: 2022/10/25 7:02 PM

Resolved:: 2022/10/19 7:52 PM