Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-2015

To retrieve clients IP addresses when using TLS passthrough route in OCP 4.x



    • False
    • False
    • Undefined


      1. Proposed title of this feature request

      To retrieve clients' IP addresses when using TLS passthrough route in OCP 4.x

      2. Who is the customer behind the request?

      Account: VTB Bank (PJSC) (acct #1231932)
      TAM customer: yes
      Strategic: yes

      3. What is the nature and description of the request?

      The customer wants to fetch the client's IP in the case when the connection request is flowing through a passthrough route. However, the customer is able to retrieve the IP addresses in case of an edge route.

      4. Why does the customer need this? (List the business requirements here)

      According to the customers' security requirements, it is necessary to obtain a client's IP, while not transferring traffic termination to an iron balancer. Since the customer actively uses istio there, mtls mode is enabled, if they would have used edge route things might have been easier, but the customer is getting errors while implementing the scenario for the passthrough route. As for now, the customer uses the edge route and it would be nice to fix it.

      5. How would the customer like to achieve this? (List the functional requirements here)

      The customer tried the following steps to implement/reproduce the scenario in OCP 4.7, 4.7, and 4.8 clusters:
      A. Copy the deployment from the router and gave it a different template
      B. Added the below lines in the template.

      {{- with $sendProxy := index $cfg.Annotations "haproxy.router.openshift.io/send-proxy" }}
      {{- if (isTrue (index $cfg.Annotations "haproxy.router.openshift.io/send-proxy")) }} send-proxy {{- end }}
      - end/* end send-proxy annotation */

      add ENV TEMPLATE_FILE and mount ConfigMap

      C. After this setup, the client's IP comes to the pod with Nginx used PROXY-PROTOCOL

      6. For each functional requirement listed, specify how Red Hat and the customer can test to

      We can test and confirm the requirement is successfully implemented by referring to the fact that if you try to get the client's IP when using both mtls and passthrough route then mtls works correctly except for the passthrough route since one certificate cannot be used for all projects. If we are getting the client's IP address using the passthrough route then the issue is resolved.

      7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

      8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?




            mcurry@redhat.com Marc Curry
            rhn-support-mmarkand Mridul Markandey
            0 Vote for this issue
            2 Start watching this issue