Skip to content

[release-4.18] OCPBUGS-86715: Add configuration override for X-SSL strip#1477

Merged
openshift-merge-bot[bot] merged 2 commits into
openshift:release-4.18from
MrSanketkumar:CVE-2026-46579-4.18
Jul 8, 2026
Merged

[release-4.18] OCPBUGS-86715: Add configuration override for X-SSL strip#1477
openshift-merge-bot[bot] merged 2 commits into
openshift:release-4.18from
MrSanketkumar:CVE-2026-46579-4.18

Conversation

@MrSanketkumar

@MrSanketkumar MrSanketkumar commented Jun 18, 2026

Copy link
Copy Markdown

Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener

Summary by CodeRabbit

  • New Features

    • Extended router configuration to support mutual TLS header filter overrides via unsupported config overrides, including setting or omitting the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable.
  • Tests

    • Added unit coverage to verify behavior when the override is unset, explicitly set to true/false, and when an invalid value is provided (ensuring stable deployment generation).

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 18, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86716, which is invalid:

  • expected the vulnerability to target either version "4.18." or "openshift-4.18.", but it targets "4.19.z" instead
  • expected dependent Jira Issue OCPBUGS-86717 to target a version in 4.19.0, 4.19.z, but it targets "4.20.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from frobware and rikatz June 18, 2026 09:28
Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing
TLS termination and sending traffic to rotuer with these headers. While this topology
is not supported, there is a need for a knob to allow these users to rollback this validation
assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener
@MrSanketkumar MrSanketkumar changed the title [release-4.18] OCPBUGS-86716: Add configuration override for X-SSL strip [release-4.18] OCPBUGS-86715: Add configuration override for X-SSL strip Jun 18, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:

  • expected dependent Jira Issue OCPBUGS-86716 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cceb2c41-42cc-4a11-ab93-72b5f7b21f6e

📥 Commits

Reviewing files that changed from the base of the PR and between 82f6755 and 131994e.

📒 Files selected for processing (1)
  • pkg/operator/controller/ingress/deployment_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/operator/controller/ingress/deployment_test.go

Walkthrough

Adds support for a mutualTLSHeaderFilter unsupported config override in the router deployment controller. A new exported constant RouterMutualTLSHeaderFilter (ROUTER_MUTUAL_TLS_HEADER_FILTER) is introduced. When the override parses to false, the env var is injected into the router container. A table-driven test covers all input variants.

Changes

mutualTLSHeaderFilter Unsupported Config Override

Layer / File(s) Summary
Constant, struct field, and env var injection
pkg/operator/controller/ingress/deployment.go
Adds RouterMutualTLSHeaderFilter constant, extends the unsupportedConfigOverrides unmarshal struct with mutualTLSHeaderFilter, and conditionally appends ROUTER_MUTUAL_TLS_HEADER_FILTER=false to the router container env vars when the override parses to false.
Table-driven tests
pkg/operator/controller/ingress/deployment_test.go
Adds TestDesiredRouterDeploymentMutualTLSHeaderFilter with four cases (unset, false, true, invalid) to assert the env var is present or absent as expected.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Suggested labels

lgtm, approved, backport-risk-assessed, jira/valid-bug, verified

Suggested reviewers

  • grzpiotrowski
  • alebedev87
🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Title check ⚠️ Warning The PR title mentions 'X-SSL strip' but the implementation adds a 'mutualTLSHeaderFilter' override with no direct connection to X-SSL stripping mentioned in the code changes. Update the title to accurately reflect the actual implementation: 'Add configuration override for mutual TLS header filter' or similar, or clarify the relationship between X-SSL stripping and mutualTLSHeaderFilter in the PR description.
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (13 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR adds standard Go tests (not Ginkgo tests) with stable, deterministic table-driven test case names ("not-set", "set-to-false", "set-to-true", "set-to-invalid-value") containing no dynamic val...
Test Structure And Quality ✅ Passed The custom check targets Ginkgo test code, but the added test uses standard Go testing (t *testing.T), not Ginkgo, making the check inapplicable to this PR.
Microshift Test Compatibility ✅ Passed The PR adds a standard Go unit test (TestDesiredRouterDeploymentMutualTLSHeaderFilter) using *testing.T, not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests added. PR adds only a standard Go unit test (TestDesiredRouterDeploymentMutualTLSHeaderFilter) in pkg/operator/controller/ingress/deployment_test.go.
Topology-Aware Scheduling Compatibility ✅ Passed The PR adds a configuration override for X-SSL header filtering by introducing a constant, struct field, and conditional environment variable setting. It contains no scheduling constraints (affinit...
Ote Binary Stdout Contract ✅ Passed PR modifications contain no process-level stdout writes: no main(), init(), or TestMain() functions; standard Go tests with no Ginkgo suite setup; no fmt.Print* or klog calls to stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The PR adds standard Go unit tests (using *testing.T), not Ginkgo e2e tests. No Ginkgo imports (It(), Describe(), Context(), When()) are present in the test file.
No-Weak-Crypto ✅ Passed No weak cryptography patterns found. Changes only add config override handling using strconv.ParseBool(), environment variable setting, and corresponding tests; no crypto algorithms, custom impleme...
Container-Privileges ✅ Passed PR only modifies Go source files to add environment variable configuration for X-SSL header filtering. No container security context, privileged settings, hostPID, hostNetwork, hostIPC, or capabili...
No-Sensitive-Data-In-Logs ✅ Passed Pull request adds RouterMutualTLSHeaderFilter configuration without logging sensitive data. Only new code logs boolean "false" value, no passwords, tokens, keys, PII, or secrets exposed in logs.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@MrSanketkumar

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/operator/controller/ingress/deployment.go (1)

540-545: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Boolean-shaped override currently rejects JSON booleans.

At Line 541 the field is typed as string, so input like {"mutualTLSHeaderFilter": false} causes unmarshal failure at Line 545 before the parse logic at Line 624 runs. That makes this override brittle for a boolean knob.

Proposed fix (accept bool and string forms)
 var unsupportedConfigOverrides struct {
 	LoadBalancingAlgorithm string `json:"loadBalancingAlgorithm"`
 	DynamicConfigManager   string `json:"dynamicConfigManager"`
 	ContStats              string `json:"contStats"`
 	MaxDynamicServers      string `json:"maxDynamicServers"`
-	MutualTLSHeaderFilter  string `json:"mutualTLSHeaderFilter"`
+	MutualTLSHeaderFilter  json.RawMessage `json:"mutualTLSHeaderFilter"`
 }

+parseBoolOverride := func(raw json.RawMessage) (bool, bool) {
+	if len(raw) == 0 {
+		return false, false
+	}
+	// native JSON bool
+	var b bool
+	if err := json.Unmarshal(raw, &b); err == nil {
+		return b, true
+	}
+	// string bool for backward compatibility
+	var s string
+	if err := json.Unmarshal(raw, &s); err == nil {
+		if v, err := strconv.ParseBool(s); err == nil {
+			return v, true
+		}
+	}
+	return false, false
+}
+
-if v, err := strconv.ParseBool(unsupportedConfigOverrides.MutualTLSHeaderFilter); err == nil && !v {
+if v, ok := parseBoolOverride(unsupportedConfigOverrides.MutualTLSHeaderFilter); ok && !v {
 	env = append(env, corev1.EnvVar{
 		Name:  RouterMutualTLSHeaderFilter,
 		Value: "false",
 	})
 }

Also applies to: 624-629

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/controller/ingress/deployment.go` around lines 540 - 545, The
MutualTLSHeaderFilter field in the unsupportedConfigOverrides struct is typed as
string, which causes JSON unmarshaling to fail when users provide JSON boolean
values (true/false) instead of strings. Change the field type from string to a
type that can accept both boolean and string JSON values (such as interface{} or
a custom type with a custom JSON unmarshaler), and update the parsing logic
around line 624-629 to handle both boolean and string forms when processing the
MutualTLSHeaderFilter value.
🧹 Nitpick comments (1)
pkg/operator/controller/ingress/deployment_test.go (1)

1240-1241: ⚡ Quick win

Use the shared env-var constant in expectations.

Replace the repeated string literal with RouterMutualTLSHeaderFilter to keep the test aligned with production naming.

Suggested refactor
 expectedEnv: []envData{
-	{"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""},
+	{RouterMutualTLSHeaderFilter, false, ""},
 },

 expectedEnv: []envData{
-	{"ROUTER_MUTUAL_TLS_HEADER_FILTER", true, "false"},
+	{RouterMutualTLSHeaderFilter, true, "false"},
 },

 expectedEnv: []envData{
-	{"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""},
+	{RouterMutualTLSHeaderFilter, false, ""},
 },

 expectedEnv: []envData{
-	{"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""},
+	{RouterMutualTLSHeaderFilter, false, ""},
 },

Also applies to: 1247-1248, 1254-1255, 1261-1262

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/controller/ingress/deployment_test.go` around lines 1240 - 1241,
Replace all occurrences of the string literal "ROUTER_MUTUAL_TLS_HEADER_FILTER"
with the shared constant RouterMutualTLSHeaderFilter throughout the test
expectations. This includes the instances in the test assertions at the
locations mentioned (lines around 1240-1241, 1247-1248, 1254-1255, and
1261-1262) to maintain consistency with production naming and reduce duplication
of magic strings in the test file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/operator/controller/ingress/deployment.go`:
- Around line 540-545: The MutualTLSHeaderFilter field in the
unsupportedConfigOverrides struct is typed as string, which causes JSON
unmarshaling to fail when users provide JSON boolean values (true/false) instead
of strings. Change the field type from string to a type that can accept both
boolean and string JSON values (such as interface{} or a custom type with a
custom JSON unmarshaler), and update the parsing logic around line 624-629 to
handle both boolean and string forms when processing the MutualTLSHeaderFilter
value.

---

Nitpick comments:
In `@pkg/operator/controller/ingress/deployment_test.go`:
- Around line 1240-1241: Replace all occurrences of the string literal
"ROUTER_MUTUAL_TLS_HEADER_FILTER" with the shared constant
RouterMutualTLSHeaderFilter throughout the test expectations. This includes the
instances in the test assertions at the locations mentioned (lines around
1240-1241, 1247-1248, 1254-1255, and 1261-1262) to maintain consistency with
production naming and reduce duplication of magic strings in the test file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bd24a479-ba35-4d32-8b80-168692b00ad2

📥 Commits

Reviewing files that changed from the base of the PR and between 7ec6093 and 82f6755.

📒 Files selected for processing (2)
  • pkg/operator/controller/ingress/deployment.go
  • pkg/operator/controller/ingress/deployment_test.go

@MrSanketkumar

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@MrSanketkumar

Copy link
Copy Markdown
Author

/retest-required

@MrSanketkumar

Copy link
Copy Markdown
Author

/hold

This PR should be merged first : openshift/router#800

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 18, 2026
@openshift-ci

openshift-ci Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Miciah

Miciah commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

This is a clean cherry-pick of #1476.

/approve
/lgtm

This is a low-risk backport PR. The assessment for the release-4.21 backport #1471 (comment) applies equally to the release-4.18 backport.

/label backport-risk-assessed

@openshift-ci openshift-ci Bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jun 27, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 27, 2026
@openshift-ci

openshift-ci Bot commented Jun 27, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 27, 2026
@Miciah Miciah removed the request for review from frobware June 27, 2026 17:48
@Miciah Miciah removed the request for review from rikatz June 27, 2026 17:48
@UdayYendva

Copy link
Copy Markdown

I created a cluster using the build that contains the merged fix from PR #1477.

ClusterVersion:

oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0-2026-06-30-070942-test-ci-ln-pn0b2d2-latest   True        False         30m     Cluster version is 4.18.0-0-2026-06-30-070942-test-ci-ln-pn0b2d2-latest

Validation of ROUTER_MUTUAL_TLS_HEADER_FILTER

  1. Verify default behavior

Initially, I checked whether the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable was present in the router deployment:

oc describe deployment/router-default | grep ROUTER_MUTUAL_TLS_HEADER_FILTER

Result: No output.

This is expected because the default value is not explicitly rendered in the deployment.

I then checked the running router pods:

oc get pods
NAME                              READY   STATUS    RESTARTS   AGE
router-default-598fcb5984-fpqrn   1/1     Running   0          2m32s
router-default-598fcb5984-pnl9b   1/1     Running   0          2m32s

Inspecting one of the newly created router pods:

oc get pod/router-default-598fcb5984-fpqrn -o yaml | grep ROUTER_MUTUAL_TLS_HEADER_FILTER -A 1

Result: No output.

This is also expected because the environment variable is omitted when using the default value.

  1. Set ROUTER_MUTUAL_TLS_HEADER_FILTER=false

After explicitly configuring:

oc patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"mutualTLSHeaderFilter":"false"}}}'
ingresscontroller.operator.openshift.io/default patched

I verified that the deployment was updated accordingly:

oc describe deployment/router-default | grep ROUTER_MUTUAL_TLS_HEADER_FILTER
      ROUTER_MUTUAL_TLS_HEADER_FILTER:           false

The router deployment then rolled out updated pods.

Checking the router pod configuration:

oc get pod/router-default-598fcb5984-fpqrn -o yaml | grep ROUTER_MUTUAL_TLS_HEADER_FILTER -A 1

- name: ROUTER_MUTUAL_TLS_HEADER_FILTER
  value: "false"

With the default value set to true, the router filters the mutual TLS headers, preventing users from leveraging the HTTP request header stripping functionality introduced in PR #800.

When ROUTER_MUTUAL_TLS_HEADER_FILTER is explicitly set to false, the filtering behavior is disabled, allowing users to access and utilize the HTTP request header stripping functionality that was implemented in PR #800.

The validation confirmed that:

By default, the environment variable is configured with a value of true.
When the value is changed to false, the updated configuration is propagated to the router deployment and router pods.
/verified by ci

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@UdayYendva: This PR has been marked as verified by ci.

Details

In response to this:

I created a cluster using the build that contains the merged fix from PR #1477.

ClusterVersion:

oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0-2026-06-30-070942-test-ci-ln-pn0b2d2-latest   True        False         30m     Cluster version is 4.18.0-0-2026-06-30-070942-test-ci-ln-pn0b2d2-latest

Validation of ROUTER_MUTUAL_TLS_HEADER_FILTER

  1. Verify default behavior

Initially, I checked whether the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable was present in the router deployment:

oc describe deployment/router-default | grep ROUTER_MUTUAL_TLS_HEADER_FILTER

Result: No output.

This is expected because the default value is not explicitly rendered in the deployment.

I then checked the running router pods:

oc get pods
NAME                              READY   STATUS    RESTARTS   AGE
router-default-598fcb5984-fpqrn   1/1     Running   0          2m32s
router-default-598fcb5984-pnl9b   1/1     Running   0          2m32s

Inspecting one of the newly created router pods:

oc get pod/router-default-598fcb5984-fpqrn -o yaml | grep ROUTER_MUTUAL_TLS_HEADER_FILTER -A 1

Result: No output.

This is also expected because the environment variable is omitted when using the default value.

  1. Set ROUTER_MUTUAL_TLS_HEADER_FILTER=false

After explicitly configuring:

oc patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"mutualTLSHeaderFilter":"false"}}}'
ingresscontroller.operator.openshift.io/default patched

I verified that the deployment was updated accordingly:

oc describe deployment/router-default | grep ROUTER_MUTUAL_TLS_HEADER_FILTER
     ROUTER_MUTUAL_TLS_HEADER_FILTER:           false

The router deployment then rolled out updated pods.

Checking the router pod configuration:

oc get pod/router-default-598fcb5984-fpqrn -o yaml | grep ROUTER_MUTUAL_TLS_HEADER_FILTER -A 1

- name: ROUTER_MUTUAL_TLS_HEADER_FILTER
 value: "false"

With the default value set to true, the router filters the mutual TLS headers, preventing users from leveraging the HTTP request header stripping functionality introduced in PR #800.

When ROUTER_MUTUAL_TLS_HEADER_FILTER is explicitly set to false, the filtering behavior is disabled, allowing users to access and utilize the HTTP request header stripping functionality that was implemented in PR #800.

The validation confirmed that:

By default, the environment variable is configured with a value of true.
When the value is changed to false, the updated configuration is propagated to the router deployment and router pods.
/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:

  • expected dependent Jira Issue OCPBUGS-86716 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@Miciah

Miciah commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@MrSanketkumar, do you mind if I add a /label tide/merge-method-squash? (Or if you can add it yourself or manually squash the commits if that is all right with you.) Ideally each individual commit should build and pass make test verify.

@Miciah

Miciah commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Also, the two commits confused me for a while while I was reviewing the various backports — it took me a while to figure out that you were adding a test and then fixing it in separate commits in this PR but squashed those commits in #1486.

@MrSanketkumar

Copy link
Copy Markdown
Author

/label tide/merge-method-squash

@openshift-ci openshift-ci Bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jul 7, 2026
@MrSanketkumar

Copy link
Copy Markdown
Author

@Miciah I've added the squash label here. Hope this helps in this case.

@MrSanketkumar

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 8, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.z) matches configured target version for branch (4.18.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-86716 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-86716 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar

Copy link
Copy Markdown
Author

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 8, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit fa958db into openshift:release-4.18 Jul 8, 2026
12 checks passed
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: Jira Issue Verification Checks: Jira Issue OCPBUGS-86715
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-86715 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener

Summary by CodeRabbit

  • New Features

  • Extended router configuration to support mutual TLS header filter overrides via unsupported config overrides, including setting or omitting the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable.

  • Tests

  • Added unit coverage to verify behavior when the override is unset, explicitly set to true/false, and when an invalid value is provided (ensuring stable deployment generation).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot

Copy link
Copy Markdown
Contributor

Fix included in release 4.18.0-0.nightly-2026-07-08-092428

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants