[release-4.18] OCPBUGS-86715: Add configuration override for X-SSL strip#1477
Conversation
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86716, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener
0d1337b to
82f6755
Compare
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughAdds support for a ChangesmutualTLSHeaderFilter Unsupported Config Override
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 13 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (13 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
pkg/operator/controller/ingress/deployment.go (1)
540-545:⚠️ Potential issue | 🟠 Major | ⚡ Quick winBoolean-shaped override currently rejects JSON booleans.
At Line 541 the field is typed as
string, so input like{"mutualTLSHeaderFilter": false}causes unmarshal failure at Line 545 before the parse logic at Line 624 runs. That makes this override brittle for a boolean knob.Proposed fix (accept bool and string forms)
var unsupportedConfigOverrides struct { LoadBalancingAlgorithm string `json:"loadBalancingAlgorithm"` DynamicConfigManager string `json:"dynamicConfigManager"` ContStats string `json:"contStats"` MaxDynamicServers string `json:"maxDynamicServers"` - MutualTLSHeaderFilter string `json:"mutualTLSHeaderFilter"` + MutualTLSHeaderFilter json.RawMessage `json:"mutualTLSHeaderFilter"` } +parseBoolOverride := func(raw json.RawMessage) (bool, bool) { + if len(raw) == 0 { + return false, false + } + // native JSON bool + var b bool + if err := json.Unmarshal(raw, &b); err == nil { + return b, true + } + // string bool for backward compatibility + var s string + if err := json.Unmarshal(raw, &s); err == nil { + if v, err := strconv.ParseBool(s); err == nil { + return v, true + } + } + return false, false +} + -if v, err := strconv.ParseBool(unsupportedConfigOverrides.MutualTLSHeaderFilter); err == nil && !v { +if v, ok := parseBoolOverride(unsupportedConfigOverrides.MutualTLSHeaderFilter); ok && !v { env = append(env, corev1.EnvVar{ Name: RouterMutualTLSHeaderFilter, Value: "false", }) }Also applies to: 624-629
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/operator/controller/ingress/deployment.go` around lines 540 - 545, The MutualTLSHeaderFilter field in the unsupportedConfigOverrides struct is typed as string, which causes JSON unmarshaling to fail when users provide JSON boolean values (true/false) instead of strings. Change the field type from string to a type that can accept both boolean and string JSON values (such as interface{} or a custom type with a custom JSON unmarshaler), and update the parsing logic around line 624-629 to handle both boolean and string forms when processing the MutualTLSHeaderFilter value.
🧹 Nitpick comments (1)
pkg/operator/controller/ingress/deployment_test.go (1)
1240-1241: ⚡ Quick winUse the shared env-var constant in expectations.
Replace the repeated string literal with
RouterMutualTLSHeaderFilterto keep the test aligned with production naming.Suggested refactor
expectedEnv: []envData{ - {"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""}, + {RouterMutualTLSHeaderFilter, false, ""}, }, expectedEnv: []envData{ - {"ROUTER_MUTUAL_TLS_HEADER_FILTER", true, "false"}, + {RouterMutualTLSHeaderFilter, true, "false"}, }, expectedEnv: []envData{ - {"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""}, + {RouterMutualTLSHeaderFilter, false, ""}, }, expectedEnv: []envData{ - {"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""}, + {RouterMutualTLSHeaderFilter, false, ""}, },Also applies to: 1247-1248, 1254-1255, 1261-1262
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/operator/controller/ingress/deployment_test.go` around lines 1240 - 1241, Replace all occurrences of the string literal "ROUTER_MUTUAL_TLS_HEADER_FILTER" with the shared constant RouterMutualTLSHeaderFilter throughout the test expectations. This includes the instances in the test assertions at the locations mentioned (lines around 1240-1241, 1247-1248, 1254-1255, and 1261-1262) to maintain consistency with production naming and reduce duplication of magic strings in the test file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@pkg/operator/controller/ingress/deployment.go`:
- Around line 540-545: The MutualTLSHeaderFilter field in the
unsupportedConfigOverrides struct is typed as string, which causes JSON
unmarshaling to fail when users provide JSON boolean values (true/false) instead
of strings. Change the field type from string to a type that can accept both
boolean and string JSON values (such as interface{} or a custom type with a
custom JSON unmarshaler), and update the parsing logic around line 624-629 to
handle both boolean and string forms when processing the MutualTLSHeaderFilter
value.
---
Nitpick comments:
In `@pkg/operator/controller/ingress/deployment_test.go`:
- Around line 1240-1241: Replace all occurrences of the string literal
"ROUTER_MUTUAL_TLS_HEADER_FILTER" with the shared constant
RouterMutualTLSHeaderFilter throughout the test expectations. This includes the
instances in the test assertions at the locations mentioned (lines around
1240-1241, 1247-1248, 1254-1255, and 1261-1262) to maintain consistency with
production naming and reduce duplication of magic strings in the test file.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: bd24a479-ba35-4d32-8b80-168692b00ad2
📒 Files selected for processing (2)
pkg/operator/controller/ingress/deployment.gopkg/operator/controller/ingress/deployment_test.go
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
/retest-required |
|
/hold This PR should be merged first : openshift/router#800 |
|
@MrSanketkumar: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
This is a clean cherry-pick of #1476. /approve This is a low-risk backport PR. The assessment for the release-4.21 backport #1471 (comment) applies equally to the release-4.18 backport. /label backport-risk-assessed |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
I created a cluster using the build that contains the merged fix from PR #1477. ClusterVersion: Validation of ROUTER_MUTUAL_TLS_HEADER_FILTER
Initially, I checked whether the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable was present in the router deployment: This is expected because the default value is not explicitly rendered in the deployment. I then checked the running router pods: Inspecting one of the newly created router pods: This is also expected because the environment variable is omitted when using the default value.
After explicitly configuring: I verified that the deployment was updated accordingly: The router deployment then rolled out updated pods. Checking the router pod configuration: With the default value set to true, the router filters the mutual TLS headers, preventing users from leveraging the HTTP request header stripping functionality introduced in PR #800. When ROUTER_MUTUAL_TLS_HEADER_FILTER is explicitly set to false, the filtering behavior is disabled, allowing users to access and utilize the HTTP request header stripping functionality that was implemented in PR #800. The validation confirmed that: By default, the environment variable is configured with a value of true. |
|
@UdayYendva: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:
Comment DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@MrSanketkumar, do you mind if I add a |
|
Also, the two commits confused me for a while while I was reviewing the various backports — it took me a while to figure out that you were adding a test and then fixing it in separate commits in this PR but squashed those commits in #1486. |
|
/label tide/merge-method-squash |
|
@Miciah I've added the squash label here. Hope this helps in this case. |
|
/jira refresh |
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is valid. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/unhold |
fa958db
into
openshift:release-4.18
|
@MrSanketkumar: Jira Issue Verification Checks: Jira Issue OCPBUGS-86715 Jira Issue OCPBUGS-86715 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Fix included in release 4.18.0-0.nightly-2026-07-08-092428 |
Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener
Summary by CodeRabbit
New Features
ROUTER_MUTUAL_TLS_HEADER_FILTERenvironment variable.Tests
true/false, and when an invalid value is provided (ensuring stable deployment generation).