[release-4.16] OCPBUGS-86713: Add configuration override for X-SSL strip#1487
Conversation
Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to router with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86713, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
/hold This PR should be merged first : openshift/router#805 |
|
/retest-required |
|
/test e2e-hypershift |
|
I created a cluster using the build that contains the merged fix from PR #1487. ClusterVersion: Validation of ROUTER_MUTUAL_TLS_HEADER_FILTER
Initially, I checked whether the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable was present in the router deployment: This is expected because the default value is not explicitly rendered in the deployment. I then checked the running router pods: Inspecting one of the newly created router pods: This is also expected because the environment variable is omitted when using the default value.
After explicitly configuring: I verified that the deployment was updated accordingly: The router deployment then rolled out updated pods. Checking the router pod configuration: With the default value set to true, the router filters the mutual TLS headers, preventing users from leveraging the HTTP request header stripping functionality introduced in PR openshift/router#805. When ROUTER_MUTUAL_TLS_HEADER_FILTER is explicitly set to false, the filtering behavior is disabled, allowing users to access and utilize the HTTP request header stripping functionality that was implemented in PR #openshift/router#805. The validation confirmed that: By default, the environment variable is configured with a value of true. |
|
@UdayYendva: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test e2e-hypershift |
|
@MrSanketkumar: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
This is a clean cherry-pick of #1486. /approve This is a low-risk backport PR. The assessment for the release-4.21 backport #1471 (comment) applies equally to the release-4.16 backport. /label backport-risk-assessed |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/jira refresh |
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86713, which is valid. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/unhold |
486cf49
into
openshift:release-4.16
|
@MrSanketkumar: Jira Issue Verification Checks: Jira Issue OCPBUGS-86713 Jira Issue OCPBUGS-86713 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Fix included in release 4.16.0-0.nightly-2026-07-09-201356 |
Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to router with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener