Loading...

XML

Word

Printable

Details

Type: Feature Request
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: Network Edge
Labels:
- PassthroughAuthentication
- TLS
- client
- edge
- ip
- istio
- openshift
- openshift-routes
- passthrough
- routes

Blocked:
False
Ready:
False
Hierarchy Progress:
0
Hierarchy Progress Bar:

0% 0%
Release Note Text:
Undefined

SFDC Cases Counter:
SFDC Cases Links:

Description

1. Proposed title of this feature request

To retrieve clients' IP addresses when using TLS passthrough route in OCP 4.x

2. Who is the customer behind the request?

Account: VTB Bank (PJSC) (acct #1231932)
TAM customer: yes
Strategic: yes

3. What is the nature and description of the request?

The customer wants to fetch the client's IP in the case when the connection request is flowing through a passthrough route. However, the customer is able to retrieve the IP addresses in case of an edge route.

4. Why does the customer need this? (List the business requirements here)

According to the customers' security requirements, it is necessary to obtain a client's IP, while not transferring traffic termination to an iron balancer. Since the customer actively uses istio there, mtls mode is enabled, if they would have used edge route things might have been easier, but the customer is getting errors while implementing the scenario for the passthrough route. As for now, the customer uses the edge route and it would be nice to fix it.

5. How would the customer like to achieve this? (List the functional requirements here)

The customer tried the following steps to implement/reproduce the scenario in OCP 4.7, 4.7, and 4.8 clusters:
A. Copy the deployment from the router and gave it a different template
B. Added the below lines in the template.

{{- with $sendProxy := index $cfg.Annotations "haproxy.router.openshift.io/send-proxy" }}
{{- if (isTrue (index $cfg.Annotations "haproxy.router.openshift.io/send-proxy")) }} send-proxy {{- end }}
- end/* end send-proxy annotation */

add ENV TEMPLATE_FILE and mount ConfigMap

C. After this setup, the client's IP comes to the pod with Nginx used PROXY-PROTOCOL

6. For each functional requirement listed, specify how Red Hat and the customer can test to

We can test and confirm the requirement is successfully implemented by referring to the fact that if you try to get the client's IP when using both mtls and passthrough route then mtls works correctly except for the passthrough route since one certificate cannot be used for all projects. If we are getting the client's IP address using the passthrough route then the issue is resolved.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?
No

Attachments

Activity

People

Assignee:: Marc Curry

Reporter:: Mridul Markandey

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2021/07/21 9:50 PM

Updated:: 2022/11/12 11:57 AM

Resolved:: 2022/08/09 10:26 AM