diff --git a/pkg/operator/controller/ingress/deployment.go b/pkg/operator/controller/ingress/deployment.go
index 6638b18ad1..eb083d7b60 100644
--- a/pkg/operator/controller/ingress/deployment.go
+++ b/pkg/operator/controller/ingress/deployment.go
@@ -140,9 +140,10 @@ const (
 WorkloadPartitioningManagement = "target.workload.openshift.io/management"
- RouterClientAuthPolicy = "ROUTER_MUTUAL_TLS_AUTH"
- RouterClientAuthCA = "ROUTER_MUTUAL_TLS_AUTH_CA"
- RouterClientAuthFilter = "ROUTER_MUTUAL_TLS_AUTH_FILTER"
+ RouterClientAuthPolicy = "ROUTER_MUTUAL_TLS_AUTH"
+ RouterClientAuthCA = "ROUTER_MUTUAL_TLS_AUTH_CA"
+ RouterClientAuthFilter = "ROUTER_MUTUAL_TLS_AUTH_FILTER"
+ RouterMutualTLSHeaderFilter = "ROUTER_MUTUAL_TLS_HEADER_FILTER"
 RouterEnableCompression = "ROUTER_ENABLE_COMPRESSION"
 RouterCompressionMIMETypes = "ROUTER_COMPRESSION_MIME"
@@ -577,7 +578,8 @@ func desiredRouterDeployment(ci *operatorv1.IngressController, config *Config, i
 // Note, however, that dynamic servers consume memory even when not enabled.
 // Use this analysis of the memory usage to assess the impact of different numbers of servers:
 // https://gist.github.com/frobware/2b527ce3f040797909eff482a4776e0b
- MaxDynamicServers string `json:"maxDynamicServers"`
+ MaxDynamicServers string `json:"maxDynamicServers"`
+ MutualTLSHeaderFilter string `json:"mutualTLSHeaderFilter"`
 }
 if len(ci.Spec.UnsupportedConfigOverrides.Raw) > 0 {
 if err := json.Unmarshal(ci.Spec.UnsupportedConfigOverrides.Raw, &unsupportedConfigOverrides); err != nil {
@@ -663,6 +665,13 @@ func desiredRouterDeployment(ci *operatorv1.IngressController, config *Config, i
 })
 }
+ if v, err := strconv.ParseBool(unsupportedConfigOverrides.MutualTLSHeaderFilter); err == nil && !v {
+ env = append(env, corev1.EnvVar{
+ Name: RouterMutualTLSHeaderFilter,
+ Value: "false",
+ })
+ }
+
 if len(ci.Status.Domain) > 0 {
 cName := "router-" + ci.Name + "." + ci.Status.Domain
 env = append(env,
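Review bot: The new `MutualTLSHeaderFilter` field in the `unsupportedConfigOverrides` struct has no comment, although the `MaxDynamicServers` field directly above it carries a detailed one. A false value here switches off what the name suggests is a filter on mutual-TLS headers, so the field should say what it controls and how it is parsed, for example `// MutualTLSHeaderFilter, when it parses as false, sets ROUTER_MUTUAL_TLS_HEADER_FILTER=false on the router; unset, true or unparsable values leave the variable unset.` The comment should also state that the value has to be a JSON string, since the field is typed `string`. The struct declaration begins outside this hunk.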
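Review bot: The added `strconv.ParseBool` branch turns the header filter off without any log line, and it accepts more spellings than the new test in deployment_test.go pins: `"0"`, `"f"`, `"F"`, `"FALSE"` and `"False"` also parse as false. If the filter does what its name suggests, disabling it is a security-relevant change that an operator should be able to see in the logs, so the branch should log that the override was applied and for which IngressController. Ignoring the parse error is fail-safe, because unset or unparsable values keep the router default, but that intent is worth a comment such as `// Only an explicit false disables the filter; unset or unparsable values keep the router default.` If only the literal is meant to be accepted, `if unsupportedConfigOverrides.MutualTLSHeaderFilter == "false" {` would say so directly. desiredRouterDeployment starts and ends outside this hunk.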
diff --git a/pkg/operator/controller/ingress/deployment_test.go b/pkg/operator/controller/ingress/deployment_test.go
index 0f5e06cffd..7408d51ce4 100644
--- a/pkg/operator/controller/ingress/deployment_test.go
+++ b/pkg/operator/controller/ingress/deployment_test.go
@@ -1494,6 +1494,66 @@ func TestDesiredRouterDeploymentDynamicConfigManager(t *testing.T) {
 }
 }
+func TestDesiredRouterDeploymentMutualTLSHeaderFilter(t *testing.T) {
+ testCases := []struct {
+ name string
+ unsupportedConfigOverrides string
+ expectedEnv []envData
+ }{
+ {
+ name: "not-set",
+ unsupportedConfigOverrides: `{}`,
+ expectedEnv: []envData{
+ {"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""},
+ },
+ },
+ {
+ name: "set-to-false",
+ unsupportedConfigOverrides: `{"mutualTLSHeaderFilter":"false"}`,
+ expectedEnv: []envData{
+ {"ROUTER_MUTUAL_TLS_HEADER_FILTER", true, "false"},
+ },
+ },
+ {
+ name: "set-to-true",
+ unsupportedConfigOverrides: `{"mutualTLSHeaderFilter":"true"}`,
+ expectedEnv: []envData{
+ {"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""},
+ },
+ },
+ {
+ name: "set-to-invalid-value",
+ unsupportedConfigOverrides: `{"mutualTLSHeaderFilter":"banana"}`,
+ expectedEnv: []envData{
+ {"ROUTER_MUTUAL_TLS_HEADER_FILTER", false, ""},
+ },
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ ic := &operatorv1.IngressController{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "default",
+ },
+ Spec: operatorv1.IngressControllerSpec{
+ UnsupportedConfigOverrides: runtime.RawExtension{
+ Raw: []byte(tc.unsupportedConfigOverrides),
+ },
+ },
+ Status: operatorv1.IngressControllerStatus{
+ EndpointPublishingStrategy: &operatorv1.EndpointPublishingStrategy{
+ Type: operatorv1.PrivateStrategyType,
+ },
+ },
+ }
+
+ deployment, err := desiredRouterDeployment(ic, &Config{IngressControllerImage: ingressControllerImage}, &configv1.Ingress{}, &configv1.Infrastructure{}, &configv1.APIServer{}, &configv1.Network{}, nil, false, false, nil, &configv1.Proxy{})
+ assert.NoError(t, err)
+ assert.NoError(t, checkDeploymentEnvironment(t, deployment, tc.expectedEnv))
+ })
+ }
+}
+
 func checkContainerPort(t *testing.T, d *appsv1.Deployment, portName string, port int32) {
 t.Helper()
 for _, p := range d.Spec.Template.Spec.Containers[0].Ports {
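Review bot: The table in TestDesiredRouterDeploymentMutualTLSHeaderFilter never feeds a non-string JSON value, so the behaviour for an override written as a bare boolean, `{"mutualTLSHeaderFilter":false}`, is not pinned. The override field is declared as `string` in deployment.go, so that input should make `json.Unmarshal` fail and take the error branch in desiredRouterDeployment, whose body is not visible in this diff. Every case currently runs `assert.NoError(t, err)`, so covering it needs an `expectError bool` column in the case struct and a check on it before the environment is compared. That would document whether a bare boolean is rejected outright or silently leaves the filter enabled.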