Skip to content

OCPBUGS-87205: Add configuration override for X-SSL strip#1465

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
rikatz:ocpbugs-87205
Jun 9, 2026
Merged

OCPBUGS-87205: Add configuration override for X-SSL strip#1465
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
rikatz:ocpbugs-87205

Conversation

@rikatz

@rikatz rikatz commented Jun 8, 2026

Copy link
Copy Markdown
Member

Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener

This PR should be merged after openshift/router#787

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 8, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

@rikatz: This pull request references Jira Issue OCPBUGS-87205, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener

This PR should be merged after openshift/router#787

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 8, 2026
edited
Loading

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7e69a65d-beff-4d6b-a082-90ee4fd05a87

📥 Commits

Reviewing files that changed from the base of the PR and between 365f7dd and 77b06b5.

📒 Files selected for processing (2)
  • pkg/operator/controller/ingress/deployment.go
  • pkg/operator/controller/ingress/deployment_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/operator/controller/ingress/deployment.go
  • pkg/operator/controller/ingress/deployment_test.go
📝 Walkthrough

Walkthrough

This PR adds support for a new mutualTLSHeaderFilter override in unsupportedConfigOverrides. It introduces the exported constant RouterMutualTLSHeaderFilter, extends the unsupportedConfigOverrides struct to include MutualTLSHeaderFilter, and updates desiredRouterDeployment to parse that field and inject ROUTER_MUTUAL_TLS_HEADER_FILTER=false into the router container only when the override parses successfully to false. A table-driven unit test covers no override, "false", "true", and invalid values.

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality ❓ Inconclusive Custom check specifies Ginkgo test code review, but this codebase uses standard Go testing framework, not Ginkgo. Check is misaligned with actual testing approach. Clarify if check applies to standard Go tests instead of Ginkgo tests, as codebase uses Go's testing.T with table-driven tests.
✅ Passed checks (13 passed)
Check name Status Explanation
Title check ✅ Passed The title references OCPBUGS-87205 and mentions adding a configuration override for X-SSL stripping, which aligns with the changeset that adds a RouterMutualTLSHeaderFilter configuration override for controlling router behavior on TLS headers.
Description check ✅ Passed The description explains the context of router X-SSL header stripping and the need for a configuration knob, which directly relates to the changes that add the RouterMutualTLSHeaderFilter configuration override functionality.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Ginkgo check not applicable—file uses standard Go testing (t.Run), not Ginkgo syntax. Test subtitles are static: "not-set", "set-to-false", "set-to-true", "set-to-invalid-value".
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added. The PR only adds a standard Go unit test (TestDesiredRouterDeploymentMutualTLSHeaderFilter) to deployment_test.go using t *testing.T, not Ginkgo DSL.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR adds only standard Go unit tests in pkg/operator/controller/, not Ginkgo e2e tests. SNO check applies only to new Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility ✅ Passed PR adds environment variable configuration override for header filtering; no scheduling constraints (affinity, anti-affinity, topology spread, PDBs, node selectors) are introduced or modified.
Ote Binary Stdout Contract ✅ Passed PR adds a constant and test with no stdout writes in process-level code. New constant is a string literal; test uses standard Go testing with assert calls.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed This PR adds only standard Go unit tests (using testing.T), not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests, so it is not applicable.
No-Weak-Crypto ✅ Passed PR adds TLS header filter configuration override without weak cryptography. No MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto, or insecure secret comparisons detected.
Container-Privileges ✅ Passed PR adds only an environment variable configuration override with no privileged settings, capabilities escalation, or security context changes introduced.
No-Sensitive-Data-In-Logs ✅ Passed No sensitive data logging found. The code parses a config override and sets an environment variable without logging configuration values, credentials, tokens, or PII.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot requested review from candita and davidesalerno June 8, 2026 15:26
coderabbitai[bot]
coderabbitai Bot reviewed Jun 8, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
pkg/operator/controller/ingress/deployment_test.go (1)

1551-1557: ⚡ Quick win

Use assert for this test’s error checks and short-circuit follow-on assertions.

Line 1551 and Line 1556 use t.Error, which keeps running after an unexpected setup failure. Prefer assert.NoError here to match repo test conventions and avoid cascading failures.

Suggested update 
-			deployment, err := desiredRouterDeployment(ic, &Config{IngressControllerImage: ingressControllerImage}, &configv1.Ingress{}, &configv1.Infrastructure{}, &configv1.APIServer{}, &configv1.Network{}, nil, false, false, nil, &configv1.Proxy{})
-			if err != nil {
-				t.Error(err)
-			}
-
-			if err := checkDeploymentEnvironment(t, deployment, tc.expectedEnv); err != nil {
-				t.Error(err)
-			}
+			deployment, err := desiredRouterDeployment(ic, &Config{IngressControllerImage: ingressControllerImage}, &configv1.Ingress{}, &configv1.Infrastructure{}, &configv1.APIServer{}, &configv1.Network{}, nil, false, false, nil, &configv1.Proxy{})
+			if assert.NoError(t, err) {
+				assert.NoError(t, checkDeploymentEnvironment(t, deployment, tc.expectedEnv))
+			}

As per coding guidelines, **/*_test.go should use github.com/stretchr/testify/assert for assertions.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/controller/ingress/deployment_test.go` around lines 1551 - 1557,
Replace the non-fatal t.Error checks in this test with testify assertions that
short-circuit: import "github.com/stretchr/testify/assert" in
pkg/operator/controller/ingress/deployment_test.go, then change the error checks
around the Deployment setup and verification to use assert.NoError(t, err, ...)
so the test stops on setup failures and subsequent assertions (like the call to
checkDeploymentEnvironment) are not executed after an unexpected error; keep the
call to checkDeploymentEnvironment but wrap its error check as assert.NoError(t,
err) as well to follow repo test conventions.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/operator/controller/ingress/deployment_test.go`:
- Around line 1551-1557: Replace the non-fatal t.Error checks in this test with
testify assertions that short-circuit: import
"github.com/stretchr/testify/assert" in
pkg/operator/controller/ingress/deployment_test.go, then change the error checks
around the Deployment setup and verification to use assert.NoError(t, err, ...)
so the test stops on setup failures and subsequent assertions (like the call to
checkDeploymentEnvironment) are not executed after an unexpected error; keep the
call to checkDeploymentEnvironment but wrap its error check as assert.NoError(t,
err) as well to follow repo test conventions.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b3db2192-6a76-446a-aeaf-869982fede6b

📥 Commits

Reviewing files that changed from the base of the PR and between 140e0bf and 6e74ea3.

📒 Files selected for processing (2)
  • pkg/operator/controller/ingress/deployment.go
  • pkg/operator/controller/ingress/deployment_test.go

Miciah
Miciah reviewed Jun 8, 2026
View reviewed changes

@Miciah Miciah left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, just one suggested minor cleanup.

/approve
/lgtm

Comment thread pkg/operator/controller/ingress/deployment_test.go Outdated
Comment on lines +1551 to +1557
if err != nil {
t.Error(err)
}

if err := checkDeploymentEnvironment(t, deployment, tc.expectedEnv); err != nil {
t.Error(err)
}

@Miciah Miciah Jun 8, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if err != nil {
t.Error(err)
}
if err := checkDeploymentEnvironment(t, deployment, tc.expectedEnv); err != nil {
t.Error(err)
}
assert.NoError(t, err)
assert.NoError(t, checkDeploymentEnvironment(t, deployment, tc.expectedEnv))

Edit: Sorry, CodeRabbit already made the same suggestion here: #1465 (review)

@rikatz rikatz Jun 8, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 8, 2026
@openshift-ci

openshift-ci Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 8, 2026
@rikatz

rikatz commented Jun 8, 2026

Copy link
Copy Markdown
Member Author

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 8, 2026
@rikatz
OCPBUGS-87205: Add configuration override for X-SSL strip
77b06b5 
Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing
TLS termination and sending traffic to rotuer with these headers. While this topology
is not supported, there is a need for a knob to allow these users to rollback this validation
assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jun 8, 2026
@rikatz

rikatz commented Jun 8, 2026

Copy link
Copy Markdown
Member Author

/hold cancel

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 8, 2026
@Miciah

Miciah commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Thanks!
/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 9, 2026
@rikatz

rikatz commented Jun 9, 2026

Copy link
Copy Markdown
Member Author

/retest-required

@openshift-ci-robot openshift-ci-robot mentioned this pull request Jun 9, 2026
Merged
@rhamini3

rhamini3 commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Confirmed on 5.0.0 clusterbot the behavior and changes are expected

Unset override
% oc -n openshift-ingress get deployment -o yaml | grep ROUTER_MUTUAL
%

Override set to False
% oc patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"mutualTLSHeaderFilter":"false"}}}'
ingresscontroller.operator.openshift.io/default patched

spec:
  clientTLS:
    clientCA:
      name: ""
    clientCertificatePolicy: ""
  closedClientConnectionPolicy: Continue
  httpCompression: {}
  httpEmptyRequestsPolicy: Respond
  httpErrorCodePages:
    name: ""
  idleConnectionTerminationPolicy: Immediate
  replicas: 2
  tuningOptions:
    reloadInterval: 0s
  unsupportedConfigOverrides:
    mutualTLSHeaderFilter: "false"

% oc -n openshift-ingress get deployment -o yaml | grep ROUTER_MUTUAL -A3 
          - name: ROUTER_MUTUAL_TLS_HEADER_FILTER
            value: "false"

Override set to true
% oc patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"mutualTLSHeaderFilter":"true"}}}' 
ingresscontroller.operator.openshift.io/default patched

spec:
  clientTLS:
    clientCA:
      name: ""
    clientCertificatePolicy: ""
  closedClientConnectionPolicy: Continue
  httpCompression: {}
  httpEmptyRequestsPolicy: Respond
  httpErrorCodePages:
    name: ""
  idleConnectionTerminationPolicy: Immediate
  replicas: 2
  tuningOptions:
    reloadInterval: 0s
  unsupportedConfigOverrides:
    mutualTLSHeaderFilter: "true"

% oc -n openshift-ingress get deployment -o yaml | grep ROUTER_MUTUAL -A3 
%

Confirmed that the router env var is only present if mutualTLSHeaderFilter=false
/verified by @rhamini3

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 9, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

@rhamini3: This PR has been marked as verified by @rhamini3.

Details

In response to this:

Confirmed on 5.0.0 clusterbot the behavior and changes are expected

Unset override
% oc -n openshift-ingress get deployment -o yaml | grep ROUTER_MUTUAL
%

Override set to False
% oc patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"mutualTLSHeaderFilter":"false"}}}'
ingresscontroller.operator.openshift.io/default patched

spec:
 clientTLS:
   clientCA:
     name: ""
   clientCertificatePolicy: ""
 closedClientConnectionPolicy: Continue
 httpCompression: {}
 httpEmptyRequestsPolicy: Respond
 httpErrorCodePages:
   name: ""
 idleConnectionTerminationPolicy: Immediate
 replicas: 2
 tuningOptions:
   reloadInterval: 0s
 unsupportedConfigOverrides:
   mutualTLSHeaderFilter: "false"

% oc -n openshift-ingress get deployment -o yaml | grep ROUTER_MUTUAL -A3 
         - name: ROUTER_MUTUAL_TLS_HEADER_FILTER
           value: "false"

Override set to true
% oc patch ingresscontroller default -n openshift-ingress-operator --type=merge -p '{"spec":{"unsupportedConfigOverrides":{"mutualTLSHeaderFilter":"true"}}}' 
ingresscontroller.operator.openshift.io/default patched

spec:
 clientTLS:
   clientCA:
     name: ""
   clientCertificatePolicy: ""
 closedClientConnectionPolicy: Continue
 httpCompression: {}
 httpEmptyRequestsPolicy: Respond
 httpErrorCodePages:
   name: ""
 idleConnectionTerminationPolicy: Immediate
 replicas: 2
 tuningOptions:
   reloadInterval: 0s
 unsupportedConfigOverrides:
   mutualTLSHeaderFilter: "true"

% oc -n openshift-ingress get deployment -o yaml | grep ROUTER_MUTUAL -A3 
%

Confirmed that the router env var is only present if mutualTLSHeaderFilter=false
/verified by @rhamini3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot

openshift-merge-bot Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 5f559ae and 2 for PR HEAD 77b06b5 in total

@openshift-ci

openshift-ci Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

@rikatz: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit e1c32f8 into openshift:master Jun 9, 2026
20 checks passed
@openshift-ci-robot

openshift-ci-robot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

@rikatz: Jira Issue Verification Checks: Jira Issue OCPBUGS-87205
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-87205 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Router strips X-SSL headers from HTTP listeners. In some cases a Load Balancer may be doing TLS termination and sending traffic to rotuer with these headers. While this topology is not supported, there is a need for a knob to allow these users to rollback this validation assuming the risks of allowing the router to accept the X-SSL headers on the HTTP listener

This PR should be merged after openshift/router#787

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot

openshift-merge-robot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Fix included in release 5.0.0-0.nightly-2026-06-10-061513

@coderabbitai coderabbitai Bot mentioned this pull request Jun 10, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Miciah Miciah Miciah left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@candita candita Awaiting requested review from candita

@davidesalerno davidesalerno Awaiting requested review from davidesalerno

Assignees

@Miciah Miciah

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@rikatz @openshift-ci-robot @Miciah @rhamini3 @openshift-merge-robot