[release-4.14] OCPBUGS-86711: Strip X-SSL-* headers for plain HTTP#807
Conversation
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86711, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughThe HAProxy config template adds conditional ChangesmTLS Header Stripping in HAProxy Frontends
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error)
✅ Passed checks (14 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
images/router/haproxy/conf/haproxy-config.template (1)
247-260: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winOptional: the identical 12-line strip block is repeated in all three frontends.
This security-critical list now lives in three places (here, 380-391, 510-521) and can silently drift out of sync with the
set-headerlist. A single{{- define }}/{{- template }}block would keep them aligned. Given this is a backport of#806, only do this if it stays consistent with upstream; otherwise prefer matching upstream verbatim.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@images/router/haproxy/conf/haproxy-config.template` around lines 247 - 260, The repeated mutual TLS header stripping block in haproxy-config.template is duplicated across the frontend sections and can drift from the set-header list. Extract the 12-line delete sequence into a single reusable template with a unique name using {{- define }} and render it with {{- template }} in each frontend, keeping the existing ROUTER_MUTUAL_TLS_HEADER_FILTER gate and matching upstream behavior if this backport needs to stay verbatim.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@images/router/haproxy/conf/haproxy-config.template`:
- Around line 247-260: The repeated mutual TLS header stripping block in
haproxy-config.template is duplicated across the frontend sections and can drift
from the set-header list. Extract the 12-line delete sequence into a single
reusable template with a unique name using {{- define }} and render it with {{-
template }} in each frontend, keeping the existing
ROUTER_MUTUAL_TLS_HEADER_FILTER gate and matching upstream behavior if this
backport needs to stay verbatim.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4dfe00a5-018d-452e-9faa-cdc6852db232
📒 Files selected for processing (1)
images/router/haproxy/conf/haproxy-config.template
|
@MrSanketkumar: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
I’ve created a cluster using the PR that includes the merged fix from PR #807. The corresponding ClusterVersion is: 4.14.0-0-2026-07-02-062204-test-ci-ln-s3c3d3k-latest After inspecting one of the pods, I confirmed that the latest changes from the PR are present in the Router , SNI and NO SNI code paths, Therefore succesfully indicating that the fix has been successfully deployed These are the same changes that were introduced in #807 # Strip off X-SSL* headers for plain HTTP if not explicitly disabled. /Verified by ci |
|
@UdayYendva: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
This is a clean cherry-pick of #806. /approve This is a medium-risk backport. The assessment for the release-4.21 backport #795 (comment) applies equally to the release-4.14 backport. /label backport-risk-assessed |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/jira refresh |
|
@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86711, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
20c72c8
into
openshift:release-4.14
|
@MrSanketkumar: Jira Issue OCPBUGS-86711: Some pull requests linked via external trackers have merged: The following pull request, linked via external tracker, has not merged: All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-86711 has not been moved to the MODIFIED state. This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection
Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.
Changes:
Backport : #806
Summary by CodeRabbit