[release-4.15] OCPBUGS-86712: Strip X-SSL-* headers for plain HTTP

[MrSanketkumar]

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

• Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
• Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
• Secure by default - header stripping enabled unless explicitly disabled

Backport : #805

Summary by CodeRabbit

• Bug Fixes
  • Improved request header handling by removing mutual-TLS identity headers from incoming traffic when the new filtering option is enabled.
  • Applied the header cleanup consistently across HTTP, TLS-SNI, and TLS-NO-SNI connections.
  • Preserves existing behavior by keeping the feature enabled by default.

[openshift-ci-robot]

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86712, which is invalid:

• expected dependent Jira Issue OCPBUGS-86713 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ASSIGNED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

• Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
• Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
• Secure by default - header stripping enabled unless explicitly disabled

Backport : #805

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

No new commits to review since the last review.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 677f12e0-187c-4c8e-876e-9b75066a38a1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The HAProxy config template gains a ROUTER_MUTUAL_TLS_HEADER_FILTER-guarded block (defaulting to true) on the plain HTTP, fe_sni, and fe_no_sni frontends. When enabled, incoming X-SSL and X-SSL-Client-* headers are deleted before the request is forwarded.

Changes

mTLS Header Stripping Across All Frontends

Layer / File(s)	Summary
X-SSL header deletion on HTTP, fe_sni, and fe_no_sni frontends images/router/haproxy/conf/haproxy-config.template	Adds the same ROUTER_MUTUAL_TLS_HEADER_FILTER-guarded del-header directives for X-SSL and X-SSL-Client-* to all three frontends (lines 245–261, 376–393, 506–523).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 errors)

Check name	Status	Explanation	Resolution
Ote Binary Stdout Contract	❌ Error	cmd/openshift-router/main.go prints to stdout in CommandFor() via fmt.Printf, called from main(), violating the JSON-on-stdout contract.	Move the message to stderr (fmt.Fprintf(os.Stderr,...)) or return an error instead of printing to stdout in process-level startup code.
Container-Privileges	❌ Error	deploy/router.yaml sets hostNetwork: true on the ingress router Deployment, which the check explicitly flags.	Remove hostNetwork from the Deployment or document a strong justification if it must remain; no other disallowed privilege flags were found.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title is specific and matches the main fix: stripping X-SSL-* headers for plain HTTP requests.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only changes the HAProxy config template; no Ginkgo tests or titles were introduced, so there are no unstable test names to flag.
Test Structure And Quality	✅ Passed	The PR only modifies the HAProxy template; no Ginkgo test blocks or test files are touched, so this check is not applicable.
Microshift Test Compatibility	✅ Passed	Only the HAProxy template changed; no new Ginkgo e2e tests or MicroShift-sensitive APIs were added, so the check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PASS: The change is limited to the HAProxy template; I found no new Ginkgo e2e tests or SNO-sensitive node assumptions to review.
Topology-Aware Scheduling Compatibility	✅ Passed	Change is limited to HAProxy header stripping; no nodeSelectors, affinity, spread constraints, replicas, or ControlPlaneTopology logic were added.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Only the HAProxy template changed; no new Ginkgo e2e tests were added, so IPv4/disconnected-network compatibility is not applicable.
No-Weak-Crypto	✅ Passed	The PR only adds HAProxy header-stripping guards; it doesn't introduce crypto code, custom crypto, or secret comparisons.
No-Sensitive-Data-In-Logs	✅ Passed	The PR only adds header-deletion rules for X-SSL fields and no new log-format/capture statements exposing sensitive data.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign frobware for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[MrSanketkumar]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[MrSanketkumar]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@images/router/haproxy/conf/haproxy-config.template`:
- Around line 247-260: The mutual TLS header filter guard in
haproxy-config.template currently defaults malformed
ROUTER_MUTUAL_TLS_HEADER_FILTER values to false, which can unintentionally
disable the delete-header rules. Update the shared conditional used around the
HAProxy http-request del-header block so invalid or unparseable values fail
closed by treating them as enabled or by rejecting the config, and apply the
same fix consistently to all three duplicated HAProxy blocks that use this
guard.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cc196d98-e206-4d12-b3b0-cdcb06806808

📥 Commits

Reviewing files that changed from the base of the PR and between 97e96af and ff82a50.

📒 Files selected for processing (1)

• images/router/haproxy/conf/haproxy-config.template

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Find the isTrue helper implementation =="
rg -n -C3 'func\s+isTrue\b|isTrue\s*[:=]|template\.FuncMap|sprig' .

echo
echo "== Find all uses of ROUTER_MUTUAL_TLS_HEADER_FILTER =="
rg -n -C2 'ROUTER_MUTUAL_TLS_HEADER_FILTER' .

echo
echo "== Find nearby uses of isTrue in templates for comparison =="
rg -n -C2 'isTrue \(env ' images/router

Repository: openshift/router

Length of output: 19116

---

Fail closed on invalid ROUTER_MUTUAL_TLS_HEADER_FILTER values
Any malformed value here evaluates to false, so a typo disables the header filter and reopens header spoofing. Reject invalid config or treat parse errors as enabled; the same guard is duplicated in all three HAProxy blocks.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@images/router/haproxy/conf/haproxy-config.template` around lines 247 - 260,
The mutual TLS header filter guard in haproxy-config.template currently defaults
malformed ROUTER_MUTUAL_TLS_HEADER_FILTER values to false, which can
unintentionally disable the delete-header rules. Update the shared conditional
used around the HAProxy http-request del-header block so invalid or unparseable
values fail closed by treating them as enabled or by rejecting the config, and
apply the same fix consistently to all three duplicated HAProxy blocks that use
this guard.

[openshift-ci]

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.