Bug 1253675
| Summary: | [RFE] Ability to specify global http proxy settings | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Josep 'Pep' Turro Mauri <pep> |
| Component: | RFE | Assignee: | Scott Dodson <sdodson> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Gan Huang <ghuang> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 3.0.0 | CC: | bleanhar, bparees, csvoboda, dmcphers, erich, ghuang, gpei, jkaur, jokerman, knakayam, libra-bugs, mbarrett, misalunk, mmccomas, nhashimo, plarsen, rdasilva, rmartine, sauchter, sdodson, tkimura, xiama |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | Flags: | misalunk: needinfo- |
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-20 15:08:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1267746 | ||
I can see some folks having use cases where they would want to ignore the global proxy settings to not use a proxy or even use a different proxy. Most likely this would be an application specific requirement where internet traffic would need to go through a certain proxy for a certain reason. We should still permit devs and ops to configure applications/pods to overwrite the global proxy settings if needed.

(In reply to Chuck Svoboda from comment #3)
> I can see some folks having use cases where they would want to ignore the
> global proxy settings to not use a proxy or even use a different proxy. Most
> likely this would be an application specific requirement where internet
> traffic would need to go through a certain proxy for a certain reason. We
> should still permit devs and ops to configure applications/pods to overwrite
> the global proxy settings if needed.

BuildConfigs already allow you to specify proxy settings manually. Actually, right now this is how you must do it: on every buildConfig, or dc's env settings, or templates generating them.

The goal of the request here is to be able to specify global defaults on a single place and eliminate the tedious and prone to error manual configuration required now. But overriding settings via the [already existing] per-resource configuration would still be possible - although we probably want to keep global no_proxy settings active and maybe add any individual specifications instead of overriding.

Overriding system configuration (e.g. the nodes' docker config in /etc/sysconfig/docker including proxy settings) is not possible at a resource level though.

Does that make sense?

*** Bug 1248365 has been marked as a duplicate of this bug. ***

The two stories related to this RFE are:
https://trello.com/c/aYry4Mpg/842-5-global-proxy-configuration
https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration

The support for this is in now, not sure about the install portion. Brenton?

It's next on Scott's list. There's a related DNS card he's working on right now.

Installer PR https://github.com/openshift/openshift-ansible/pull/1385
Advanced Installer Docs PR https://github.com/openshift/openshift-docs/pull/1607
Installer trello card https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration

I guess since this is assigned to me I'm going to flip it back to ON_QA so that QE tests the installer bits.

I'm putting this ON_QA as the PR has recently been updated and I'd like to get more feedback from QE.

*** Bug 1321062 has been marked as a duplicate of this bug. ***

I've pushed a much updated set of code to https://github.com/openshift/openshift-ansible/pull/1385

Key changes since previous revisions:
- portal_net (kube svc ip CIDR) and SDN CIDR ranges are added to the master's NO_PROXY value by default.
- node no longer gets proxy envars set by default, in most cases this is the right thing to do unless you require a proxy to reach the master API
- BuildDefaults admission controller is additive to any other admission controller config you have.

Anyone interested in testing this please take a look! We'll be working on getting this peer reviewed and merged soon.

In openshift-ansible-3.0.85-1.git.0.7812917.el7 which is in latest puddle

Have pasted related bugs in https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration
Once finishing the testing of the card. I'll move it to verified.

Test against with openshift-ansible-3.0.88-1.git.0.31c3daf.el7.noarch
It's blocked in container installation, and ok for rpm installation. This issue will be tracked in BZ#1335063.

Verified with openshift-ansible-3.0.90-1.git.0.a077b68.el7.noarch
BZ#1335063 has been fixed, and the rest of bugs in https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration don't block global proxy setting anymore. Move it to verified.
Description of problem:
Many OpenShift Enterprise environments require an HTTP proxy for external connectivity. Configuring OSE to work in this type of environment is cumbersome and prone to error.

Proxy settings that are applicable to the whole environment should be easy to configure on a single place and automatically applied to the relevant components as needed. This also includes automatically adding appropriate exclusions when needed, e.g. the masters' address(es) and the [current] internal registry's service IP should be automatically added to NO_PROXY environment variables as needed.

Version-Release number of selected component (if applicable):
openshift-3.0.0.1-1.git.4.eab4c86.el7ose.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSE 3 in an environment that requires http proxies for external communications
2. Configure the environment to work with http proxies

Actual results:
You have to configure different places: /etc/sysconfig/{docker,openshift-master,openshift-node}, buildConfigs, templates. You also have to manually specify exclusions related to the openshift platform itself: API endpoints, registry service IP. If there are changes (e.g. service IP for the registry changes) you have to manually keep these configurations up to date.

Expected results:
See the description above.

Additional info:
Note that you can't add the whole services subnet to the no_proxy settings at the moment due to bug 1242961
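The drift described under "Actual results" can be checked mechanically. The following is an added example, not part of the bug report or of OpenShift's or openshift-ansible's code: it parses the three sysconfig files named in the report and lists, for each file that sets a proxy, which required NO_PROXY entries are missing. The file contents, proxy URL, master hostname and registry service IP are constructed placeholders, and `parse_sysconfig` and `missing_exclusions` are hypothetical helper names.

```python
import shlex

# Constructed sample contents for the three files the report names; the proxy
# URL, hostname and registry service IP are made-up placeholders.
SAMPLE_FILES = {
    "/etc/sysconfig/docker":
        "HTTP_PROXY=http://proxy.example.com:3128\n"
        "NO_PROXY=master.example.com,172.30.10.5\n",
    "/etc/sysconfig/openshift-master":
        "HTTP_PROXY=http://proxy.example.com:3128\n"
        "NO_PROXY='master.example.com'\n",  # registry service IP is missing
    "/etc/sysconfig/openshift-node":
        "# no proxy variables set in this file\n"
        "OPTIONS=--loglevel=2\n",
}


def parse_sysconfig(text):
    """Parse KEY=value lines (shell-style quoting allowed) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        parts = shlex.split(raw)  # removes surrounding quotes
        env[key.strip().upper()] = parts[0] if parts else ""
    return env


def missing_exclusions(files, required):
    """Map each proxy-enabled file to the required NO_PROXY entries it lacks.

    Entries are compared literally: the report notes that the whole services
    subnet cannot be listed, so individual hosts and IPs are expected.
    """
    report = {}
    for path, text in files.items():
        env = parse_sysconfig(text)
        if not (env.get("HTTP_PROXY") or env.get("HTTPS_PROXY")):
            continue  # no proxy configured here, so nothing to exclude
        have = {e.strip().lower() for e in env.get("NO_PROXY", "").split(",")}
        lacking = [r for r in required if r.lower() not in have]
        if lacking:
            report[path] = lacking
    return report


if __name__ == "__main__":
    required = ["master.example.com", "172.30.10.5"]  # assumed site values
    for path, lacking in missing_exclusions(SAMPLE_FILES, required).items():
        print(f"{path}: NO_PROXY lacks {', '.join(lacking)}")
```

A file that routes traffic through the proxy without excluding the master API or the registry service IP sends that internal traffic to the external proxy, which is the misconfiguration this check surfaces.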