Bug 1397475

Summary: [Behind Proxy][3.4] Cannot use ssh for git repos when http/s proxy is set
Product: OpenShift Container Platform
Reporter: Miheer Salunke <misalunk>
Component: Build
Assignee: Ben Parees <bparees>
Status: CLOSED ERRATA
QA Contact: Wang Haoran <haowang>
Severity: medium
Priority: medium
Version: 3.2.1
CC: aos-bugs, bparees, dsundqvi, knakayam, mifiedle, pascal.bach, rymurphy, sgarciam, wzheng, xtian
Target Milestone: ---
Target Release: 3.4.z
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Proxy value validation prevented use of default cluster proxy settings with ssh git urls.
Consequence: Buildconfigs that used ssh git urls in a cluster with default proxy settings would get a validation error unless the proxy value was explicitly set to empty string in the buildconfig.
Fix: Validation will no longer reject buildconfigs that use ssh git urls and have a proxy value set. However, the proxy value will not be used when an ssh git url is supplied.
Result: Buildconfigs that specify ssh git urls will not get a validation error even if the cluster defines a default git proxy value.
Story Points: ---
Clone Of:
: 1414522 (view as bug list) Environment:
Last Closed: 2017-01-31 20:18:59 UTC Type: Bug
Bug Blocks: 1414522    

Description Miheer Salunke 2016-11-22 15:45:40 UTC
1. Proposed title of this feature request
=> Cannot use ssh for git repos when http/s proxy is set


3. What is the nature and description of the request?
=> A check in the build validation (func validateGitSource) will prevent any use of ssh to access git repos when the http or https proxy variables are set in the cluster proxy settings.

The cluster is installed with openshift_http_proxy and openshift_https_proxy variables set in installer variables. However, when gitHTTPProxy and gitHTTPSProxy are set as a consequence, we cannot access internal git repositories with ssh:// URIs due to the mentioned build validation.

Our current workaround to access internal private git repositories with SSH is to set gitHTTPProxy and gitHTTPSProxy to blank values in /etc/origin/master/master-config.yaml. This way users can access local git repositories with ssh:// URIs as expected.

However, to access any external repository (access to external repos would use HTTP/S) we would need to use a proxy. This ticket is for investigating possibilities of changing the build validation to allow SSH-accessed git repos even when the gitHTTPProxy and gitHTTPSProxy parameters are set.


The result is an error message 'only http:// and https:// GIT protocols are allowed with HTTP or HTTPS proxy set'

Expected behavior: The proxy settings for http should not interfere with the ability to access internal ssh git repos.

Comment 2 Ben Parees 2016-11-23 14:42:09 UTC
To fix this we should just remove the validation rule and allow proxy values to be set regardless of git protocol.

Comment 3 Pascal Bach 2016-12-01 14:00:30 UTC
Removing the check would be fine with me.

Comment 4 Kenjiro Nakayama 2017-01-11 08:56:43 UTC
This is not a new feature request, but just a regression due to https://github.com/openshift/origin/pull/5959. I hope that this ticket will be handled in a more timely manner...

Comment 5 Kenjiro Nakayama 2017-01-12 05:42:35 UTC
One of the customers is asking for the ETA. Could you please tell us the ETA?

Comment 6 Kenjiro Nakayama 2017-01-12 10:16:27 UTC
The enterprise customer is asking us to provide the fix for 3.3. If you fix this upstream, please backport it to OCP 3.3.

Comment 7 Ben Parees 2017-01-12 15:26:01 UTC
https://github.com/openshift/origin/pull/12463

Comment 8 openshift-github-bot 2017-01-12 23:12:25 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/cd8299b4556452dc0c1543d74253197a8cc37e70
allow proxy values to be specified with non-http git uris

bug 1397475
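
The validation rule reported in this bug, next to the behaviour the Doc Text describes after the fix, as an added Go example that is not taken from the openshift/origin code. `GitSource`, `gitScheme`, `validateOld` and `effectiveProxy` are hypothetical names, the host names are constructed, and selecting the proxy per scheme is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GitSource is a hypothetical stand-in for a buildconfig's git source plus proxy values.
type GitSource struct{ URI, HTTPProxy, HTTPSProxy string }

// Error text as quoted in the bug description.
var errProxy = errors.New("only http:// and https:// GIT protocols are allowed with HTTP or HTTPS proxy set")

// gitScheme returns the transport of a git URI; scp-style [user@]host:path counts as ssh.
func gitScheme(uri string) string {
	if u, err := url.Parse(uri); err == nil && u.Scheme != "" && strings.Contains(uri, "://") {
		return strings.ToLower(u.Scheme)
	}
	if i := strings.Index(uri, ":"); i > 0 && !strings.Contains(uri[:i], "/") {
		return "ssh"
	}
	return "file"
}

// validateOld models the reported rule: a proxy value plus a non-http(s) URI is rejected.
func validateOld(s GitSource) error {
	sch := gitScheme(s.URI)
	if (s.HTTPProxy != "" || s.HTTPSProxy != "") && sch != "http" && sch != "https" {
		return errProxy
	}
	return nil
}

// effectiveProxy models the fix: nothing is rejected, and a proxy is only
// applied to http(s) fetches (per-scheme selection is an assumption).
func effectiveProxy(s GitSource) string {
	return map[string]string{"http": s.HTTPProxy, "https": s.HTTPSProxy}[gitScheme(s.URI)]
}

func main() { // constructed sample values
	p := "http://proxy.example:3128"
	for _, uri := range []string{"ssh://git@git.internal.example/team/app.git", "git@git.internal.example:team/app.git", "https://git.example.com/org/app.git"} {
		s := GitSource{uri, p, p}
		fmt.Printf("%-45s old=%v proxy=%q\n", uri, validateOld(s), effectiveProxy(s))
	}
}
```

With the old rule both SSH forms fail validation as soon as a cluster-wide proxy is set; with the fixed behaviour they pass and the proxy value is simply not applied to them.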

Comment 12 Wenjing Zheng 2017-01-22 07:38:06 UTC
Verified with the version below; a git repo can be used when the http/s proxy is set:
openshift v3.4.1.0
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

Comment 14 errata-xmlrpc 2017-01-31 20:18:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0218