Bug 1527210

Summary: Installer does not configure Kubernetes service IP for no_proxy for the docker-registry.
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: Installer
Assignee: Fabian von Feilitzsch <fabian>
Status: CLOSED ERRATA
QA Contact: Gan Huang <ghuang>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.6.0
CC: aos-bugs, dmoessne, dyan, fshaikh, ghuang, jokerman, mmccomas, tkimura
Target Milestone: ---
Target Release: 3.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
  Cause: Kubernetes service IP was not added to no_proxy list for the docker-registry.
  Consequence: Internal registry requests would be forced to use the proxy, preventing logins and pushes to the internal registry.
  Fix: Added the kubernetes service IP to the no_proxy list.
  Result: The internal registry requests are no longer proxied, and logins and pushes to the internal registry succeed as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-28 14:15:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1511870

Description Ryan Howe 2017-12-18 20:13:40 UTC
Description of problem:

After an install of the cluster, the deployed registry in 3.6 gets proxy variables set on the deployment configuration. The registry uses the kubernetes service IP to authenticate users logging into the registry. This IP address does not get set, resulting in logins and pushes failing with the installer-deployed registry.

How reproducible:
100% 


Steps to Reproduce:
1. Install a cluster setting hosted registry vars and proxy vars in the hosts file
 openshift_http_proxy='https://testproxy.com'
 openshift_https_proxy='https://testproxy.com'
 openshift_no_proxy='.hosts.example.com,some-host.com'


Actual results:
    spec:
      containers:
      - env:
        - name: HTTPS_PROXY
          value: https://testproxy.com
        - name: HTTP_PROXY
          value: https://testproxy.com
        - name: NO_PROXY
          value: .cluster.local,.svc,docker-registry,docker-registry.svc,docker-registry.svc.cluster.local,<MASTERURLS>,<MASTERIP_ADDRESSES>,.hosts.example.com,some-host.com



docker login -u test -p `oc whoami -t`  docker-registry.default.svc:5000
Error response from daemon: Get https://docker-registry.default.svc:5000/v2/: unauthorized: authentication required


time="2017-12-18T19:52:23.556930453Z" level=debug msg="invalid token: Get https://172.30.0.1:443/oapi/v1/users/~: malformed HTTP response \"\\x15\\x03\\x01\\x00\\x02\\x02\\x16\"" go.version=go1.7.6 http.request.host="docker-registry.default.svc:5000" http.request.id=f6c021d6-a4e0-468e-8a04-20ac2ca2eb13 http.request.method=GET http.request.remoteaddr="10.129.0.1:48390" http.request.uri="/openshift/token?account=quicklab&client_id=docker&offline_token=true" http.request.useragent="docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.12.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.6 \\(linux\\))" instance.id=1a30097d-7820-40f4-9765-0afc1dbdda43 openshift.logger=registry 



Expected results:

The registry gets the service IP for the kubernetes service, and all internal registry requests do not use the configured proxy.

Example: 
           value: .cluster.local,.svc,docker-registry,docker-registry.svc,docker-registry.svc.cluster.local,<MASTERURLS>,<MASTERIP_ADDRESSES>,.hosts.example.com,some-host.com,172.30.0.1 

Additional info:

https://github.com/openshift/openshift-ansible/commit/2960dd82cb2d9644f09957a0108ba3f817bd8b8c#diff-1fc9cdb7519394fff35b7aa41bfef936

https://github.com/openshift/openshift-ansible/blob/release-3.6/roles/openshift_hosted/tasks/registry/registry.yml#L64-L70
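
An added example, not part of the original report or of openshift-ansible: a Python check that tells whether a registry NO_PROXY value exempts the Kubernetes service IP from the proxy, run against the before and after values shown in this report. The matching rules are a simplified assumption rather than the registry's exact logic, and the service network 172.30.0.0/16 is assumed from the 172.30.0.1 address in the log.

```python
import ipaddress
from urllib.parse import urlsplit

# NO_PROXY values copied from this report (placeholders kept as written).
BEFORE = (".cluster.local,.svc,docker-registry,docker-registry.svc,"
          "docker-registry.svc.cluster.local,<MASTERURLS>,<MASTERIP_ADDRESSES>,"
          ".hosts.example.com,some-host.com")
AFTER = BEFORE + ",172.30.0.1"


def kube_service_ip(service_cidr):
    """First address of the service network, used by the `kubernetes` service."""
    return str(ipaddress.ip_network(service_cidr)[1])


def bypasses_proxy(url, no_proxy):
    """True if the URL's host matches a NO_PROXY entry (simplified rules:
    exact host or IP, domain suffix, CIDR range, or the `*` wildcard)."""
    host = urlsplit(url).hostname.lower()
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*" or entry == host:
            return True
        if host_ip is not None:
            # IP literals only match exactly or by CIDR, never by suffix.
            try:
                if "/" in entry and host_ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a hostname or an unfilled placeholder
            continue
        if host.endswith("." + entry.lstrip(".")):
            return True
    return False


if __name__ == "__main__":
    # Assumed service network; the token check URL is the one in the registry log.
    api = "https://%s:443/oapi/v1/users/~" % kube_service_ip("172.30.0.0/16")
    for label, value in (("before fix", BEFORE), ("after fix", AFTER)):
        verdict = "direct" if bypasses_proxy(api, value) else "sent via proxy"
        print("%s: %s -> %s" % (label, api, verdict))
```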

Comment 2 Scott Dodson 2018-01-25 15:05:31 UTC
*** Bug 1535783 has been marked as a duplicate of this bug. ***

Comment 3 Scott Dodson 2018-01-25 15:06:26 UTC
https://github.com/openshift/openshift-ansible/pull/6215 proposed fix

Comment 5 Gan Huang 2018-02-01 08:31:47 UTC
Verified in openshift-ansible-3.9.0-0.34.0.git.0.c7d9585.el7.noarch.rpm

172.30.0.1 is added to docker-registry NO_PROXY env variable successfully.

And S2I build succeeded.

Comment 6 Scott Dodson 2018-02-07 13:33:04 UTC
*** Bug 1540404 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2018-03-28 14:15:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489