Bug 1648973

Summary: missed oauth_proxy environment variable
Product: OpenShift Container Platform Reporter: Pedro Amoedo <pamoedom>
Component: apiserver-authAssignee: Matt Rogers <mrogers>
Status: CLOSED CURRENTRELEASE QA Contact: Anping Li <anli>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.11.0CC: anli, aos-bugs, mrogers, nagrawal, pamoedom, rmeggins, scheng, vlaad
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-17 14:16:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
kiban failed none

Description Pedro Amoedo 2018-11-12 15:54:58 UTC 
Description of problem:

Kibana dashboard is not reachable after upgrading to 3.11 in which seems to be an http/s proxy handling issue.

Version-Release number of selected component (if applicable):

deployment_type=openshift-enterprise
openshift_deployment_type=openshift-enterprise
openshift_release=v3.11
openshift_pkg_version=-3.11.16
openshift_image_tag=v3.11.16

How reproducible:

After upgrading to OCP 3.11, access URL keep looping back to auth portal (AWS env with proxy in the middle to allow external connections).

Steps to Reproduce:
1.
AWS + OCP3.11
2.
openshift_logging
3.
squid proxy

Actual results:

504 Gateway Time-out

Expected results:

Successful login

Additional info:

https://github.com/openshift/oauth-proxy/issues/71
https://github.com/openshift/oauth-proxy/pull/96
Comment 1 Matt Rogers 2018-11-12 20:06:39 UTC 
You linked:
https://github.com/openshift/oauth-proxy/issues/71
https://github.com/openshift/oauth-proxy/pull/96

Have you've determined that the PR fixes your issue, or it just looks like a similar problem? From your description that is not clear. Please provide some more detailed steps to reproduce along with oauth-proxy logs and configs.
Comment 3 Pedro Amoedo 2018-11-27 08:25:54 UTC 
I'm reasigning this bugzilla to Auth group as per latest comment from Engineering in https://github.com/openshift/oauth-proxy/pull/96

@Sig-Auth team, can you please review that PR?

Thanks in advance.
Comment 4 Matt Rogers 2018-11-27 14:31:44 UTC 
I requested a change to the patch, once that is updated I'll merge it.
Comment 5 Pedro Amoedo 2018-12-17 11:44:07 UTC 
(In reply to Matt Rogers from comment #4)
> I requested a change to the patch, once that is updated I'll merge it.

Hi Matt, I've seen also the update in the pull request but the customer has told me that he is unable to modify the code as requested and is asking for your help on that.

My apologies, I would do it myself but I don't have the full picture nor the knowledge on this code.

Thanks in advance.
Comment 6 Pedro Amoedo 2019-01-22 11:19:16 UTC 
Hi all, any update here?
Comment 7 Matt Rogers 2019-01-22 19:48:45 UTC 
Sorry about the delay, I asked Pat in the PR if he would like me to push the fix through in a different PR if he has not had the time to get back to it. (I asked him to just rename the function he was modifying)
Comment 8 Pedro Amoedo 2019-01-23 08:59:56 UTC 
(In reply to Matt Rogers from comment #7)
> Sorry about the delay, I asked Pat in the PR if he would like me to push the
> fix through in a different PR if he has not had the time to get back to it.
> (I asked him to just rename the function he was modifying)

AFAIK, he tried to do the first requested modification of setting the transport proxy outside of setCA() but no success and the automated tests failed as you can see in the PR, so back in Dec he asked for your help on that part via the case.

Is this something you can easily solve on his behalf or does it need to be modified directly by him?

Thanks in advance.
Comment 9 Matt Rogers 2019-01-23 14:58:20 UTC 
(In reply to Pedro Amoedo from comment #8)
> (In reply to Matt Rogers from comment #7)
> > Sorry about the delay, I asked Pat in the PR if he would like me to push the
> > fix through in a different PR if he has not had the time to get back to it.
> > (I asked him to just rename the function he was modifying)
> 
> AFAIK, he tried to do the first requested modification of setting the
> transport proxy outside of setCA() but no success and the automated tests
> failed as you can see in the PR, so back in Dec he asked for your help on
> that part via the case.
> 
> Is this something you can easily solve on his behalf or does it need to be
> modified directly by him?
> 
> Thanks in advance.

We had discussed this previously in the PR, as a result of the issue he pointed out about my suggested change, I requested that he just rename the function so it's clear that the function is now doing more than only setting the CA. So it's just the function rename that I was waiting on him to do.
Comment 10 Pedro Amoedo 2019-01-23 15:30:35 UTC 
(In reply to Matt Rogers from comment #9)
> (In reply to Pedro Amoedo from comment #8)
> > (In reply to Matt Rogers from comment #7)
> > > Sorry about the delay, I asked Pat in the PR if he would like me to push the
> > > fix through in a different PR if he has not had the time to get back to it.
> > > (I asked him to just rename the function he was modifying)
> > 
> > AFAIK, he tried to do the first requested modification of setting the
> > transport proxy outside of setCA() but no success and the automated tests
> > failed as you can see in the PR, so back in Dec he asked for your help on
> > that part via the case.
> > 
> > Is this something you can easily solve on his behalf or does it need to be
> > modified directly by him?
> > 
> > Thanks in advance.
> 
> We had discussed this previously in the PR, as a result of the issue he
> pointed out about my suggested change, I requested that he just rename the
> function so it's clear that the function is now doing more than only setting
> the CA. So it's just the function rename that I was waiting on him to do.

ACK, I will update the case to see if he can push that or is waiting on another thing, thanks Matt.
Comment 11 Pedro Amoedo 2019-02-04 08:55:09 UTC 
(In reply to Pedro Amoedo from comment #10)
> (In reply to Matt Rogers from comment #9)
> > (In reply to Pedro Amoedo from comment #8)
> > > (In reply to Matt Rogers from comment #7)
> > > > Sorry about the delay, I asked Pat in the PR if he would like me to push the
> > > > fix through in a different PR if he has not had the time to get back to it.
> > > > (I asked him to just rename the function he was modifying)
> > > 
> > > AFAIK, he tried to do the first requested modification of setting the
> > > transport proxy outside of setCA() but no success and the automated tests
> > > failed as you can see in the PR, so back in Dec he asked for your help on
> > > that part via the case.
> > > 
> > > Is this something you can easily solve on his behalf or does it need to be
> > > modified directly by him?
> > > 
> > > Thanks in advance.
> > 
> > We had discussed this previously in the PR, as a result of the issue he
> > pointed out about my suggested change, I requested that he just rename the
> > function so it's clear that the function is now doing more than only setting
> > the CA. So it's just the function rename that I was waiting on him to do.
> 
> ACK, I will update the case to see if he can push that or is waiting on
> another thing, thanks Matt.

Hi again Matt, the customer has finally pushed the requested modification into the PR [1], please check it when you have a chance, thanks.

[1] - https://github.com/openshift/oauth-proxy/pull/96
Comment 16 Anping Li 2019-06-14 09:30:16 UTC 
Created attachment 1580630 [details]
kiban failed