Bug 1779502

Summary: [IPI on Azure] [proxy] - proxy installation does not work in a restricted network
Product: OpenShift Container Platform
Component: Installer
Installer sub component: openshift-installer
Reporter: Etienne Simard <esimard>
Assignee: Abhinav Dahiya <adahiya>
QA Contact: Etienne Simard <esimard>
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
CC: bbreard, dustymabe, esimard, imcleod, jialiu, jlebon, jligon, mgahagan, mifiedle, nstielau, sdodson, smilner, walters
Version: 4.3.0
Keywords: TestBlocker
Target Milestone: ---
Flags: esimard: needinfo-, mgahagan: needinfo-, esimard: needinfo+
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-05-04 11:18:30 UTC
Type: Bug

Comment 2 Scott Dodson 2019-12-04 18:15:38 UTC
Requesting serial console output from azure instances to further debug.

Comment 20 Scott Dodson 2020-02-13 17:51:16 UTC
The AWS jobs assume access to S3 storage without proxy use, we'll need to be able to assume the same access to Azure blob storage in these Azure tests as well.

Comment 21 Etienne Simard 2020-02-13 19:44:51 UTC
(In reply to Scott Dodson from comment #20)
> The AWS jobs assume access to S3 storage without proxy use, we'll need to be
> able to assume the same access to Azure blob storage in these Azure tests as
> well.

Hello Scott, do you have a link in the docs or elsewhere that explains that assumption? Should it be included in that list: https://docs.openshift.com/container-platform/4.3/installing/install_config/configuring-firewall.html?

This test was done with the assumption that we wanted to be in a completely internet-disconnected network, only allowing outgoing connections through the proxy. Client environments could have similar requirements.

Should an installation work with only the whitelist of the Azure blob storage (*.blob.core.windows.net) + proxy?

Comment 23 Etienne Simard 2020-02-17 18:44:07 UTC
I confirm that I was able to create a cluster with the proxy by adding a whitelist towards Azure public IPs.

Verified with:

DEBUG OpenShift Installer v4.3.1
DEBUG Built from commit 2055609f95b19322ee6cfdd0bea73399297c4a3e

Firewall rules added:

NSG with egress access enabled towards Azure Service Tag "AzureCloud" (https://www.microsoft.com/en-us/download/details.aspx?id=56519)
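
An added example, not part of the bug report or of the installer: one way to check which destination IPs an egress rule scoped to the "AzureCloud" service tag would cover, by parsing the Service Tags JSON file from the download linked above. It assumes the file's `values[].name` and `properties.addressPrefixes` layout; the embedded document and destinations are constructed samples using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON file.
# Prefixes are documentation ranges (RFC 5737 / RFC 3849), not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "AzureCloud", "id": "AzureCloud",
     "properties": {"addressPrefixes": [
       "198.51.100.0/24", "203.0.113.0/25", "2001:db8:100::/48"]}}
  ]
}
""")

# Constructed destination IPs, standing in for addresses seen in egress traffic.
SAMPLE_DESTINATIONS = ["198.51.100.20", "203.0.113.200", "192.0.2.10", "2001:db8:100::5"]


def load_prefixes(doc, tag_name):
    """Return the parsed networks of one service tag; KeyError if it is absent."""
    for entry in doc.get("values", []):
        if entry.get("name") == tag_name:
            prefixes = entry["properties"]["addressPrefixes"]
            return [ipaddress.ip_network(p, strict=False) for p in prefixes]
    raise KeyError(f"service tag {tag_name!r} not found")


def classify_destinations(doc, tag_name, destinations):
    """Split destination IPs into (covered, not_covered) by the tag's prefixes."""
    nets = load_prefixes(doc, tag_name)
    covered, not_covered = [], []
    for dest in destinations:
        addr = ipaddress.ip_address(dest)
        # Compare only against prefixes of the same IP version.
        hit = any(addr in n for n in nets if n.version == addr.version)
        (covered if hit else not_covered).append(dest)
    return covered, not_covered


if __name__ == "__main__":
    ok, rest = classify_destinations(SAMPLE_SERVICE_TAGS, "AzureCloud", SAMPLE_DESTINATIONS)
    print("allowed directly by the AzureCloud egress rule:", ok)
    print("must go through the proxy or be denied:", rest)
```

Destinations in the second list are the ones that, in a restricted network with only this rule, can leave only through the proxy.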

Comment 27 errata-xmlrpc 2020-05-04 11:18:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581