Bug 1798609

Summary: Report a metric about proxy enablement on the cluster and via telemetry
Product: OpenShift Container Platform Reporter: Clayton Coleman <ccoleman>
Component: kube-apiserverAssignee: Clayton Coleman <ccoleman>
Status: CLOSED ERRATA QA Contact: Ke Wang <kewang>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.4CC: aos-bugs, mfojtik, xxia
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-13 21:56:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Clayton Coleman 2020-02-05 16:17:48 UTC
Proxy enablement is a key indicator of a class of environments and problems, and should be easily understandable from a cluster.

Add to kube-apiserver-operator like cluster_infrastructure_provider and feature set (since these are the heart of the system and already leverage the config).  Report whether the proxy is enabled for http, https, and whether it has a CA.

Comment 2 Xingxing Xia 2020-02-12 01:23:27 UTC
> ... cluster_infrastructure_provider and feature set (since these are the heart of the system and already leverage the config)
Related bug 1766518 and bug 1731232 for reference
> Report whether the proxy is enabled for http, https, and whether it has a CA
This bug's purpose to verify

Comment 3 Ke Wang 2020-02-18 06:27:00 UTC
Verified with 4.4.0-0.nightly-2020-02-17-231058.
1. Enabled the cluster http/https proxy server and trustedCA.
a) Create a file called user-ca-bundle.yaml with the following contents, and provide the values of your PEM-encoded certificates:

apiVersion: v1
data:
  ca-bundle.crt: | 
    <MY_PEM_ENCODED_CERTS> 
kind: ConfigMap
metadata:
  name: user-ca-bundle 
  namespace: openshift-config


b) Create the ConfigMap from this file:

$ oc create -f user-ca-bundle.yaml

c) oc edit proxy/cluster # Configure the necessary fields for the proxy:

apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  httpProxy: http://<username>:<pswd>@<ip>:<port> 
  httpsProxy: http://<username>:<pswd>@<ip>:<port> 
  noProxy: example.com 
  trustedCA:
    name: user-ca-bundle 

2. 
$ TK=`oc sa get-token cluster-monitoring-operator -n openshift-monitoring`
# pod_name=$(oc -n openshift-apiserver-operator get pods -o name | cut -d/ -f2)
# op_endp=$(oc get ep -n openshift-kube-apiserver-operator | grep 8443 | awk '{print $2}')
# o  -n openshift-apiserver-operator exec -it $pod_name -- curl -k -H "Authorization: Bearer $TK" https://$op_endp/metrics > metrics

$ grep cluster_proxy  metrics 
# HELP cluster_proxy_enabled Reports whether the cluster has been configured to use a proxy. type is which type of proxy configuration has been set - http for an http proxy, https for an https proxy, and trusted_ca if a custom CA was specified.
# TYPE cluster_proxy_enabled gauge
cluster_proxy_enabled{type="http"} 1
cluster_proxy_enabled{type="https"} 1
cluster_proxy_enabled{type="trusted_ca"} 1

We can see the cluster_proxy_enabled Reports whether the cluster has been configured to use a proxy in metrics.

Comment 5 errata-xmlrpc 2020-05-13 21:56:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581