Bug 1873649
| Summary: | proxy.config.openshift.io should validate user inputs | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Eric Rich <erich> |
| Component: | Installer | Assignee: | Aditya Narayanaswamy <anarayan> |
| Installer sub component: | openshift-installer | QA Contact: | Yang Yang <yanyang> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | medium | ||
| Priority: | low | CC: | adahiya, anarayan, aos-bugs, bleanhar, ddelcian, jmalde, mfojtik, mstaeble, nstielau, padillon, slaznick, sttts, wking, yanyang |
| Version: | 4.5 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Since proxy values were user input and no validation checks were done, parts of the installer will fail after a long time.
Added in a validation check to see if the HTTPProxy and the HTTPSProxy were proper URLs and sending out error messages if they were not in order to reduce debugging time for the user and for them to better understand what exactly went wrong in their input.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-27 22:32:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1954595, 1979988 | ||
|
Description
Eric Rich
2020-08-28 21:15:00 UTC
We should also check that these seeings don't overlap with other network settings like the service network. I have started https://gist.github.com/sttts/3d858df53a5787d6b5304461d552e8dd to add ratcheting update validation. But I noticed that https://github.com/openshift/cluster-network-operator/blob/fbd5c13cd16478fb9076a4ee771f1f42b03af087/pkg/controller/proxyconfig/validation.go already has validation code. Please move that to library-go and reuse it on kube-apiserver admission (as seen in my gist). Assigning to Dane to take an initial look. We will work on this asap, but moving to 4.7.0 to mark it is not blocker for 4.6 Reproducing it from installer QE side: # openshift-install version openshift-install 4.7.0-0.nightly-2021-01-14-211319 built from commit b3dae7f4736bcd1dbf5a1e0ddafa826ee1738d81 release image registry.ci.openshift.org/ocp/release@sha256:4c4e4e15e7c9cb334c8e1fc49cbf92ce6d620ff5fa2538ea578c53a48fe15b98 1. Specify invalid proxy value to install-config.yaml proxy: httpProxy: proxy-user1:xxxxx@QE_PROXY_PLACEHOLDER:3128 httpsProxy: proxy-user1:xxxxx@QE_PROXY_PLACEHOLDER:3128 noProxy: test.no-proxy.com, localhost 2. Create manifests # openshift-install create manifests --dir bz INFO Credentials loaded from file "/root/.gcp/osServiceAccount.json" INFO Consuming Install Config from target directory INFO Manifests created in: bz/manifests and bz/openshift Manifests are created successfully and no error prompts. *** Bug 1914305 has been marked as a duplicate of this bug. *** We closed https://bugzilla.redhat.com/show_bug.cgi?id=1914305 as a duplicate of this bug, so we need to make sure we fix that problem in this bug. Currently we are trimming spaces in noProxy, but instead of changing that user input, we should just validate and reject it if there are spaces. Leave it to the users to fix. Verifying it with 4.8.0-0.nightly-2021-02-18-054727 # openshift-install version openshift-install 4.8.0-0.nightly-2021-02-18-054727 built from commit 2b8f47bc6081de310ad05995c6e4f91479b0eae9 release image registry.ci.openshift.org/ocp/release@sha256:e39c426927b3529f73e323f725364055f5462e57f7087ad1d34aac12a31de36b 1. Specify invalid proxy setting in install-config.yaml 18 proxy: 19 httpProxy: user:password.0.1:3128 (httpProxy does not have scheme) 20 httpsProxy: ftp://user:password@127.0.0.1:3128 (httpsProxy uses ftp as scheme) 21 noProxy: test.no-proxy.com, localhost (noProxy has space) # openshift-install create manifests --dir bz FATAL failed to fetch Master Machines: failed to load asset "Install Config": invalid "install-config.yaml" file: [proxy.httpProxy: Unsupported value: "user": supported values: "http", proxy.httpsProxy: Unsupported value: "ftp": supported values: "http", "https", proxy.noProxy: Invalid value: "test.no-proxy.com, localhost": noProxy must not have spaces] The follow-on work to validate that the proxy is not within the cluster or service network is in https://issues.redhat.com/browse/CORS-1642. Verifying it with 4.8.0-0.nightly-2021-02-18-054727 # openshift-install version openshift-install 4.8.0-0.nightly-2021-02-18-054727 built from commit 2b8f47bc6081de310ad05995c6e4f91479b0eae9 release image registry.ci.openshift.org/ocp/release@sha256:e39c426927b3529f73e323f725364055f5462e57f7087ad1d34aac12a31de36b Test invalid noProxy domain 18 proxy: 19 httpProxy: http://user:password@127.0.0.1:3128 20 httpsProxy: https://user:password@127.0.0.1:3128 21 noProxy: ABC.com,10.0.2.1/280 # openshift-install create manifests --dir bz FATAL failed to fetch Master Machines: failed to load asset "Install Config": invalid "install-config.yaml" file: [proxy.noProxy: Invalid value: "ABC.com,10.0.2.1/280": each element of noProxy must be a CIDR or domain without wildcard characters, which is violated by element 0 "ABC.com", proxy.noProxy: Invalid value: "ABC.com,10.0.2.1/280": each element of noProxy must be a CIDR or domain without wildcard characters, which is violated by element 1 "10.0.2.1/280"] Based on comment#23 and #28, moving it to verified state. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |