Bug 1896704

Summary: Machine API components should honour cluster wide proxy settings
Product: OpenShift Container Platform Reporter: Joel Speed <jspeed>
Component: Cloud ComputeAssignee: Joel Speed <jspeed>
Cloud Compute sub component: Other Providers QA Contact: Milind Yadav <miyadav>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: jspeed, miyadav, rsandu, zhsun
Version: 4.6   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Machine API now honours cluster wide proxy settings. When a ClusterWideProxy is configured, all Machine API components will route traffic via the configured proxy.
 Story Points: ---
Clone Of:
: 1896705 1930150 (view as bug list) Environment:
Last Closed: 2021-02-24 15:32:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1896705, 1930150    

Description Joel Speed 2020-11-11 10:43:36 UTC 
Description of problem:

In all environments that leverage the Machine API, components in the machine-api-controllers pod contact external cloud provider APIs.

When a customer has configured a cluster-wide-proxy, they expect all traffic leaving a cluster to route via the configured proxy.

Machine API components currently ignore this setting and route traffic directly to the cloud provider APIs regardless of any configured cluster-wide-proxy.

This means that customers have to make exceptions in their networking configuration and in their security practices to allow Machine API to work in a disconnected/restricted network environment.

Machine API should honour the cluster-wide-proxy settings as all other components within OCP 4 do.


Version-Release number of selected component (if applicable):

All (in particular we want this fixed in 4.6 and 4.7)


How reproducible:

100%

Steps to Reproduce:
1. Create an OCP cluster
2. Create a cluster-wide-proxy 
3. Restrict egress traffic so that only the proxy is allowed egress

Actual results:

Machine API will now be broken as it cannot reach the cloud provider API

Expected results:

Machine API should send traffic to the cloud provider via the proxy

Additional info:
Comment 1 Joel Speed 2020-11-12 12:26:41 UTC 
We are making progress on this bug, but still need to work some concerns out with the oVirt provider maintainers. This should merge sometime during the next sprint
Comment 3 Milind Yadav 2020-11-23 04:17:21 UTC 
Validating again to , as there is some more config changes needed to confirm this , moving back to ON_QA
Comment 4 Milind Yadav 2020-11-24 12:34:44 UTC 
Validated again as earlier I validated on installers which were earlier designed to handle inability of mapi to run on proxy ..

Reran again , machinesets scaled up and down successfully without the earlier workarounds (which were necessary as per the product doc , since mapi didnt supported proxy)

moving to VERIFIED .

Additional info:
Installation team helped out on this config ..
Comment 7 errata-xmlrpc 2021-02-24 15:32:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633