Bug 1896705

Summary: Machine API components should honour cluster wide proxy settings
Product: OpenShift Container Platform
Reporter: Joel Speed <jspeed>
Component: Cloud Compute
Assignee: Joel Speed <jspeed>
Cloud Compute sub component: Other Providers
QA Contact: Milind Yadav <miyadav>
Status: CLOSED ERRATA
Docs Contact:
Severity: high
Priority: unspecified
CC: jspeed, oarribas, rsandu, zhsun
Version: 4.6
Target Milestone: ---
Target Release: 4.6.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1896704
Environment:
Last Closed: 2020-11-30 16:46:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1896704, 1930150
Bug Blocks:

Description Joel Speed 2020-11-11 10:47:58 UTC
+++ This bug was initially created as a clone of Bug #1896704 +++

Description of problem:

In all environments that leverage the Machine API, components in the machine-api-controllers pod contact external cloud provider APIs.

When a customer has configured a cluster-wide-proxy, they expect all traffic leaving a cluster to route via the configured proxy.

Machine API components currently ignore this setting and route traffic directly to the cloud provider APIs regardless of any configured cluster-wide-proxy.

This means that customers have to make exceptions in their networking configuration and in their security practices to allow Machine API to work in a disconnected/restricted network environment.

Machine API should honour the cluster-wide-proxy settings as all other components within OCP 4 do.


Version-Release number of selected component (if applicable):

All (in particular we want this fixed in 4.6 and 4.7)


How reproducible:

100%

Steps to Reproduce:
1. Create an OCP cluster
2. Create a cluster-wide-proxy 
3. Restrict egress traffic so that only the proxy is allowed egress

Actual results:

Machine API will now be broken as it cannot reach the cloud provider API

Expected results:

Machine API should send traffic to the cloud provider via the proxy

Additional info:

Comment 1 Joel Speed 2020-11-13 11:46:40 UTC
This is blocked on the PR being merged into the 4.7 branch and then being verified; hopefully we will be able to get that done by the end of next sprint.

Comment 4 Milind Yadav 2020-11-25 09:18:37 UTC
Validated on 4.6.0-0.nightly-2020-11-22-160856

This can be easily validated by a successful installation using the new templates, which remove the ways that were used earlier for machine-api to work in a proxy env.

Successfully validated, with the proxy installations below succeeding:

https://mastern-jenkins-csb-openshift-qe.cloud.paas.psi.redhat.com/job/Launch%20Environment%20Flexy/124171/console - azure

https://mastern-jenkins-csb-openshift-qe.cloud.paas.psi.redhat.com/job/Launch%20Environment%20Flexy/124176/console - gcp

https://mastern-jenkins-csb-openshift-qe.cloud.paas.psi.redhat.com/job/Launch%20Environment%20Flexy/124047/console - AWS

Additional info:
Moved to VERIFIED

Comment 7 errata-xmlrpc 2020-11-30 16:46:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.6 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5115
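
The behaviour in the bug description, as an added illustration that is not code from this bug report or from the Machine API project: a Go HTTP transport that ignores proxy settings sends cloud API traffic direct, while one that honours them routes it via the proxy and still bypasses it for `NO_PROXY` hosts. It assumes the cluster-wide proxy reaches the pod as the standard `HTTPS_PROXY`/`NO_PROXY` environment variables; the host names, proxy address and function names are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// Constructed sample values; none of them come from the bug report.
const (
	proxyURL     = "http://proxy.example.internal:3128"
	noProxy      = ".cluster.local"
	cloudAPI     = "https://cloud-api.example.com/"
	inClusterAPI = "https://kubernetes.default.svc.cluster.local/"
)

// setConstructedProxyEnv mimics proxy variables injected into a pod (assumption).
// It must run before the first proxy lookup: net/http reads them only once.
func setConstructedProxyEnv() {
	os.Setenv("HTTPS_PROXY", proxyURL)
	os.Setenv("NO_PROXY", noProxy)
}

// ignoringTransport has Proxy == nil, so every request leaves the pod directly.
func ignoringTransport() *http.Transport { return &http.Transport{} }

// honouringTransport resolves the proxy from HTTPS_PROXY / NO_PROXY per request.
func honouringTransport() *http.Transport {
	return &http.Transport{Proxy: http.ProxyFromEnvironment}
}

// egressRoute reports where tr would send a request for target; no network I/O.
func egressRoute(tr *http.Transport, target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	if tr.Proxy == nil {
		return "direct", nil
	}
	u, err := tr.Proxy(req)
	if err != nil || u == nil {
		return "direct", err
	}
	return "via " + u.String(), nil
}

func main() {
	setConstructedProxyEnv()
	for _, target := range []string{cloudAPI, inClusterAPI} {
		a, _ := egressRoute(ignoringTransport(), target)
		b, _ := egressRoute(honouringTransport(), target)
		fmt.Printf("%-50s ignoring=%s honouring=%s\n", target, a, b)
	}
}
```

With egress restricted to the proxy, as in the reproduction steps, only the requests reported as going via the proxy would succeed for the cloud API host.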