Bug 2003657

Summary: (release-4.10) Cluster-wide proxy settings not picked up by insights operator.
Product: OpenShift Container Platform Reporter: Tomas Remes <tremes>
Component: Insights OperatorAssignee: Tomas Remes <tremes>
Status: CLOSED NOTABUG QA Contact: Dmitry Misharov <dmisharo>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.10CC: aos-bugs, dmisharo, harsharm, inecas, mklika, tremes
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1995937 Environment:
Last Closed: 2021-10-05 07:24:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1995937    
Bug Blocks:    

Description Tomas Remes 2021-09-13 11:59:03 UTC 
+++ This bug was initially created as a clone of Bug #1995937 +++

Description of problem:

Insights operator is in the state DEGRADED when there is a cluster-wide proxy configured. The below error messages can be seen in the pod logs.

~~~
The operator has some internal errors: Unable to report: unable to build request to connect to Insights server: Post "https://cloud.redhat.com/api/ingress/v1/upload": x509: certificate signed by unknown authority
~~~

Version-Release number of selected component (if applicable):
OCP 4.6

Actual results:
The insights operator becomes degraded.

Expected results:
Insights Operator to take the cluster-wide proxy CA into consideration.

Additional info:

When we make the Operator aware about the CA, by updating the CA explicitly, and then try curl --cacert /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt https://cloud.redhat.com from the Insights Operator pod it works. The insights operator also comes out of degraded state.

--- Additional comment from Tomas Remes on 2021-08-20 10:45:23 UTC ---

The Insights Operator uploads an archive to the ingress service url (mentioned above) and if the upload fails more than 5 times in a row then the operator is marked as degraded. Insights Operator doesn't ignore cluster-wide proxy settings. The settings is "injected" into the Insights Operator container via environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY). Probably the insights-operator is not adding the trustedCA (defined in the cluster proxy) to the root CAs when doing the request. This needs to be investigated and possibly fixed!

--- Additional comment from Tomas Remes on 2021-08-23 14:02:21 UTC ---

Sorry for the possibly recurring question, but can you @harsharm please confirm that this is basically a request to read and respect the CA (defined via "trustedCA" in cluster-wide proxy) in the Insights Operator? Maybe it would be also good to mention some workaround (if any).

--- Additional comment from  on 2021-08-24 09:56:09 UTC ---

Yes that is correct, when we make the Operator aware about the CA, by updating the CA explicitly, and then try curl --cacert /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt https://cloud.redhat.com from the Insights Operator pod it works. The insights operator also comes out of degraded state.
Comment 2 Dmitry Misharov 2021-10-05 07:24:35 UTC 
Closed because it's not a bug https://bugzilla.redhat.com/show_bug.cgi?id=1995937#c4