Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2009629

Summary: Allow adding additionalTrustBundle to proxy without specifying proxy settings during installation
Product: OpenShift Container Platform
Reporter: Swapnil Dalela <sdalela>
Component: Installer
Assignee: aos-install
Installer sub component: openshift-installer
QA Contact: Gaoyun Pei <gpei>
Status: CLOSED NOTABUG
Severity: low
Priority: unspecified
CC: mstaeble, sdodson, wking
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2021-10-05 17:40:16 UTC
Type: Bug

Description Swapnil Dalela 2021-10-01 05:39:53 UTC
Version:

4.9.0-rc.4 and earlier

What happened?

In proxy config, 'trustedCA' is not set when additional trust bundles are provided and proxy settings are not configured during installation. This causes issues when the cluster is using a transparent proxy which requires additional trust bundles to send requests outside the cluster.

The installation completes successfully and user-ca-bundle is created but the proxy object is never updated.

What did you expect to happen?

trustedCA parameter in proxy should be updated even if no proxy settings are applied.

How to reproduce it (as minimally and precisely as possible)?

In install-config.yaml just provide additionalTrustBundle without any proxy settings.

Anything else we need to know?

Opened bug in accordance with the conversation in Slack.

Comment 2 W. Trevor King 2021-10-01 23:06:58 UTC
(In reply to Swapnil Dalela from comment #0)
> trustedCA parameter in proxy should be updated even if no proxy settings are
> applied.
> 
> How to reproduce it (as minimally and precisely as possible)?
> 
> In install-config.yaml just provide additionalTrustBundle without any proxy
> settings.

I don't think this is quite right, see bug 1771564 and bug 2006013 asking folks to set something in the install-config proxy if they want additionalTrustBundle linked up to the Proxy's trustedCA.  The network operator is consuming trustedCA even when none of the other Proxy settings are set [1].  And the whole additionalTrustBundle vs. proxy thing has a long, sticky history [2,3,4,5].  One possible out for transparent proxies would be to set .proxy.noProxy (e.g. to '*', which is valid [6]), but not http(s)Proxy, in their install-config.  But to have that work, we'd need to drop the old installer validation in [7].

[1]: https://github.com/openshift/cluster-network-operator/blob/8586629d5a6eeb0961b6162718fee5fc5acb55bb/pkg/controller/proxyconfig/controller.go#L145-L148
[2]: https://github.com/openshift/installer/pull/2658#issuecomment-554517800
[3]: https://github.com/openshift/enhancements/pull/115#issuecomment-580966164
[4]: https://github.com/openshift/installer/pull/4082#issuecomment-678406894
[5]: https://github.com/openshift/installer/pull/5251#issuecomment-932622321
[6]: https://github.com/openshift/cluster-network-operator/blob/8586629d5a6eeb0961b6162718fee5fc5acb55bb/pkg/controller/proxyconfig/validation.go#L64
[7]: https://github.com/openshift/installer/blob/40373d2fbebcb79117b7fcf1bd92d6252630fdbe/pkg/types/validation/installconfig.go#L492-L494

Comment 4 Matthew Staebler 2021-10-05 17:40:16 UTC
This is working as it is intended to work. If you would like to discuss alternative approaches to additional trust bundle, then this should be an RFE instead of a BZ.

Comment 5 W. Trevor King 2021-10-05 20:31:34 UTC
Moved to https://issues.redhat.com/browse/RFE-2181
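
The behaviour discussed in comments 0 and 2, as an added example that is not part of the original bug or the installer's code: a pre-install lint that classifies an install-config.yaml by whether additionalTrustBundle will be linked to the Proxy's trustedCA, following what this thread describes for 4.9. The function names, status strings and sample configs are constructed for illustration, and the scanner is a minimal stand-in for a real YAML parser.

```python
import re

PROXY_KEYS = {"httpProxy", "httpsProxy", "noProxy"}

def top_level_fields(text):
    """Minimal indentation scanner (not a full YAML parser): maps each top-level
    key to the set of directly nested keys that carry a non-empty value."""
    fields, current, child_indent = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^( *)([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m:
            continue  # comments, blank lines, block-scalar (PEM) content
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            current, child_indent = key, None
            fields[key] = set()
        elif current is not None:
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent and value not in ("", '""', "''"):
                fields[current].add(key)
    return fields

def trust_bundle_status(text):
    """Classify an install-config according to the behaviour described in this bug."""
    fields = top_level_fields(text)
    if "additionalTrustBundle" not in fields:
        return "no-bundle"
    proxy = fields.get("proxy", set()) & PROXY_KEYS
    if not proxy:
        # Comment 0: user-ca-bundle is created, but the Proxy's trustedCA stays unset.
        return "bundle-not-linked"
    if proxy == {"noProxy"}:
        # Comment 2: the suggested workaround, currently blocked by installer validation [7].
        return "noproxy-only"
    return "bundle-linked"

# Constructed sample configs; the certificate body is a placeholder.
BUNDLE_ONLY = """apiVersion: v1
baseDomain: example.com
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  <constructed placeholder, not a real certificate>
  -----END CERTIFICATE-----
"""
WITH_PROXY = BUNDLE_ONLY + "proxy:\n  httpsProxy: http://proxy.example.com:3128\n"
NOPROXY_ONLY = BUNDLE_ONLY + "proxy:\n  noProxy: '*'\n"

if __name__ == "__main__":
    for name, cfg in [("bundle only", BUNDLE_ONLY), ("with proxy", WITH_PROXY),
                      ("noProxy only", NOPROXY_ONLY)]:
        print(f"{name}: {trust_bundle_status(cfg)}")
```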