Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1253675

Summary: [RFE] Ability to specify global http proxy settings
Product: OpenShift Container Platform Reporter: Josep 'Pep' Turro Mauri <pep>
Component: RFEAssignee: Scott Dodson <sdodson>
Status: CLOSED CURRENTRELEASE QA Contact: Gan Huang <ghuang>
Severity: high Docs Contact:
Priority: high    
Version: 3.0.0CC: bleanhar, bparees, csvoboda, dmcphers, erich, ghuang, gpei, jkaur, jokerman, knakayam, libra-bugs, mbarrett, misalunk, mmccomas, nhashimo, plarsen, rdasilva, rmartine, sauchter, sdodson, tkimura, xiama
Target Milestone: ---Keywords: FutureFeature
Target Release: ---Flags: misalunk: needinfo-
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-20 15:08:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1267746    

Description Josep 'Pep' Turro Mauri 2015-08-14 12:32:55 UTC 
Description of problem:

Many OpenShift Enterprise environments require an HTTP proxy for external connectivity. Configuring OSE to work in this type of environment is cumbersome and prone to error.

Proxy settings that are applicable to the whole environment should be easy to configure on a single place and automatically applied to the relevant components as needed.

This also includes automatically adding appropriate exclusions when needed, e.g. the masters' address(es) and the [current] internal registry's service IP should be automatically added to NO_PROXY environment variables as needed.

Version-Release number of selected component (if applicable):

openshift-3.0.0.1-1.git.4.eab4c86.el7ose.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSE 3 in an environment that requires http proxies for external communications
2. Configure the environment to work with http proxies

Actual results:

You have to configure different places: /etc/sysconfig/{docker,openshift-master,openshift-node}, buildConfigs, templates.

You also have to manually specify exclusions related to the openshift platform itself: API endpoints, registry service IP.

If there are changes (e.g. service IP for the registry changes) you have manually keep these configurations up to date.

Expected results:

See the description above.

Additional info:

note that you can't add the whole services subnet to the no_proxy settings at the momemt due to bug 1242961
Comment 3 Chuck Svoboda 2015-08-27 21:50:55 UTC 
I can see some folks having use cases where they would want to ignore the global proxy settings to not use a proxy or even use a different proxy. Most likely this would be an application specific requirement where internet traffic would need to go through a certain proxy for a certain reason. We should still permit devs and ops to configure applications/pods to overwrite the global proxy settings if needed.
Comment 4 Josep 'Pep' Turro Mauri 2015-09-14 11:12:49 UTC 
(In reply to Chuck Svoboda from comment #3)
> I can see some folks having use cases where they would want to ignore the
> global proxy settings to not use a proxy or even use a different proxy. Most
> likely this would be an application specific requirement where internet
> traffic would need to go through a certain proxy for a certain reason. We
> should still permit devs and ops to configure applications/pods to overwrite
> the global proxy settings if needed.

BuildConfigs already allow you to specify proxy settings manually. Actually, right now this is how you must do it: on every buildConfig, or dc's env settings, or templates generating them.

The goal of the request here is to be able to specify global defaults on a single place and eliminate the tedious and prone to error manual configuration required now. But overriding settings via the [already existing] per-resource configuration would still be possible - although we probably want to keep global no_proxy settings active and maybe add any individual specifications instead of overriding.

Overriding system configuration (e.g. the nodes' docker config in /etc/sysconfig/docker including proxy settings) is not possible at a resource level though.

Does that make sense?
Comment 8 Eric Rich 2015-10-12 18:55:41 UTC 
*** Bug 1248365 has been marked as a duplicate of this bug. ***
Comment 12 Brenton Leanhardt 2016-01-28 21:34:07 UTC 
The two stories related to this RFE are:

https://trello.com/c/aYry4Mpg/842-5-global-proxy-configuration
https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration
Comment 13 Ben Parees 2016-02-09 18:29:58 UTC 
The support for this is in now, not sure about the install portion.  Brenton?
Comment 14 Brenton Leanhardt 2016-02-09 20:10:42 UTC 
It's next on scott's list.  There's a relate DNS card he's working on right now.
Comment 15 Scott Dodson 2016-02-18 22:45:18 UTC 
Installer PR https://github.com/openshift/openshift-ansible/pull/1385
Advanced Installer Docs PR https://github.com/openshift/openshift-docs/pull/1607

Installer trello card https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration

I guess since this is assigned to me I'm going to flip it back to ON_QA so that QE tests the installer bits.
Comment 20 Scott Dodson 2016-02-26 18:37:55 UTC 
I'm putting this ON_QA as the PR has recently been updated and I'd like to get more feedback from QE.
Comment 24 Brenton Leanhardt 2016-03-30 15:15:47 UTC 
*** Bug 1321062 has been marked as a duplicate of this bug. ***
Comment 25 Scott Dodson 2016-04-19 02:56:02 UTC 
I've pushed a much updated set of code to https://github.com/openshift/openshift-ansible/pull/1385

Key changes since previous revisions :
  -  portal_net (kube svc ip CIDR) and SDN CIDR ranges are added to the master's NO_PROXY value by default.
  -  node no longer gets proxy envars set by default, in most cases this is the right thing to do unless you require a proxy to reach the master API
  -  BuildDefaults admission controller is additive to any other admission controller config you have.  

Anyone interested in testing this please take a look! We'll be working on getting this peer reviewed and merged soon.
Comment 28 Scott Dodson 2016-04-26 15:19:49 UTC 
In openshift-ansible-3.0.85-1.git.0.7812917.el7 which is in latest puddle
Comment 29 Gan Huang 2016-04-29 02:37:36 UTC 
Have pasted related bugs in https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration

Once finishing the testing of the card. I'll move it to verified.
Comment 30 Gan Huang 2016-05-12 06:51:35 UTC 
Test aganist with openshift-ansible-3.0.88-1.git.0.31c3daf.el7.noarch

It's blocked in container installation, and ok for rpm installation. This issue will be tracked in BZ#1335063.
Comment 31 Gan Huang 2016-05-19 06:51:38 UTC 
Verified with openshift-ansible-3.0.90-1.git.0.a077b68.el7.noarch

BZ#1335063 has been fixed, and the rest of bugs in https://trello.com/c/Wia7PSVf/168-3-global-proxy-configuration don't block global proxy setting anymore.

Move it to verified.