1397475 – [Behind Proxy][3.4] Cannot use ssh for git repos when http/s proxy is set

Bug 1397475 - [Behind Proxy][3.4] Cannot use ssh for git repos when http/s proxy is set

Summary: [Behind Proxy][3.4] Cannot use ssh for git repos when http/s proxy is set

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Build
Sub Component:
Version:	3.2.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.4.z
Assignee:	Ben Parees
QA Contact:	Wang Haoran
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1414522
TreeView+	depends on / blocked

Reported:	2016-11-22 15:45 UTC by Miheer Salunke
Modified:	2020-03-11 15:24 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Proxy value validation prevented use of default cluster proxy settings with ssh git urls. Consequence: Buildconfigs that used ssh git urls in a cluster with default proxy settings would get a validation error unless the proxy value was explicitly set to empty string in the buildconfig. Fix: Validation will no longer reject buildconfigs that use ssh git urls and have a proxy value set. However the proxy value will not be used when an ssh git url is supplied. Result: Buildconfigs that specify ssh git urls will not get a validation error even if the cluster defines a default git proxy value.
Clone Of:
Clones:	1414522 (view as bug list)
Environment:
Last Closed:	2017-01-31 20:18:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2856901	0	None	None	None	2017-01-12 08:48:00 UTC
Red Hat Product Errata	RHBA-2017:0218	0	normal	SHIPPED_LIVE	Red Hat OpenShift Container Platform 3.4.1.2 bug fix update	2017-02-01 01:18:20 UTC

Description Miheer Salunke 2016-11-22 15:45:40 UTC

1. Proposed title of this feature request
=>Cannot use ssh for git repos when http/s proxy is set


3. What is the nature and description of the request?
=> A check in the build validation (func validateGitSource) will prevent any use of ssh to access git repos when the http or https proxy variables are set in the cluster proxy settings.

The cluster is installed with openshift_http_proxy and openshift_https_proxy variables set in installer variables. However, when gitHTTProxy and gitHTTPSProxy are set as a consequence, we cannot access internal git repositories with ssh:// URIs due to the mentioned build validation.

Our current workaround to access internal private git repositories with SSH is to set gitHTTPProxy and gitHTTPSProxy to blank values in /etc/origin/master/master-config.yaml.  This way users can access local git repositories as expected with ssh:// URIs as expected. 

However, to access any external repository (access to external repos would use HTTP/S)  we would need to use a proxy. This ticket is for investigating possibilities of changing the build validation to allow SSH-accessed git repos even when gitHTTPProxy, gitHTTPSProxy parameters are set.


The result is an error message 'only http:// and https:// GIT protocols are allowed with HTTP or HTTPS proxy set'

Expected behavior: The proxy settings for http should not interfere with the ability to access internal ssh git repos.

Comment 2 Ben Parees 2016-11-23 14:42:09 UTC

To fix this we should just remove the validation rule and allow proxy values to be set regardless of git protocol.

Comment 3 Pascal Bach 2016-12-01 14:00:30 UTC

Removing the check would be fine with me.

Comment 4 Kenjiro Nakayama 2017-01-11 08:56:43 UTC

This is not a new feature request, but just a regression due to https://github.com/openshift/origin/pull/5959 I hope that this ticket should be handled in a more timely manner...

Comment 5 Kenjiro Nakayama 2017-01-12 05:42:35 UTC

One of the customers is asking the ETA. Could you please tell us the ETA?

Comment 6 Kenjiro Nakayama 2017-01-12 10:16:27 UTC

The enterprise customer is asking us to provide the fix for 3.3. If you will fix this on the upstream, please backport to OCP 3.3.

Comment 7 Ben Parees 2017-01-12 15:26:01 UTC

https://github.com/openshift/origin/pull/12463

Comment 8 openshift-github-bot 2017-01-12 23:12:25 UTC

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/cd8299b4556452dc0c1543d74253197a8cc37e70
allow proxy values to be specified with non-http git uris

bug 1397475

Comment 12 Wenjing Zheng 2017-01-22 07:38:06 UTC

Verified with below version, git repo can be used when http/s proxy is set：
openshift v3.4.1.0
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

Comment 14 errata-xmlrpc 2017-01-31 20:18:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0218

Note You need to log in before you can comment on or make changes to this bug.