Description of problem:
- According to https://docs.openshift.com/container-platform/3.5/install_config/http_proxies.html#configuring-no-proxy, etcd IPs do not need to be added to NO_PROXY for master-controllers. However, we experienced an issue when the etcd IPs are not in NO_PROXY in /etc/sysconfig/atomic-openshift-master-controllers.
Version-Release number of selected component (if applicable):
- OCP 3.5
Steps to Reproduce:
1. Install OCP 3.5 behind the proxy
- master-controllers keeps restarting with the error below.
atomic-openshift-master-controllers: ; error #1: Forbidden
atomic-openshift-master-controllers: ; error #2: Forbidden
atomic-openshift-master-controllers: E0530 14:05:07.264674 72302 leaderlease.go:95] unable to check lease openshift.io/leases/controllers: Forbidden
atomic-openshift-master-controllers: E0530 14:05:07.295492 72302 leaderlease.go:87] client: etcd cluster is unavailable or misconfigured; error #0: Forbidden
- OCP should work without NO_PROXY config for the etcd IPs. Otherwise, the docs should mention it.
- (However, /etc/origin.)
- put the customers' logs in private.
I would expect the etcd hosts to be included in NO_PROXY for the openshift-master and openshift-master-controllers.
Not sure if this is docs or ansible or both.
Reviewing the playbooks, the etcd hosts should automatically be added to the NO_PROXY list. Can you confirm whether or not the proxy variables were defined manually or by the installer?
Hi Scott, Jordan,
NO_PROXY had etcd's hostname, but it didn't have etcd's IP and we had to add it. Here is a short summary.
1. ansible inventory doesn't have NO_PROXY(=openshift_no_proxy) config for etcd's IP.
2. ansible inventory also doesn't have etcd's IPs, as it defines them as etcd's hostname.
3. After running ansible, NO_PROXY in /etc/sysconfig/atomic-openshift-master-controllers doesn't have etcd's IP.
4. After running ansible, NO_PROXY in /etc/sysconfig/atomic-openshift-master-controllers had etcd's hostname.
5. We had to _manually_ add NO_PROXY=<etcd *IPs*> in /etc/sysconfig/atomic-openshift-master-controllers
/etc/origin/master/master-config.yaml also had etcd's hostname, so I think the IPs should not need to be added. (But again, the proxy log showed the access, and it was fixed by adding etcd's IP.)
I think the etcd client prefers to connect to the IP address even if you've specified the endpoints using a hostname. We should make sure that the IP address of the etcd endpoints is added via the playbooks too.
Sounds great. Thank you Scott.
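Added example (not part of the bug thread and not the installer's code): a check for the condition discussed above, reporting which etcd hostnames and resolved IPs are not covered by NO_PROXY in a sysconfig file. The sample file content, hostnames, addresses and function names are constructed for illustration, and the matching rule is a simplifying assumption (exact entries and domain suffixes only, IPs must be listed literally).

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample inputs; on a real master, read the sysconfig file and the
# etcd URLs from master-config.yaml, and resolve names with socket.getaddrinfo.
SYSCONFIG = """\
HTTP_PROXY=http://proxy.example.com:3128
NO_PROXY=.cluster.local,.example.com,master1.example.com,172.30.0.0/16
"""
ETCD_URLS = ["https://etcd1.example.com:2379", "https://etcd2.example.com:2379"]
RESOLVED = {"etcd1.example.com": ["192.0.2.11"], "etcd2.example.com": ["192.0.2.12"]}

def parse_no_proxy(sysconfig_text):
    """Return the lower-cased NO_PROXY entries from a KEY=VALUE sysconfig file."""
    for line in sysconfig_text.splitlines():
        m = re.match(r"\s*(?:export\s+)?NO_PROXY\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip("\"'")
            return [e.strip().lower() for e in value.split(",") if e.strip()]
    return []

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def covered(host, entries):
    """Assumed rule: exact match, or domain-suffix match for hostnames only."""
    host = host.lower()
    for e in entries:
        if host == e or (not is_ip(host) and host.endswith("." + e.lstrip("."))):
            return True
    return False

def missing_etcd_entries(sysconfig_text, etcd_urls, resolve):
    """List etcd hostnames and their IPs (via resolve) that NO_PROXY misses."""
    entries = parse_no_proxy(sysconfig_text)
    missing = []
    for url in etcd_urls:
        host = urlparse(url).hostname
        for candidate in [host] + list(resolve(host)):
            if not covered(candidate, entries) and candidate not in missing:
                missing.append(candidate)
    return missing

if __name__ == "__main__":
    print(missing_etcd_entries(SYSCONFIG, ETCD_URLS, lambda h: RESOLVED.get(h, [])))
```

With the constructed input, the hostnames are covered by the `.example.com` suffix while both etcd IPs are reported as missing, which matches the situation summarized in the thread.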
*** Bug 1459505 has been marked as a duplicate of this bug. ***
Scott, should this bug be cloned to the Installer?
(In reply to Brenton Leanhardt from comment #12)
> Scott, should this bug be cloned to the Installer?
Yeah, I think we have one already, but on the off chance that we don't I'll go ahead and clone it and set it to 3.6.1.
See https://github.com/openshift/openshift-docs/pull/4720 for description of changes and links to preview docs.
Looks good to me! Sorry for the late response.
Published changes described in revhistory here: