Bug 1527210 - Installer does not configure Kubernetes service IP for no_proxy for the docker-registry.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 3.9.0
Assignee: Fabian von Feilitzsch
QA Contact: Gan Huang
URL:
Whiteboard:
Duplicates: 1535783 1540404
Depends On:
Blocks: 1511870
Reported: 2017-12-18 20:13 UTC by Ryan Howe
Modified: 2018-03-28 14:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Kubernetes service IP was not added to no_proxy list for the docker-registry.
Consequence: Internal registry requests would be forced to use the proxy, preventing logins and pushes to the internal registry.
Fix: Added the kubernetes service IP to the no_proxy list.
Result: The internal registry requests are no longer proxied, and logins and pushes to the internal registry succeed as expected.
Clone Of:
Environment:
Last Closed: 2018-03-28 14:15:24 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1504464 0 high CLOSED docker-registry pod does not uniformly use hostnames - docker push fails with proxy config 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 3381811 0 None None None 2018-03-14 18:43:15 UTC
Red Hat Product Errata RHBA-2018:0489 0 None None None 2018-03-28 14:15:53 UTC

Internal Links: 1504464

Description Ryan Howe 2017-12-18 20:13:40 UTC
Description of problem:

After an install of the cluster, the deployed registry in 3.6 gets proxy variables set on the deployment configuration. The registry uses the kubernetes service IP to authenticate users logging into the registry. This IP address does not get set, resulting in logins and pushes failing with the installer-deployed registry.

How reproducible:
100% 


Steps to Reproduce:
1. Install a cluster setting hosted registry vars and proxy vars in the hosts file
 openshift_http_proxy='https://testproxy.com'
 openshift_https_proxy='https://testproxy.com'
 openshift_no_proxy='.hosts.example.com,some-host.com'


Actual results:
    spec:
      containers:
      - env:
        - name: HTTPS_PROXY
          value: https://testproxy.com
        - name: HTTP_PROXY
          value: https://testproxy.com
        - name: NO_PROXY
          value: .cluster.local,.svc,docker-registry,docker-registry.svc,docker-registry.svc.cluster.local,<MASTERURLS>,<MASTERIP_ADDRESSES>,.hosts.example.com,some-host.com



docker login -u test -p `oc whoami -t`  docker-registry.default.svc:5000
Error response from daemon: Get https://docker-registry.default.svc:5000/v2/: unauthorized: authentication required


time="2017-12-18T19:52:23.556930453Z" level=debug msg="invalid token: Get https://172.30.0.1:443/oapi/v1/users/~: malformed HTTP response \"\\x15\\x03\\x01\\x00\\x02\\x02\\x16\"" go.version=go1.7.6 http.request.host="docker-registry.default.svc:5000" http.request.id=f6c021d6-a4e0-468e-8a04-20ac2ca2eb13 http.request.method=GET http.request.remoteaddr="10.129.0.1:48390" http.request.uri="/openshift/token?account=quicklab&client_id=docker&offline_token=true" http.request.useragent="docker/1.12.6 go/go1.8.3 kernel/3.10.0-693.12.1.el7.x86_64 os/linux arch/amd64 UpstreamClient(Docker-Client/1.12.6 \\(linux\\))" instance.id=1a30097d-7820-40f4-9765-0afc1dbdda43 openshift.logger=registry 



Expected results:

The registry gets the service IP for the kubernetes service IP, and all internal registry requests do not use the configured proxy.

Example: 
           value: .cluster.local,.svc,docker-registry,docker-registry.svc,docker-registry.svc.cluster.local,<MASTERURLS>,<MASTERIP_ADDRESSES>,.hosts.example.com,some-host.com,172.30.0.1 

Additional info:

https://github.com/openshift/openshift-ansible/commit/2960dd82cb2d9644f09957a0108ba3f817bd8b8c#diff-1fc9cdb7519394fff35b7aa41bfef936

https://github.com/openshift/openshift-ansible/blob/release-3.6/roles/openshift_hosted/tasks/registry/registry.yml#L64-L70
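
Added example (not part of the original report and not openshift-ansible code): a NO_PROXY audit showing why the domain-suffix entries in the "Actual results" value do not cover the request to 172.30.0.1 seen in the registry log. The matcher is a simplified exact-or-suffix model (an assumption; real HTTP clients differ in details), and the master hostname and IP in the sample value are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bypasses_proxy(url, no_proxy):
    """Return True if a request to `url` would skip the proxy."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in no_proxy.split(","):
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry == "*" or host == entry:
            return True
        if _is_ip(host):
            continue  # IP literals match exactly only, never by suffix
        suffix = entry if entry.startswith(".") else "." + entry
        if host.endswith(suffix) or host == suffix[1:]:
            return True
    return False


def proxied_urls(required, no_proxy):
    """URLs from `required` that would still be sent to the proxy."""
    return [u for u in required if not bypasses_proxy(u, no_proxy)]


# NO_PROXY as in "Actual results"; master.example.test and 192.0.2.10 are
# constructed stand-ins for <MASTERURLS> and <MASTERIP_ADDRESSES>.
NO_PROXY_BEFORE = (".cluster.local,.svc,docker-registry,docker-registry.svc,"
                   "docker-registry.svc.cluster.local,master.example.test,"
                   "192.0.2.10,.hosts.example.com,some-host.com")
NO_PROXY_AFTER = NO_PROXY_BEFORE + ",172.30.0.1"  # value from "Expected results"

# URLs taken from the docker login error and the registry debug log above.
REQUIRED = ["https://docker-registry.default.svc:5000/v2/",
            "https://172.30.0.1:443/oapi/v1/users/~"]

if __name__ == "__main__":
    print("proxied before fix:", proxied_urls(REQUIRED, NO_PROXY_BEFORE))
    print("proxied after fix: ", proxied_urls(REQUIRED, NO_PROXY_AFTER))
```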

Comment 2 Scott Dodson 2018-01-25 15:05:31 UTC
*** Bug 1535783 has been marked as a duplicate of this bug. ***

Comment 3 Scott Dodson 2018-01-25 15:06:26 UTC
https://github.com/openshift/openshift-ansible/pull/6215 proposed fix

Comment 5 Gan Huang 2018-02-01 08:31:47 UTC
Verified in openshift-ansible-3.9.0-0.34.0.git.0.c7d9585.el7.noarch.rpm

172.30.0.1 is added to docker-registry NO_PROXY env variable successfully.

And S2I build succeeded.

Comment 6 Scott Dodson 2018-02-07 13:33:04 UTC
*** Bug 1540404 has been marked as a duplicate of this bug. ***

Comment 9 errata-xmlrpc 2018-03-28 14:15:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489

