Bug 1758663 - [Proxy]cluster external endpoints should be noProxy for installer
Summary: [Proxy]cluster external endpoints should be noProxy for installer
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.2.z
Assignee: Daneyon Hansen
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On: 1757975
Blocks:
Reported: 2019-10-04 18:59 UTC by Daneyon Hansen
Modified: 2019-11-08 12:52 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1757975
Environment:
Last Closed: 2019-11-08 08:08:06 UTC
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Github openshift installer pull 2471 'None' 'closed' '[release-4.2] Bug 1758663: asset/manifests: Removes external api server from default noProxy' 2019-12-04 09:28:56 UTC

Description Daneyon Hansen 2019-10-04 18:59:48 UTC
+++ This bug was initially created as a clone of Bug #1757975 +++

Description of problem:
Same as bz 1757973. Based on feedback from @deads2k, it's preferred to not automatically add cluster external endpoints (i.e. routes) to the default noProxy list. By doing so, we provide users the ability to choose whether or not to proxy these connections.

Version-Release number of the following components:
4.3.0-0.okd-2019-10-02-19155

How reproducible:
Always

Steps to Reproduce:
1. Create a cluster with proxy enabled
2. Check the status.noProxy and you will see the api-server external url

Actual results:
$ oc get proxy/cluster -o yaml | grep status -A 2
status:
  httpProxy: http://ewolinet:5f6ccbbbafc66013d012839921ada773@35.196.128.173:3128
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.proxy.devcluster.openshift.com,api.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost

Expected results:
$ oc get proxy/cluster -o yaml | grep status -A 2
status:
  httpProxy: http://ewolinet:5f6ccbbbafc66013d012839921ada773@35.196.128.173:3128
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost


Additional info:
Please attach logs from ansible-playbook with the -vvv flag

--- Additional comment from Daneyon Hansen on 2019-10-04 16:18:08 UTC ---

Per recommendations from @deads2k, cluster external endpoints will not automatically be added to noProxy. This will provide users the option whether or not to add these endpoints to noProxy.

Comment 1 Scott Dodson 2019-10-14 17:15:03 UTC
4.2 bug was closed NOTABUG, closing this similarly

https://bugzilla.redhat.com/show_bug.cgi?id=1757975#c1

Comment 2 Daneyon Hansen 2019-10-14 17:27:56 UTC
https://github.com/openshift/installer/pull/2471 is the PR to fix this bug.

Comment 7 Johnny Liu 2019-10-28 06:56:59 UTC
The PR would cause BZ#1766066

Comment 8 Gaoyun Pei 2019-10-29 11:08:03 UTC
Since https://github.com/openshift/cluster-network-operator/pull/334 is not merged yet, the installation with proxy enabled will result in a failure status.

The noProxy list will be different on bootstrap and in cluster, so machine-config operator would complain about that.

Comment 9 Gaoyun Pei 2019-10-29 13:29:13 UTC
So this bug actually depends on https://bugzilla.redhat.com/show_bug.cgi?id=1758656; the two bugs need to be fixed at the same time.

Comment 10 Daneyon Hansen 2019-10-30 17:34:02 UTC
Yes, the 2 PRs associated with the 2 BZs must be merged together.

Comment 11 W. Trevor King 2019-10-31 04:21:03 UTC
https://github.com/openshift/cluster-network-operator/pull/334 landed 8h ago and bug 1758656 is ON_QA.  Moving this one back to ON_QA now that it can be verified.

Comment 12 W. Trevor King 2019-10-31 04:27:45 UTC
Actually, the other bug is MODIFIED, not ON_QA [1].  Moving this one back to ASSIGNED while we wait for a new 4.2 nightly.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1758656#c2

Comment 14 Gaoyun Pei 2019-11-05 11:07:33 UTC
Verified this bug with payload 4.2.0-0.nightly-2019-11-04-231442; the external api server address was removed from the default noProxy list.

In cluster:

# oc get proxy cluster -o jsonpath='{.status.noProxy}'
.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-421.qe.devcluster.openshift.com,etcd-0.gpei-421.qe.devcluster.openshift.com,etcd-1.gpei-421.qe.devcluster.openshift.com,etcd-2.gpei-421.qe.devcluster.openshift.com,localhost,test.no-proxy.com


On bootstrap:

[root@ip-10-0-53-40 ~]# env |grep NO_PROXY
NO_PROXY=.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-421.qe.devcluster.openshift.com,etcd-0.gpei-421.qe.devcluster.openshift.com,etcd-1.gpei-421.qe.devcluster.openshift.com,etcd-2.gpei-421.qe.devcluster.openshift.com,localhost,test.no-proxy.com

Comment 15 Gaoyun Pei 2019-11-08 08:08:06 UTC
https://github.com/openshift/installer/pull/2640 reverted the changes; confirmed this on payload 4.2.0-0.nightly-2019-11-08-012816.

On bootstrap:
[root@ip-10-0-48-10 ~]# env |grep NO_PROXY
NO_PROXY=.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.qe-gpei-1758663.qe.devcluster.openshift.com,api.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-0.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-1.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-2.qe-gpei-1758663.qe.devcluster.openshift.com,localhost,test.no-proxy.com

In cluster:
# oc get proxy cluster -o jsonpath='{.status.noProxy}'
.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.qe-gpei-1758663.qe.devcluster.openshift.com,api.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-0.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-1.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-2.qe-gpei-1758663.qe.devcluster.openshift.com,localhost,test.no-proxy.com

At this point, we shouldn't need this change; as such, I'm closing this bug as WONTFIX. Please re-open this bug if this is still something we need to address later.
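
Comments 8, 14 and 15 turn on two checks: whether the bootstrap NO_PROXY and the cluster's status.noProxy hold the same entries, and whether the external API endpoint is exempt from the proxy. The script below is an added example (not part of the bug report or of OpenShift's code) that performs both; the sample lists and the demo.example.com domain are constructed, and treating leading-dot entries as domain suffixes is an assumption about how clients read the list.

```shell
#!/bin/sh
# Added example. On a live system the inputs would come from the commands in
# the report:  env | grep NO_PROXY   (bootstrap)
#              oc get proxy cluster -o jsonpath='{.status.noProxy}'   (cluster)

# Normalise a comma-separated noProxy list: one trimmed entry per line, sorted, unique.
noproxy_entries() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Return 0 when both lists hold the same set of entries (order and duplicates ignored).
noproxy_same() {
    [ "$(noproxy_entries "$1")" = "$(noproxy_entries "$2")" ]
}

# Print entries that are in list $1 but absent from list $2.
noproxy_missing() {
    b=$(noproxy_entries "$2")
    noproxy_entries "$1" | while IFS= read -r e; do
        [ -n "$e" ] || continue
        printf '%s\n' "$b" | grep -qxF -- "$e" || printf '%s\n' "$e"
    done
}

# Return 0 when api.<cluster domain> ($2) bypasses the proxy according to list $1:
# listed exactly, or covered by a leading-dot suffix entry (assumed semantics).
external_api_bypasses_proxy() {
    host="api.$2"
    while IFS= read -r e; do
        case "$e" in
            "$host") return 0 ;;
            .*) case "$host" in *"$e") return 0 ;; esac ;;
        esac
    done <<EOF
$(noproxy_entries "$1")
EOF
    return 1
}

# Constructed sample lists (not from a real cluster).
BOOTSTRAP='.cluster.local,.svc,10.0.0.0/16,127.0.0.1,api-int.demo.example.com,api.demo.example.com,localhost'
CLUSTER='.cluster.local,.svc,10.0.0.0/16,127.0.0.1,api-int.demo.example.com,localhost'

if ! noproxy_same "$BOOTSTRAP" "$CLUSTER"; then
    echo "noProxy drift; entries only on bootstrap:"
    noproxy_missing "$BOOTSTRAP" "$CLUSTER"
fi
```

CIDR entries are compared as strings only; the script does not test whether an IP address falls inside a listed range.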