Bug 1758663 - [Proxy]cluster external endpoints should be noProxy for installer
Summary: [Proxy]cluster external endpoints should be noProxy for installer
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.2.z
Assignee: Daneyon Hansen
QA Contact: Gaoyun Pei
Depends On: 1757975
Reported: 2019-10-04 18:59 UTC by Daneyon Hansen
Modified: 2019-11-08 12:52 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1757975
Last Closed: 2019-11-08 08:08:06 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift installer pull 2471 0 'None' 'closed' '[release-4.2] Bug 1758663: asset/manifests: Removes external api server from default noProxy' 2019-12-04 09:28:56 UTC

Description Daneyon Hansen 2019-10-04 18:59:48 UTC
+++ This bug was initially created as a clone of Bug #1757975 +++

Description of problem:
Same as bz 1757973. Based on feedback from @deads2k, it's preferred to not automatically add cluster external endpoints (i.e. routes) to the default noProxy list. By doing so, we provide users the ability to choose whether or not to proxy these connections.

Version-Release number of the following components:

How reproducible:

Steps to Reproduce:
1. Create a cluster with proxy enabled
2. Check the status.noProxy and you will see the api-server external url

Actual results:
$ oc get proxy/cluster -o yaml | grep status -A 2
  httpProxy: http://ewolinet:5f6ccbbbafc66013d012839921ada773@
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,,,,,,api-int.proxy.devcluster.openshift.com,api.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost

Expected results:
$ oc get proxy/cluster -o yaml | grep status -A 2
  httpProxy: http://ewolinet:5f6ccbbbafc66013d012839921ada773@
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,,,,,,api-int.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost

Additional info:
Please attach logs from ansible-playbook with the -vvv flag

--- Additional comment from Daneyon Hansen on 2019-10-04 16:18:08 UTC ---

Per recommendations from @deads2k, cluster external endpoints will not automatically be added to noProxy. This will provide users the option whether or not to add these endpoints to noProxy.

Comment 1 Scott Dodson 2019-10-14 17:15:03 UTC
4.2 bug was closed NOTABUG, closing this similarly


Comment 2 Daneyon Hansen 2019-10-14 17:27:56 UTC
https://github.com/openshift/installer/pull/2471 is the PR to fix this bug.

Comment 7 Johnny Liu 2019-10-28 06:56:59 UTC
The PR would cause BZ#1766066

Comment 8 Gaoyun Pei 2019-10-29 11:08:03 UTC
Since https://github.com/openshift/cluster-network-operator/pull/334 is not merged yet, the installation with proxy enabled will result in a failure status.

The noProxy list will be different on bootstrap and in cluster, so machine-config operator would complain about that.

Comment 9 Gaoyun Pei 2019-10-29 13:29:13 UTC
So this bug actually depends on https://bugzilla.redhat.com/show_bug.cgi?id=1758656; the two bugs need to be fixed at the same time.

Comment 10 Daneyon Hansen 2019-10-30 17:34:02 UTC
Yes, the 2 PRs associated with the 2 bzs must be merged together.

Comment 11 W. Trevor King 2019-10-31 04:21:03 UTC
https://github.com/openshift/cluster-network-operator/pull/334 landed 8h ago and bug 1758656 is ON_QA.  Moving this one back to ON_QA now that it can be verified.

Comment 12 W. Trevor King 2019-10-31 04:27:45 UTC
Actually, the other bug is MODIFIED, not ON_QA [1].  Moving this one back to ASSIGNED while we wait for a new 4.2 nightly.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1758656#c2

Comment 14 Gaoyun Pei 2019-11-05 11:07:33 UTC
Verified this bug with payload 4.2.0-0.nightly-2019-11-04-231442; the external api server address was removed from the default noProxy list.

In cluster:

# oc get proxy cluster -o jsonpath='{.status.noProxy}'

On bootstrap:

[root@ip-10-0-53-40 ~]# env |grep NO_PROXY

Comment 15 Gaoyun Pei 2019-11-08 08:08:06 UTC
https://github.com/openshift/installer/pull/2640 reverted the changes, and I confirmed this on payload 4.2.0-0.nightly-2019-11-08-012816.

On bootstrap:
[root@ip-10-0-48-10 ~]# env |grep NO_PROXY

In cluster:
# oc get proxy cluster -o jsonpath='{.status.noProxy}'

At this point, we shouldn't need this change; as such, I'm closing this bug as WONTFIX. Please re-open this bug if this is still something we need to address later.
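
The bootstrap/cluster noProxy mismatch raised in Comment 8, and the comparison done by hand in Comments 14 and 15, can be scripted. This is an added example, not part of the bug report or the installer code; the helper names (normalize_noproxy, only_in, noproxy_diff) are hypothetical, and the sample lists are the "Actual results" and "Expected results" values from the description.

```shell
#!/bin/sh
# Added example: compare two noProxy lists entry by entry.
# Helper names are hypothetical and introduced only for this illustration.

# Split a comma-separated noProxy value into one entry per line,
# trimming whitespace and dropping empty entries (",,,") and duplicates.
normalize_noproxy() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    LC_ALL=C sort -u
}

# Print entries of list $1 that are missing from list $2 (exact match only).
only_in() {
  normalize_noproxy "$1" | while IFS= read -r entry; do
    normalize_noproxy "$2" | grep -Fxq -- "$entry" || printf '%s\n' "$entry"
  done
}

# Report drift between two lists; returns 0 only when both hold the same entries.
noproxy_diff() {
  first_only=$(only_in "$1" "$2")
  second_only=$(only_in "$2" "$1")
  [ -z "$first_only" ] || printf '%s\n' "$first_only" | sed 's/^/only-in-first: /'
  [ -z "$second_only" ] || printf '%s\n' "$second_only" | sed 's/^/only-in-second: /'
  [ -z "$first_only$second_only" ]
}

# Sample input: the noProxy values shown under "Actual results" and "Expected results".
ACTUAL='.cluster.local,.svc,.us-west-2.compute.internal,,,,,,api-int.proxy.devcluster.openshift.com,api.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost'
EXPECTED='.cluster.local,.svc,.us-west-2.compute.internal,,,,,,api-int.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost'

# On a live cluster the inputs would instead be, for example:
#   noproxy_diff "$(oc get proxy cluster -o jsonpath='{.status.noProxy}')" "$NO_PROXY"
# with the second value captured from the bootstrap host's environment.
noproxy_diff "$ACTUAL" "$EXPECTED" || true
```

A non-zero return from noproxy_diff between the bootstrap and in-cluster values is the mismatch Comment 8 describes.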