Bug 1758663

Summary: [Proxy]cluster external endpoints should be noProxy for installer
Product: OpenShift Container Platform
Component: Installer
Installer sub component: openshift-installer
Reporter: Daneyon Hansen <dhansen>
Assignee: Daneyon Hansen <dhansen>
QA Contact: Gaoyun Pei <gpei>
Status: CLOSED WONTFIX
Severity: high
Priority: unspecified
CC: bparees, gpei, jialiu, wking
Version: 4.2.0
Keywords: Reopened
Target Release: 4.2.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of: 1757975
Last Closed: 2019-11-08 08:08:06 UTC
Bug Depends On: 1757975

Description Daneyon Hansen 2019-10-04 18:59:48 UTC
+++ This bug was initially created as a clone of Bug #1757975 +++

Description of problem:
Same as bz 1757973. Based on feedback from @deads2k, it's preferred to not automatically add cluster external endpoints (i.e. routes) to the default noProxy list. By doing so, we provide users the ability to choose whether or not to proxy these connections.

Version-Release number of the following components:
4.3.0-0.okd-2019-10-02-19155

How reproducible:
Always

Steps to Reproduce:
1. Create a cluster with proxy enabled
2. Check the status.noProxy and you will see the api-server external url

Actual results:
$ oc get proxy/cluster -o yaml | grep status -A 2
status:
  httpProxy: http://ewolinet:5f6ccbbbafc66013d012839921ada773@35.196.128.173:3128
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.proxy.devcluster.openshift.com,api.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost

Expected results:
$ oc get proxy/cluster -o yaml | grep status -A 2
status:
  httpProxy: http://ewolinet:5f6ccbbbafc66013d012839921ada773@35.196.128.173:3128
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.proxy.devcluster.openshift.com,etcd-0.proxy.devcluster.openshift.com,etcd-1.proxy.devcluster.openshift.com,etcd-2.proxy.devcluster.openshift.com,localhost


Additional info:
Please attach logs from ansible-playbook with the -vvv flag

--- Additional comment from Daneyon Hansen on 2019-10-04 16:18:08 UTC ---

Per recommendations from @deads2k, cluster external endpoints will not automatically be added to noProxy. This will provide users the option whether or not to add these endpoints to noProxy.

Comment 1 Scott Dodson 2019-10-14 17:15:03 UTC
4.2 bug was closed NOTABUG, closing this similarly

https://bugzilla.redhat.com/show_bug.cgi?id=1757975#c1

Comment 2 Daneyon Hansen 2019-10-14 17:27:56 UTC
https://github.com/openshift/installer/pull/2471 is the PR to fix this bug.

Comment 7 Johnny Liu 2019-10-28 06:56:59 UTC
The PR would cause BZ#1766066

Comment 8 Gaoyun Pei 2019-10-29 11:08:03 UTC
Since https://github.com/openshift/cluster-network-operator/pull/334 is not merged yet, the installation with proxy enabled will result in a failure status.

The noProxy list will be different on bootstrap and in cluster, so machine-config operator would complain about that.

Comment 9 Gaoyun Pei 2019-10-29 13:29:13 UTC
So this bug actually depends on https://bugzilla.redhat.com/show_bug.cgi?id=1758656; the two bugs need to be fixed at the same time.

Comment 10 Daneyon Hansen 2019-10-30 17:34:02 UTC
Yes, the 2 PRs associated with the 2 bzs must be merged together.

Comment 11 W. Trevor King 2019-10-31 04:21:03 UTC
https://github.com/openshift/cluster-network-operator/pull/334 landed 8h ago and bug 1758656 is ON_QA.  Moving this one back to ON_QA now that it can be verified.

Comment 12 W. Trevor King 2019-10-31 04:27:45 UTC
Actually, the other bug is MODIFIED, not ON_QA [1].  Moving this one back to ASSIGNED while we wait for a new 4.2 nightly.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1758656#c2

Comment 14 Gaoyun Pei 2019-11-05 11:07:33 UTC
Verified this bug with payload 4.2.0-0.nightly-2019-11-04-231442; the external API server address was removed from the default noProxy list.

In cluster:

# oc get proxy cluster -o jsonpath='{.status.noProxy}'
.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-421.qe.devcluster.openshift.com,etcd-0.gpei-421.qe.devcluster.openshift.com,etcd-1.gpei-421.qe.devcluster.openshift.com,etcd-2.gpei-421.qe.devcluster.openshift.com,localhost,test.no-proxy.com


On bootstrap:

[root@ip-10-0-53-40 ~]# env |grep NO_PROXY
NO_PROXY=.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-421.qe.devcluster.openshift.com,etcd-0.gpei-421.qe.devcluster.openshift.com,etcd-1.gpei-421.qe.devcluster.openshift.com,etcd-2.gpei-421.qe.devcluster.openshift.com,localhost,test.no-proxy.com

Comment 15 Gaoyun Pei 2019-11-08 08:08:06 UTC
https://github.com/openshift/installer/pull/2640 reverted the changes, and I confirmed this on payload 4.2.0-0.nightly-2019-11-08-012816.

On bootstrap:
[root@ip-10-0-48-10 ~]# env |grep NO_PROXY
NO_PROXY=.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.qe-gpei-1758663.qe.devcluster.openshift.com,api.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-0.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-1.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-2.qe-gpei-1758663.qe.devcluster.openshift.com,localhost,test.no-proxy.com

In cluster:
# oc get proxy cluster -o jsonpath='{.status.noProxy}'
.cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.qe-gpei-1758663.qe.devcluster.openshift.com,api.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-0.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-1.qe-gpei-1758663.qe.devcluster.openshift.com,etcd-2.qe-gpei-1758663.qe.devcluster.openshift.com,localhost,test.no-proxy.com

At this point, we shouldn't need this change; as such, I'm closing this bug as WONTFIX. Please re-open this bug if this is still something we need to address later.
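
The comparison that comments 14 and 15 do by eye, as an added example (not part of the bug report or the installer's code): test for the external API host by exact entry match, and report any drift between the bootstrap NO_PROXY and the cluster's status.noProxy, which comment 8 says the machine-config operator complains about. The function names and the demo.example.com sample lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit comma-separated noProxy lists such as the ones
# pasted in this bug. All sample values below are constructed.

# normalize LIST -> one entry per line, trimmed, sorted, de-duplicated
normalize() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' | sort -u
}

# has_entry LIST ENTRY -> exit 0 only on an exact entry match, so
# api-int.<domain> is never mistaken for api.<domain>
has_entry() {
    normalize "$1" | grep -Fxq -- "$2"
}

# only_in LABEL LIST_A LIST_B -> print "LABEL:entry" for entries in A but not B
only_in() {
    normalize "$2" | while IFS= read -r e; do
        [ -n "$e" ] || continue
        has_entry "$3" "$e" || printf '%s:%s\n' "$1" "$e"
    done
}

# drift BOOTSTRAP_LIST CLUSTER_LIST -> prints nothing when the lists agree
drift() {
    only_in bootstrap-only "$1" "$2"
    only_in cluster-only "$2" "$1"
}

# Constructed sample input. On a live system the two values would come from
#   env | grep NO_PROXY                                  (on bootstrap)
#   oc get proxy cluster -o jsonpath='{.status.noProxy}' (in cluster)
BOOTSTRAP_LIST='.cluster.local,.svc,10.0.0.0/16,api-int.demo.example.com,api.demo.example.com,localhost'
CLUSTER_LIST='.cluster.local,.svc,10.0.0.0/16,api-int.demo.example.com,localhost'

drift "$BOOTSTRAP_LIST" "$CLUSTER_LIST"
if has_entry "$CLUSTER_LIST" 'api.demo.example.com'; then
    echo 'external API endpoint bypasses the proxy'
else
    echo 'external API endpoint is sent through the proxy'
fi
```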