1759611 – [Proxy]machine configs are not updated when proxy.config.openshift.io gets updated

Bug 1759611 - [Proxy]machine configs are not updated when proxy.config.openshift.io gets updated

Summary: [Proxy]machine configs are not updated when proxy.config.openshift.io gets up...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Machine Config Operator
Sub Component:
Version:	4.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	4.2.z
Assignee:	Sinny Kumari
QA Contact:	Michael Nguyen
Docs Contact:
URL:
Whiteboard:
Depends On:	1759363
Blocks:
TreeView+	depends on / blocked

Reported:	2019-10-08 16:49 UTC by Daneyon Hansen
Modified:	2023-09-07 20:45 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1759363
Environment:
Last Closed:	2019-12-03 22:43:11 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift machine-config-operator pull 1175	0	'None'	closed	Bug 1759611: [release-4.2] lib/resourcemerge: account for proxy changes	2020-11-26 06:51:31 UTC
Red Hat Product Errata	RHBA-2019:3953	0	None	None	None	2019-12-03 22:43:23 UTC

Comment 1 Kirsten Garrison 2019-11-06 18:05:02 UTC

We will need to do a backport of https://github.com/openshift/machine-config-operator/pull/1174

Sinny can you do a cherrypick ^^ into a new PR for this BZ?

Comment 2 Sinny Kumari 2019-11-07 05:42:53 UTC

PR for the fix is in https://github.com/openshift/machine-config-operator/pull/1175
Since this bug depends on corresponding 4.3 bug https://bugzilla.redhat.com/show_bug.cgi?id=1759363 , we will first need to get BZ#1759363 verified by QE

Comment 4 Micah Abbott 2019-11-27 16:56:00 UTC

Verified with 4.2.0-0.nightly-2019-11-27-102509

```
== Configure VM as Squid Proxy ==
  - Install Fedora in AWS
  - Relax Security Group to allow all traffic in/out
  - dnf -y install squid
  - Edit /etc/squid/squid.conf
      - add `acl Safe_ports port 0-65535`
      - comment out all Safe_ports out
      - s/http_port 3128/http_port 8080
      - add `http_access allow all`
      - comment out `http_access deny CONNECT !SSL_ports`
      - comment out `http_access deny !Safe_ports`
      - comment out `http_access deny all`

== create install config ==
./openshift-install create install-config --dir test

== add proxy to install config ==
vi test/install-config.yaml

proxy:
  httpProxy: http://<ip-of-squid>:8080
  httpsProxy: http://<ip-of-squid>:8080

== install openshift ==
./openshift-install create cluster --dir=test

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-11-27-102509   True        False         9m1s    Cluster version is 4.2.0-0.nightly-2019-11-27-102509


== edit proxy and add noProxy ==
$ oc edit proxy


spec:
  httpProxy: http://<ip-of-squid>:8080
  httpsProxy: http://<ip-of-squid>:8080
  noProxy: .example.com
  trustedCA:
    name: ""

== verify the changes get rolled out to the cluster ==
$ oc get nodes
NAME                           STATUS                     ROLES    AGE   VERSION
ip-10-0-128-130.ec2.internal   Ready                      worker   17m   v1.14.6+31a56cf75
ip-10-0-143-165.ec2.internal   Ready                      master   23m   v1.14.6+31a56cf75
ip-10-0-144-195.ec2.internal   Ready,SchedulingDisabled   worker   17m   v1.14.6+31a56cf75
ip-10-0-146-64.ec2.internal    Ready,SchedulingDisabled   master   23m   v1.14.6+31a56cf75
ip-10-0-162-232.ec2.internal   Ready                      master   23m   v1.14.6+31a56cf75
ip-10-0-174-143.ec2.internal   Ready                      worker   17m   v1.14.6+31a56cf75

== check that the proxy is getting propagated to the host (should see .example.com) ==
$ oc debug node/ip-10-0-128-130.ec2.internal 
Starting pod/ip-10-0-128-130ec2internal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.130
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# grep -ri NO_PROXY /etc/systemd/system
/etc/systemd/system/kubelet.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost
/etc/systemd/system/machine-config-daemon-host.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost
/etc/systemd/system/pivot.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost
/etc/systemd/system/crio.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost

== check mcp / mc for proxy changes ==
 oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED
master   rendered-master-e3187ca22881e6d4ceaa7c811603f585   False     True       False
worker   rendered-worker-e5aab63d54eabc8b174ad7d774cc01e5   False     True       False

$ oc get mc
NAME                                                        GENERATEDBYCONTROLLER                      IGNITIONVERSION   CREATED
00-master                                                   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
00-worker                                                   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-master-container-runtime                                 d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-master-kubelet                                           d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-worker-container-runtime                                 d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-worker-kubelet                                           d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
99-master-0e49e2e2-1133-11ea-bd77-0a1a4a8977e5-registries   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
99-master-ssh                                                                                          2.2.0             25m
99-worker-0e58dbc2-1133-11ea-bd77-0a1a4a8977e5-registries   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
99-worker-ssh                                                                                          2.2.0             25m
rendered-master-302fa35413ecec6d40ab2b6b2b2814fd            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             6m23s
rendered-master-e3187ca22881e6d4ceaa7c811603f585            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
rendered-worker-be325d0d62e7886c48ad6332fd11a5f6            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             6m23s
rendered-worker-e5aab63d54eabc8b174ad7d774cc01e5            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m

$ oc get mc/rendered-master-302fa35413ecec6d40ab2b6b2b2814fd -o yaml | grep example\.com
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
```

Comment 6 errata-xmlrpc 2019-12-03 22:43:11 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3953

Note You need to log in before you can comment on or make changes to this bug.