Bug 1759611 - [Proxy]machine configs are not updated when proxy.config.openshift.io gets updated
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Machine Config Operator
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.2.z
Assignee: Sinny Kumari
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On: 1759363
Blocks:
Reported: 2019-10-08 16:49 UTC by Daneyon Hansen
Modified: 2019-12-06 20:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1759363
Environment:
Last Closed: 2019-12-03 22:43:11 UTC
Target Upstream Version:

Links
| System | ID | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| Github | openshift machine-config-operator pull 1175 | 'None' | closed | Bug 1759611: [release-4.2] lib/resourcemerge: account for proxy changes | 2020-06-16 08:41:56 UTC |
| Red Hat Product Errata | RHBA-2019:3953 | None | None | None | 2019-12-03 22:43:23 UTC |

Comment 1 Kirsten Garrison 2019-11-06 18:05:02 UTC
We will need to do a backport of https://github.com/openshift/machine-config-operator/pull/1174

Sinny can you do a cherrypick ^^ into a new PR for this BZ?

Comment 2 Sinny Kumari 2019-11-07 05:42:53 UTC
PR for the fix is in https://github.com/openshift/machine-config-operator/pull/1175
Since this bug depends on the corresponding 4.3 bug https://bugzilla.redhat.com/show_bug.cgi?id=1759363, we will first need to get BZ#1759363 verified by QE.

Comment 4 Micah Abbott 2019-11-27 16:56:00 UTC
Verified with 4.2.0-0.nightly-2019-11-27-102509

```
== Configure VM as Squid Proxy ==
  - Install Fedora in AWS
  - Relax Security Group to allow all traffic in/out
  - dnf -y install squid
  - Edit /etc/squid/squid.conf
      - add `acl Safe_ports port 0-65535`
      - comment out all Safe_ports
      - s/http_port 3128/http_port 8080/
      - add `http_access allow all`
      - comment out `http_access deny CONNECT !SSL_ports`
      - comment out `http_access deny !Safe_ports`
      - comment out `http_access deny all`

== create install config ==
./openshift-install create install-config --dir test

== add proxy to install config ==
vi test/install-config.yaml

proxy:
  httpProxy: http://<ip-of-squid>:8080
  httpsProxy: http://<ip-of-squid>:8080

== install openshift ==
./openshift-install create cluster --dir=test

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-11-27-102509   True        False         9m1s    Cluster version is 4.2.0-0.nightly-2019-11-27-102509


== edit proxy and add noProxy ==
$ oc edit proxy


spec:
  httpProxy: http://<ip-of-squid>:8080
  httpsProxy: http://<ip-of-squid>:8080
  noProxy: .example.com
  trustedCA:
    name: ""

== verify the changes get rolled out to the cluster ==
$ oc get nodes
NAME                           STATUS                     ROLES    AGE   VERSION
ip-10-0-128-130.ec2.internal   Ready                      worker   17m   v1.14.6+31a56cf75
ip-10-0-143-165.ec2.internal   Ready                      master   23m   v1.14.6+31a56cf75
ip-10-0-144-195.ec2.internal   Ready,SchedulingDisabled   worker   17m   v1.14.6+31a56cf75
ip-10-0-146-64.ec2.internal    Ready,SchedulingDisabled   master   23m   v1.14.6+31a56cf75
ip-10-0-162-232.ec2.internal   Ready                      master   23m   v1.14.6+31a56cf75
ip-10-0-174-143.ec2.internal   Ready                      worker   17m   v1.14.6+31a56cf75

== check that the proxy is getting propagated to the host (should see .example.com) ==
$ oc debug node/ip-10-0-128-130.ec2.internal 
Starting pod/ip-10-0-128-130ec2internal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.128.130
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# grep -ri NO_PROXY /etc/systemd/system
/etc/systemd/system/kubelet.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost
/etc/systemd/system/machine-config-daemon-host.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost
/etc/systemd/system/pivot.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost
/etc/systemd/system/crio.service.d/10-default-env.conf:Environment=NO_PROXY=.cluster.local,.ec2.internal,.example.com,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.miabbott-4.2-nightly.devcluster.openshift.com,etcd-0.miabbott-4.2-nightly.devcluster.openshift.com,etcd-1.miabbott-4.2-nightly.devcluster.openshift.com,etcd-2.miabbott-4.2-nightly.devcluster.openshift.com,localhost

== check mcp / mc for proxy changes ==
$ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED
master   rendered-master-e3187ca22881e6d4ceaa7c811603f585   False     True       False
worker   rendered-worker-e5aab63d54eabc8b174ad7d774cc01e5   False     True       False

$ oc get mc
NAME                                                        GENERATEDBYCONTROLLER                      IGNITIONVERSION   CREATED
00-master                                                   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
00-worker                                                   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-master-container-runtime                                 d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-master-kubelet                                           d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-worker-container-runtime                                 d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
01-worker-kubelet                                           d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
99-master-0e49e2e2-1133-11ea-bd77-0a1a4a8977e5-registries   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
99-master-ssh                                                                                          2.2.0             25m
99-worker-0e58dbc2-1133-11ea-bd77-0a1a4a8977e5-registries   d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
99-worker-ssh                                                                                          2.2.0             25m
rendered-master-302fa35413ecec6d40ab2b6b2b2814fd            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             6m23s
rendered-master-e3187ca22881e6d4ceaa7c811603f585            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m
rendered-worker-be325d0d62e7886c48ad6332fd11a5f6            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             6m23s
rendered-worker-e5aab63d54eabc8b174ad7d774cc01e5            d780d197a9c5848ba786982c0c4aaa7487297046   2.2.0             24m

$ oc get mc/rendered-master-302fa35413ecec6d40ab2b6b2b2814fd -o yaml | grep example\.com
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
          source: data:,%5BService%5D%0AEnvironment%3DHTTP_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F54.83.158.238%3A8080%0AEnvironment%3DNO_PROXY%3D.cluster.local%2C.ec2.internal%2C.example.com%2C.svc%2C10.0.0.0%2F16%2C10.128.0.0%2F14%2C127.0.0.1%2C169.254.169.254%2C172.30.0.0%2F16%2Capi-int.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-0.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-1.miabbott-4.2-nightly.devcluster.openshift.com%2Cetcd-2.miabbott-4.2-nightly.devcluster.openshift.com%2Clocalhost%0A
```
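
Added example, not part of the original comment or of the Machine Config Operator: the `source:` values in the rendered MachineConfig are percent-encoded `data:` URLs, so a plain `grep` only matches entries that contain no encoded characters (a CIDR such as `10.0.0.0/16` appears as `10.0.0.0%2F16`). The sketch below decodes the drop-in and reports which expected `noProxy` entries are missing; the sample value is a shortened, constructed copy of the output above with a documentation IP, and the function names are hypothetical.

```python
from urllib.parse import unquote

# Constructed sample: a shortened version of the `source:` value shown in the
# rendered MachineConfig above (proxy address replaced by a documentation IP).
SAMPLE_SOURCE = (
    "data:,%5BService%5D%0A"
    "Environment%3DHTTP_PROXY%3Dhttp%3A%2F%2F192.0.2.10%3A8080%0A"
    "Environment%3DHTTPS_PROXY%3Dhttp%3A%2F%2F192.0.2.10%3A8080%0A"
    "Environment%3DNO_PROXY%3D.cluster.local%2C.example.com%2C.svc%2C"
    "10.0.0.0%2F16%2C127.0.0.1%2Clocalhost%0A"
)


def decode_data_url(source):
    """Return the text payload of a percent-encoded `data:` URL."""
    prefix, sep, payload = source.partition(",")
    if not sep or not prefix.startswith("data:"):
        raise ValueError("not a data URL")
    if prefix.endswith(";base64"):
        raise ValueError("base64 data URLs are not handled in this example")
    return unquote(payload)


def proxy_env(source):
    """Parse the Environment=KEY=VALUE lines of the decoded systemd drop-in."""
    env = {}
    for line in decode_data_url(source).splitlines():
        if line.startswith("Environment="):
            key, _, value = line[len("Environment="):].partition("=")
            env[key] = value
    return env


def missing_no_proxy(source, expected):
    """Return the expected noProxy entries absent from the rendered NO_PROXY."""
    rendered = set(proxy_env(source).get("NO_PROXY", "").split(","))
    return sorted(set(expected) - rendered)


if __name__ == "__main__":
    for key, value in proxy_env(SAMPLE_SOURCE).items():
        print(f"{key}={value}")
    print("missing:", missing_no_proxy(SAMPLE_SOURCE, [".example.com", "10.0.0.0/16"]))
```
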

Comment 6 errata-xmlrpc 2019-12-03 22:43:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3953
