Bug 1779502 - [IPI on Azure] [proxy] - proxy installation does not work in a restricted network
Summary: [IPI on Azure] [proxy] - proxy installation does not work in a restricted net...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.4.0
Assignee: Abhinav Dahiya
QA Contact: Etienne Simard
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-04 05:30 UTC by Etienne Simard
Modified: 2020-06-18 12:56 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-04 11:18:30 UTC
Target Upstream Version:
esimard: needinfo-
mgahagan: needinfo-
esimard: needinfo+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:18:49 UTC

Comment 2 Scott Dodson 2019-12-04 18:15:38 UTC
Requesting serial console output from azure instances to further debug.

Comment 20 Scott Dodson 2020-02-13 17:51:16 UTC
The AWS jobs assume access to S3 storage without proxy use, we'll need to be able to assume the same access to Azure blob storage in these Azure tests as well.

Comment 21 Etienne Simard 2020-02-13 19:44:51 UTC
(In reply to Scott Dodson from comment #20)
> The AWS jobs assume access to S3 storage without proxy use, we'll need to be
> able to assume the same access to Azure blob storage in these Azure tests as
> well.

Hello Scott, do you have a link in the docs or elsewhere that explains that assumption? Should it be included in that list: https://docs.openshift.com/container-platform/4.3/installing/install_config/configuring-firewall.html?

This test was done with the assumption that we wanted to be in a completely internet disconnected network and only allowing outgoing connections through the proxy. Client environments could have similar requirements.

Should an installation work with only the white list of the azure blob storage (*.blob.core.windows.net) + proxy?

Comment 23 Etienne Simard 2020-02-17 18:44:07 UTC
I confirm that I was able to create a cluster with the proxy by adding a whitelist towards Azure public IPs.

Verified with:

DEBUG OpenShift Installer v4.3.1                   
DEBUG Built from commit 2055609f95b19322ee6cfdd0bea73399297c4a3e 

Firewall rules added:

NSG with egress access enabled towards Azure Service Tag "AzureCloud" (https://www.microsoft.com/en-us/download/details.aspx?id=56519)

Comment 27 errata-xmlrpc 2020-05-04 11:18:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581


Note You need to log in before you can comment on or make changes to this bug.