Bug 1791948 - https proxy validation URL not allowed without explicit httpsProxy configuration
Keywords:
Status: CLOSED DUPLICATE of bug 1798887
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.2.z
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Aniket Bhat
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-16 18:48 UTC by Chet Hosey
Modified: 2020-06-18 19:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-18 19:23:39 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1784201 1 None None None 2024-10-01 16:25:29 UTC

Description Chet Hosey 2020-01-16 18:48:34 UTC
Description of problem:

Per https://bugzilla.redhat.com/show_bug.cgi?id=1784201#c22, in the cluster proxy settings httpsProxy should default to the value of httpProxy.

However, specifying an HTTPS validation URL will fail unless httpsProxy is explicitly given.


Version-Release number of selected component (if applicable):

4.2.13


How reproducible:

100%


Steps to Reproduce:
1. Specify httpProxy but not httpsProxy
2. Add an HTTPS readiness endpoint
3. Observe network operator state


Actual results:

From `oc describe clusteroperator network`:

    Last Transition Time:  2020-01-15T19:06:10Z
    Message:               The configuration is invalid for proxy 'cluster' (httpsProxy must be set when using a https proxy readinessEndpoint). Use 'oc edit proxy.config.openshift.io cluster' to fix.
    Reason:                InvalidProxyConfig
    Status:                True
    Type:                  Degraded


Expected results:

Either httpsProxy should explicitly *not* default to httpProxy, or HTTPS readiness endpoints should work when only httpProxy is given.

It would be unpleasantly surprising to find out that HTTPS readiness endpoints weren't supported, yet the cluster was still implicitly proxying HTTPS traffic, when only httpProxy is specified.


Additional info:

Minimal impact since the admin can always specify httpsProxy explicitly.
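
The mismatch described in this report, modelled as an added example (not part of the original report and not the cluster-network-operator's code). The `ProxySpec` type, the function names and the sample hosts are hypothetical; only the error text is taken from the report.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ProxySpec is a hypothetical, reduced stand-in for the proxy 'cluster' spec.
type ProxySpec struct {
	HTTPProxy, HTTPSProxy string
	ReadinessEndpoints    []string
}

// ErrHTTPSProxyUnset carries the message quoted in the report.
var ErrHTTPSProxyUnset = errors.New("httpsProxy must be set when using a https proxy readinessEndpoint")

// EffectiveHTTPSProxy applies the defaulting the report refers to:
// an empty httpsProxy falls back to httpProxy.
func EffectiveHTTPSProxy(s ProxySpec) string {
	if s.HTTPSProxy != "" {
		return s.HTTPSProxy
	}
	return s.HTTPProxy
}

// Validate checks readiness endpoints. fallback=false models the reported
// behaviour (only the explicit field counts); fallback=true models the
// expected result where the defaulted value counts.
func Validate(s ProxySpec, fallback bool) error {
	httpsProxy := s.HTTPSProxy
	if fallback {
		httpsProxy = EffectiveHTTPSProxy(s)
	}
	for _, ep := range s.ReadinessEndpoints {
		u, err := url.Parse(ep)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
			return fmt.Errorf("readinessEndpoint %q: need an http or https URL", ep)
		}
		if u.Scheme == "https" && httpsProxy == "" {
			return ErrHTTPSProxyUnset
		}
	}
	return nil
}

func main() {
	// Constructed sample: httpProxy only, one HTTPS readiness endpoint.
	spec := ProxySpec{HTTPProxy: "http://proxy.example.test:3128",
		ReadinessEndpoints: []string{"https://www.example.test"}}
	fmt.Println("explicit only:", Validate(spec, false))
	fmt.Println("with fallback:", Validate(spec, true))
}
```

With the same spec, the first call reproduces the Degraded condition and the second accepts the endpoint, which shows the inconsistency between the defaulting and the validation.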

Comment 3 Daneyon Hansen 2020-06-18 19:23:39 UTC
This BZ is a dupe of BZ 1798887. I verified the fix for BZ 1798887 solves the issue reported in this BZ.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-06-16-145419   True        False         74m     Cluster version is 4.6.0-0.nightly-2020-06-16-145419

$ oc get proxy/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
<SNIP>
spec:
  httpProxy: http://<SNIP>
  readinessEndpoints:
  - https://www.google.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://<SNIP>
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.dhansen.devcluster.openshift.com,etcd-0.dhansen.devcluster.openshift.com,etcd-1.dhansen.devcluster.openshift.com,etcd-2.dhansen.devcluster.openshift.com,localhost

CNO logs:
# Before updating the proxy/cluster with the above config
2020/06/18 12:07:51 Reconciling Network.config.openshift.io cluster
2020/06/18 12:07:51 Reconciling proxy 'cluster'
2020/06/18 12:07:51 httpProxy, httpsProxy and noProxy not defined for proxy 'cluster'; validation will be skipped
<SNIP>
# After updating the proxy/cluster with the above config
2020/06/18 12:09:36 Reconciling proxy 'cluster'
2020/06/18 12:09:36 Reconciling proxy 'cluster' complete
2020/06/18 12:09:37 Reconciling configmap from  openshift-config-managed/trusted-ca-bundle
2020/06/18 12:09:37 trusted-ca-bundle changed, updating 18 configMaps
2020/06/18 12:09:37 Reconciling proxy 'cluster'
2020/06/18 12:09:37 Reconciling proxy 'cluster' complete
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/thanos-querier-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-cloud-credential-operator/cco-trusted-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/grafana-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-ingress-operator/trusted-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/alertmanager-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-insights/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/telemeter-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-apiserver/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-controller-manager/openshift-global-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-authentication-operator/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-kube-controller-manager/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/prometheus-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-apiserver-operator/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-console/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-kube-apiserver/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-authentication/v4-0-config-system-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-marketplace/marketplace-trusted-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-image-registry/trusted-ca
<SNIP>

*** This bug has been marked as a duplicate of bug 1798887 ***

