Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1791948

Summary: https proxy validation URL not allowed without explicit httpsProxy configuration
Product: OpenShift Container Platform
Reporter: Chet Hosey <ChetRHosey>
Component: Networking
Assignee: Aniket Bhat <anbhat>
Networking sub component: openshift-sdn
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED DUPLICATE
Severity: medium
Priority: low
CC: aconstan, anbhat, aos-bugs, dhansen, eparis, jokerman
Version: 4.2.z
Keywords: UpcomingSprint
Target Release: 4.6.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-06-18 19:23:39 UTC
Type: Bug

Description Chet Hosey 2020-01-16 18:48:34 UTC
Description of problem:

Per https://bugzilla.redhat.com/show_bug.cgi?id=1784201#c22, in the cluster proxy settings httpsProxy should default to the value of httpProxy.

However, specifying an HTTPS validation URL will fail unless httpsProxy is explicitly given.


Version-Release number of selected component (if applicable):

4.2.13


How reproducible:

100%


Steps to Reproduce:
1. Specify httpProxy but not httpsProxy
2. Add an HTTPS readiness endpoint
3. Observe network operator state


Actual results:

From `oc describe clusteroperator network`:

    Last Transition Time:  2020-01-15T19:06:10Z
    Message:               The configuration is invalid for proxy 'cluster' (httpsProxy must be set when using a https proxy readinessEndpoint). Use 'oc edit proxy.config.openshift.io cluster' to fix.
    Reason:                InvalidProxyConfig
    Status:                True
    Type:                  Degraded


Expected results:

Either httpsProxy should explicitly *not* default to httpProxy, or HTTPS readiness endpoints should work when only httpProxy is given.

It would be unpleasantly surprising to find out that HTTPS readiness endpoints weren't supported, yet the cluster was still implicitly proxying HTTPS traffic, when only httpProxy is specified.


Additional info:

Minimal impact since the admin can always specify httpsProxy explicitly.
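
The mismatch described in this report, modelled as an added example (not the network operator's source and not part of the original report): one validator checks the raw `httpsProxy` field and returns the message quoted above, the other checks the value HTTPS traffic would actually use after defaulting to `httpProxy`. The `ProxySpec` type, the function names and the proxy URL are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ProxySpec models only the spec fields of proxy.config.openshift.io that
// this report discusses (a simplified stand-in, not the real API type).
type ProxySpec struct {
	HTTPProxy, HTTPSProxy string
	ReadinessEndpoints    []string
}

// effectiveHTTPSProxy applies the defaulting the report refers to:
// an unset httpsProxy falls back to httpProxy.
func effectiveHTTPSProxy(s ProxySpec) string {
	if s.HTTPSProxy != "" {
		return s.HTTPSProxy
	}
	return s.HTTPProxy
}

// checkEndpoints rejects any https readiness endpoint when httpsProxy is empty.
func checkEndpoints(endpoints []string, httpsProxy string) error {
	for _, ep := range endpoints {
		u, err := url.Parse(ep)
		if err != nil {
			return fmt.Errorf("readinessEndpoint %q: %w", ep, err)
		}
		if u.Scheme == "https" && httpsProxy == "" {
			return errors.New("httpsProxy must be set when using a https proxy readinessEndpoint")
		}
	}
	return nil
}

// validateReported checks the raw spec value, giving the reported mismatch.
func validateReported(s ProxySpec) error { return checkEndpoints(s.ReadinessEndpoints, s.HTTPSProxy) }

// validateConsistent checks the value traffic would actually use.
func validateConsistent(s ProxySpec) error {
	return checkEndpoints(s.ReadinessEndpoints, effectiveHTTPSProxy(s))
}

func main() {
	// Constructed spec: httpProxy only, one https readiness endpoint.
	s := ProxySpec{HTTPProxy: "http://proxy.example.invalid:3128",
		ReadinessEndpoints: []string{"https://www.google.com"}}
	fmt.Println("reported:  ", validateReported(s))
	fmt.Println("consistent:", validateConsistent(s))
}
```

With neither proxy field set, both validators reject an HTTPS readiness endpoint, so the consistent form only removes the disagreement between validation and the defaulted traffic path.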

Comment 3 Daneyon Hansen 2020-06-18 19:23:39 UTC
This BZ is a dupe of BZ 1798887. I verified the fix for BZ 1798887 solves the issue reported in this BZ.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-06-16-145419   True        False         74m     Cluster version is 4.6.0-0.nightly-2020-06-16-145419

$ oc get proxy/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
<SNIP>
spec:
  httpProxy: http://<SNIP>
  readinessEndpoints:
  - https://www.google.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://<SNIP>
  noProxy: .cluster.local,.svc,.us-west-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.dhansen.devcluster.openshift.com,etcd-0.dhansen.devcluster.openshift.com,etcd-1.dhansen.devcluster.openshift.com,etcd-2.dhansen.devcluster.openshift.com,localhost

CNO logs:
# Before updating the proxy/cluster with the above config
2020/06/18 12:07:51 Reconciling Network.config.openshift.io cluster
2020/06/18 12:07:51 Reconciling proxy 'cluster'
2020/06/18 12:07:51 httpProxy, httpsProxy and noProxy not defined for proxy 'cluster'; validation will be skipped
<SNIP>
# After updating the proxy/cluster with the above config
2020/06/18 12:09:36 Reconciling proxy 'cluster'
2020/06/18 12:09:36 Reconciling proxy 'cluster' complete
2020/06/18 12:09:37 Reconciling configmap from  openshift-config-managed/trusted-ca-bundle
2020/06/18 12:09:37 trusted-ca-bundle changed, updating 18 configMaps
2020/06/18 12:09:37 Reconciling proxy 'cluster'
2020/06/18 12:09:37 Reconciling proxy 'cluster' complete
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/thanos-querier-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-cloud-credential-operator/cco-trusted-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/grafana-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-ingress-operator/trusted-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/alertmanager-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-insights/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/telemeter-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-apiserver/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-controller-manager/openshift-global-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-authentication-operator/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-kube-controller-manager/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-monitoring/prometheus-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-apiserver-operator/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-console/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-kube-apiserver/trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-authentication/v4-0-config-system-trusted-ca-bundle
2020/06/18 12:09:39 Reconciling configmap from  openshift-marketplace/marketplace-trusted-ca
2020/06/18 12:09:39 Reconciling configmap from  openshift-image-registry/trusted-ca
<SNIP>

*** This bug has been marked as a duplicate of bug 1798887 ***