Bug 1798609 - Report a metric about proxy enablement on the cluster and via telemetry
Summary: Report a metric about proxy enablement on the cluster and via telemetry
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.4
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.4.0
Assignee: Clayton Coleman
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-05 16:17 UTC by Clayton Coleman
Modified: 2020-05-13 21:56 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-13 21:56:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 743 0 None closed Bug 1798609: Report a metric about proxy enablement 2020-03-09 07:38:15 UTC
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-13 21:56:17 UTC

Description Clayton Coleman 2020-02-05 16:17:48 UTC 
Proxy enablement is a key indicator of a class of environments and problems, and should be easily understandable from a cluster.

Add to kube-apiserver-operator like cluster_infrastructure_provider and feature set (since these are the heart of the system and already leverage the config).  Report whether the proxy is enabled for http, https, and whether it has a CA.
Comment 2 Xingxing Xia 2020-02-12 01:23:27 UTC 
> ... cluster_infrastructure_provider and feature set (since these are the heart of the system and already leverage the config)
Related bug 1766518 and bug 1731232 for reference
> Report whether the proxy is enabled for http, https, and whether it has a CA
This bug's purpose to verify
Comment 3 Ke Wang 2020-02-18 06:27:00 UTC 
Verified with 4.4.0-0.nightly-2020-02-17-231058.
1. Enabled the cluster http/https proxy server and trustedCA.
a) Create a file called user-ca-bundle.yaml with the following contents, and provide the values of your PEM-encoded certificates:

apiVersion: v1
data:
  ca-bundle.crt: | 
    <MY_PEM_ENCODED_CERTS> 
kind: ConfigMap
metadata:
  name: user-ca-bundle 
  namespace: openshift-config


b) Create the ConfigMap from this file:

$ oc create -f user-ca-bundle.yaml

c) oc edit proxy/cluster # Configure the necessary fields for the proxy:

apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  httpProxy: http://<username>:<pswd>@<ip>:<port> 
  httpsProxy: http://<username>:<pswd>@<ip>:<port> 
  noProxy: example.com 
  trustedCA:
    name: user-ca-bundle 

2. 
$ TK=`oc sa get-token cluster-monitoring-operator -n openshift-monitoring`
# pod_name=$(oc -n openshift-apiserver-operator get pods -o name | cut -d/ -f2)
# op_endp=$(oc get ep -n openshift-kube-apiserver-operator | grep 8443 | awk '{print $2}')
# o  -n openshift-apiserver-operator exec -it $pod_name -- curl -k -H "Authorization: Bearer $TK" https://$op_endp/metrics > metrics

$ grep cluster_proxy  metrics 
# HELP cluster_proxy_enabled Reports whether the cluster has been configured to use a proxy. type is which type of proxy configuration has been set - http for an http proxy, https for an https proxy, and trusted_ca if a custom CA was specified.
# TYPE cluster_proxy_enabled gauge
cluster_proxy_enabled{type="http"} 1
cluster_proxy_enabled{type="https"} 1
cluster_proxy_enabled{type="trusted_ca"} 1

We can see the cluster_proxy_enabled Reports whether the cluster has been configured to use a proxy in metrics.
Comment 5 errata-xmlrpc 2020-05-13 21:56:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581
Note You need to log in before you can comment on or make changes to this bug.