Bug 1896705 - Machine API components should honour cluster wide proxy settings
Summary: Machine API components should honour cluster wide proxy settings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.6.z
Assignee: Joel Speed
QA Contact: Milind Yadav
URL:
Whiteboard:
Depends On: 1896704 1930150
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-11-11 10:47 UTC by Joel Speed
Modified: 2022-02-20 13:48 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1896704
Environment:
Last Closed: 2020-11-30 16:46:09 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-api-operator pull 756 0 None closed [release-4.6] Bug 1896705: Inject cluster-wide proxy configuration in to machine-api-controller deployment 2021-02-18 07:09:15 UTC
Red Hat Issue Tracker RFE-799 0 None None None 2022-02-20 13:48:12 UTC
Red Hat Product Errata RHBA-2020:5115 0 None None None 2020-11-30 16:46:29 UTC

Description Joel Speed 2020-11-11 10:47:58 UTC
+++ This bug was initially created as a clone of Bug #1896704 +++

Description of problem:

In all environments that leverage the Machine API, components in the machine-api-controllers pod contact external cloud provider APIs.

When a customer has configured a cluster-wide-proxy, they expect all traffic leaving a cluster to route via the configured proxy.

Machine API components currently ignore this setting and route traffic directly to the cloud provider APIs regardless of any configured cluster-wide-proxy.

This means that customers have to make exceptions in their networking configuration and in their security practices to allow Machine API to work in a disconnected/restricted network environment.

Machine API should honour the cluster-wide-proxy settings as all other components within OCP 4 do.


Version-Release number of selected component (if applicable):

All (in particular we want this fixed in 4.6 and 4.7)


How reproducible:

100%

Steps to Reproduce:
1. Create an OCP cluster
2. Create a cluster-wide-proxy 
3. Restrict egress traffic so that only the proxy is allowed egress

Actual results:

Machine API will now be broken as it cannot reach the cloud provider API

Expected results:

Machine API should send traffic to the cloud provider via the proxy

Additional info:

Comment 1 Joel Speed 2020-11-13 11:46:40 UTC
This is blocked on the PR being merged into the 4.7 branch and then being verified, hopefully we will be able to get that done by end of next sprint

Comment 4 Milind Yadav 2020-11-25 09:18:37 UTC
Validated on - 4.6.0-0.nightly-2020-11-22-160856

This can be easily validated with successful installation after using the new templates which removes ways that were done earlier for machine-api to work in proxy env.

Successfully validated with below proxy installation being success

https://mastern-jenkins-csb-openshift-qe.cloud.paas.psi.redhat.com/job/Launch%20Environment%20Flexy/124171/console -azure

https://mastern-jenkins-csb-openshift-qe.cloud.paas.psi.redhat.com/job/Launch%20Environment%20Flexy/124176/console - gcp

https://mastern-jenkins-csb-openshift-qe.cloud.paas.psi.redhat.com/job/Launch%20Environment%20Flexy/124047/console - AWS 

Additional info:
Moved to VERIFIED

Comment 7 errata-xmlrpc 2020-11-30 16:46:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.6 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5115


Note You need to log in before you can comment on or make changes to this bug.