Bug 1925534 - oc does not support specified proxy-url in kubeconfig during login
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.6
Hardware: All
OS: All
Target Milestone: ---
: 4.9.0
Assignee: Robin Cernin
QA Contact: zhou ying
Reported: 2021-02-05 13:33 UTC by Jason Kincl
Modified: 2021-08-27 17:48 UTC (History)


System ID Private Priority Status Summary Last Updated
Github openshift oc pull 751 0 None closed Bug 1925534: Add proxy to oc 2021-07-09 08:48:04 UTC

Description Jason Kincl 2021-02-05 13:33:37 UTC
Description of problem:

Kubernetes 1.19 introduced `proxy-url` in the cluster stanza of a kubeconfig file in client-go. This lets you specify an HTTP proxy for all connections to a specific API server[1][2]. When running `oc login`, if `proxy-url` already exists, it is not used and it is subsequently removed once login is successful. After obtaining a valid token, it is possible to add back the `proxy-url` key, and all underlying client-go requests respect the setting (`oc get pods`, for example).

[1] https://github.com/kubernetes/client-go/issues/351
[2] https://github.com/kubernetes/kubernetes/pull/81443

Version-Release number of selected component (if applicable):

This was introduced in 1.19+ only so OpenShift 4.6+ is affected

How reproducible:


Steps to Reproduce:
1. modify kubeconfig and add `proxy-url`

apiVersion: v1
- cluster:
    server: https://api.testing.local:6443
  name: local-test

2. run `oc login` and see that it does not use the proxy
3. run `http_proxy= oc login` to force the proxy and obtain a token
4. add back `proxy-url` to the cluster configuration in kubeconfig
5. run `oc get pods` to verify that client-go is using the configured proxy-url in kubeconfig

Actual results:

Expected results:

Additional info:

Comment 1 Mike Dame 2021-02-25 20:59:41 UTC
I have not yet had an opportunity to investigate this bug, but will work on it in a future sprint.

Comment 2 Robin Cernin 2021-02-26 02:44:35 UTC
This is not a bug, rather a new feature that was added with Kubernetes 1.19+

Every time you run `oc login` or `oc project` kubeconfig will get patched and `proxy-url` gets removed.

For example `oc project` :

$ cat ~/.kube/config | grep 8080

$ oc project default
Already on project "default" on server "https://example.com:6443".

$ cat ~/.kube/config | grep 8080

For example `oc login` : 

$ cat ~/.kube/config | grep 8080
$ oc login --token=sha256~{XXX} --server=https://example.com:6443

Logged into "https://example.com:6443" as "kube:admin" using the token provided.

You have access to 58 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".

$ cat ~/.kube/config | grep 8080

As per the upstream PR for the go-client, the use case is where you are managing several OpenShift clusters; some of them do not require a proxy at all and some do, and there may be different proxies per cluster.

Workaround can be to use the env HTTP_PROXY or HTTPS_PROXY:

HTTP_PROXY= oc login --token=sha256~{XXX} --server=https://example.com:6443

Comment 9 Robin Cernin 2021-06-27 21:32:21 UTC
For QA:

The `--proxy` CLI argument on `oc login` was rejected, so the only improvement we have made here is that the proxy doesn't get removed when kubeconfig is updated:

1. oc login --token=<token> --server=<api>:6443
2. oc config set clusters.<api>:6443.proxy-url

Now you should see proxy-url set on your cluster:

- cluster:
    insecure-skip-tls-verify: true
    server: https://<api>:6443
  name: <api>:6443

This upstream patch fixed that when we changed projects, the proxy-url was removed:

Without patch:

cat ~/.kube/config | grep 8080
./oc project default
Already on project "default" on server "<api>:6443".
cat ~/.kube/config | grep 8080

With patch:

cat ~/.kube/config | grep 8080
./oc project default
Already on project "default" on server "<api>:6443".
cat ~/.kube/config | grep 8080
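
The before/after comparison used in the comment above, as an added example that is not part of the original thread or of the oc code base. It assumes the block-style YAML layout that oc and kubectl write; the function names are hypothetical and the proxy host and second cluster are constructed.

```shell
#!/bin/sh
# Added example: detect a kubeconfig rewrite that drops or changes a cluster's
# proxy-url. Sample hosts are constructed; function names are hypothetical.

# proxy_urls FILE: print "cluster-name<TAB>proxy-url" for each cluster that has one.
proxy_urls() {
  awk '
    function flush() { if (name != "" && proxy != "") print name "\t" proxy; name = proxy = "" }
    /^clusters:/      { in_c = 1; next }
    /^[^ #-]/         { flush(); in_c = 0 }   # another top-level key ends the list
    !in_c             { next }
    /^- /             { flush() }             # start of the next list entry
    /^(- |  )name:/   { name = $NF }
    /^    proxy-url:/ { proxy = $2 }
    END               { flush() }
  ' "$1"
}

# dropped_proxies BEFORE AFTER: print names of clusters whose proxy-url is missing
# or different in AFTER; status 1 if any. Names only: a proxy-url may embed credentials.
dropped_proxies() {
  b=$(mktemp) a=$(mktemp)
  proxy_urls "$1" | sort > "$b"
  proxy_urls "$2" | sort > "$a"
  lost=$(comm -23 "$b" "$a" | cut -f1)   # pairs present before, absent after
  rm -f "$b" "$a"
  [ -z "$lost" ] || { printf '%s\n' "$lost"; return 1; }
}

# write_samples DIR: constructed kubeconfigs; "after" mimics the reported removal.
write_samples() {
  cat > "$1/before" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    proxy-url: http://proxy.example.test:8080
    server: https://api.testing.local:6443
  name: local-test
- cluster:
    server: https://api.direct.example.test:6443
  name: direct
contexts: []
EOF
  grep -v 'proxy-url:' "$1/before" > "$1/after"
}

d=$(mktemp -d); write_samples "$d"
dropped_proxies "$d/before" "$d/after" || echo "proxy-url lost for the clusters listed above"
```

To check a real client, copy the kubeconfig aside, run `oc project default`, and pass the copy and the live file to `dropped_proxies`.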

Comment 11 zhou ying 2021-07-14 05:40:08 UTC
Still can reproduce this issue now:

[root@localhost ~]# cat /root/.kube/config 
apiVersion: v1
- cluster:
    insecure-skip-tls-verify: true
    proxy-url: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@bastion.vmc.ci.openshift.org:3128
    server: https://api.wsunvw14.qe.devcluster.openshift.com:6443
  name: api-wsunvw14-qe-devcluster-openshift-com:6443
- context:
    cluster: api-wsunvw14-qe-devcluster-openshift-com:6443
    namespace: zhouy
    user: testuser-37/api-wsunvw14-qe-devcluster-openshift-com:6443
  name: zhouy/api-wsunvw14-qe-devcluster-openshift-com:6443/testuser-37
current-context: zhouy/api-wsunvw14-qe-devcluster-openshift-com:6443/testuser-37
kind: Config
preferences: {}
- name: testuser-37/api-wsunvw14-qe-devcluster-openshift-com:6443
    token: sha256~yz8MuFGze_7kA61KOf5pF0XGeajYOXxZ2uo9_V7C4z0
[root@localhost ~]# oc get project
zhouy                  Active
[root@localhost ~]#  oc login -u testuser-38 https://api.wsunvw14.qe.devcluster.openshift.com:6443
error: dial tcp i/o timeout - verify you have provided the correct host and port and that the server is currently running.

[root@localhost ~]# oc version --client
Client Version: 4.9.0-0.nightly-2021-07-12-203753
