Jon, could we please verify it?
Verified in 4.7.0-0.nightly-2021-06-10-213131 on top of OSP 13.0.15 (2021-03-24.1) with TLS (and self-signed cert) in public endpoints enabled. A squid proxy has been deployed and configured in install-config.yaml: proxy: httpProxy: "http://dummy:dummy@10.46.22.225:3128" httpsProxy: "https://dummy:dummy@10.46.22.225:3130" noProxy: oauth-openshift.apps.ostest.shiftstack.com In OCP 4.7, as the cacert param from the clouds.yaml is considered instead of system wide CA trust bundle, the cacert param in clouds.yaml needs to point to a pem file that includes both proxy's CA cert and Openstack's CA cert. On the other hand, the proxy has Openstack's CA cert in it's trusted bundle. 10.46.22.225 is the proxy's IP 10.46.22.204:13292 is Openstack Glance API endpoint 10.46.22.227 is the bootstrap VM's IP $ openstack server list +--------------------------------------+------------------------+--------+----------------------------------------------------+---------------------------------------+-----------+ | ID | Name | Status | Networks | Image | Flavor | +--------------------------------------+------------------------+--------+----------------------------------------------------+---------------------------------------+-----------+ |... | 9b8270ca-f5c4-47ba-a027-b59e61d1cabf | ostest-t8tq9-bootstrap | ACTIVE | ostest-t8tq9-openshift=10.196.3.196, 10.46.22.227 | ostest-t8tq9-rhcos | m4.xlarge | |... +--------------------------------------+------------------------+--------+----------------------------------------------------+---------------------------------------+-----------+ The bootstrap VM shows this message when booting up (note the host it queries is the final glance endpoint): [ 10.837268] ignition[718]: GET https://10.46.22.204:13292//v2/images/ce4da679-cb37-48ec-a2cb-448261d515e4/file: attempt #1 [ 12.836066] ignition[718]: GET result: OK And the access.log squid file shows: 1623405757.805 1900 10.46.22.227 TCP_TUNNEL/200 323265 CONNECT 10.46.22.204:13292 - HIER_DIRECT/10.46.22.204 - which means the tunnel between the bootstrap (10.46.22.227) and OSP glance endpoint (10.46.22.204:13292) has been stablished. I've run additional comprobations by stopping the proxy server when the bootstrap VM is booting up, and got this messages from the VM: [ 9.708206] ignition[720]: GET https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file: attempt #1 [ 9.715040] ignition[720]: GET error: Get "https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file": proxyconnect tcp: dial tcp 10.46.22.225:3130: connect: connection refused [ 9.908533] ignition[720]: GET https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file: attempt #2 [ 9.915513] ignition[720]: GET error: Get "https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file": proxyconnect tcp: dial tcp 10.46.22.225:3130: connect: connection refused [ 10.316173] ignition[720]: GET https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file: attempt #3 [ 10.323627] ignition[720]: GET error: Get "https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file": proxyconnect tcp: dial tcp 10.46.22.225:3130: connect: connection refused [ 11.117828] ignition[720]: GET https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file: attempt #4 [ 11.124789] ignition[720]: GET error: Get "https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file": proxyconnect tcp: dial tcp 10.46.22.225:3130: connect: connection refused [ 12.719991] ignition[720]: GET https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file: attempt #5 [ 12.727253] ignition[720]: GET error: Get "https://10.46.22.204:13292//v2/images/77e6e802-4f64-4d5d-93fc-bc9a76c98768/file": proxyconnect tcp: dial tcp 10.46.22.225:3130: connect: connection refused which means 1. the GET request is towards OSP glance API (10.46.22.204), so it's transparent proxy 2. the proxy is correctly configured as it fails with the connection refused from the proxy (10.46.22.225)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.16 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2286