Bug 1995937 - Cluster-wide proxy settings not picked up by insights operator.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Insights Operator
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Remes
QA Contact: Dmitry Misharov
URL:
Whiteboard:
Depends On:
Blocks: 2003657
Reported: 2021-08-20 08:55 UTC by harsharm
Modified: 2024-12-20 20:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2003657
Environment:
Last Closed: 2021-10-04 09:56:22 UTC
Target Upstream Version:
Embargoed:

Description harsharm 2021-08-20 08:55:08 UTC
Description of problem:

Insights operator is in the state DEGRADED when there is a cluster-wide proxy configured. The below error messages can be seen in the pod logs.

~~~
The operator has some internal errors: Unable to report: unable to build request to connect to Insights server: Post "https://cloud.redhat.com/api/ingress/v1/upload": x509: certificate signed by unknown authority
~~~

Version-Release number of selected component (if applicable):
OCP 4.6

Actual results:
The insights operator becomes degraded.

Expected results:
Insights Operator to take the cluster-wide proxy CA into consideration.

Additional info:

When we make the Operator aware of the CA, by updating the CA explicitly, and then try curl --cacert /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt https://cloud.redhat.com from the Insights Operator pod, it works. The insights operator also comes out of degraded state.

Comment 1 Tomas Remes 2021-08-20 10:45:23 UTC
The Insights Operator uploads an archive to the ingress service URL (mentioned above) and if the upload fails more than 5 times in a row then the operator is marked as degraded. Insights Operator doesn't ignore cluster-wide proxy settings. The settings are "injected" into the Insights Operator container via environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY). Probably the insights-operator is not adding the trustedCA (defined in the cluster proxy) to the root CAs when doing the request. This needs to be investigated and possibly fixed!

Comment 2 Tomas Remes 2021-08-23 14:02:21 UTC
Sorry for the possibly recurring question, but can you @harsharm please confirm that this is basically a request to read and respect the CA (defined via "trustedCA" in cluster-wide proxy) in the Insights Operator? Maybe it would also be good to mention some workaround (if any).

Comment 3 harsharm 2021-08-24 09:56:09 UTC
Yes, that is correct. When we make the Operator aware of the CA, by updating the CA explicitly, and then try curl --cacert /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt https://cloud.redhat.com from the Insights Operator pod, it works. The insights operator also comes out of degraded state.

Comment 4 Tomas Remes 2021-10-04 09:56:22 UTC
I can't reproduce this problem. Note that the Insights operator always looks at the data in the corresponding config map, which also contains the user-defined CA cert, and thus the certificate should be respected. See https://github.com/openshift/insights-operator/blob/master/pkg/insights/insightsclient/insightsclient.go#L106
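
The mechanism discussed in this thread (proxy taken from HTTP_PROXY/HTTPS_PROXY/NO_PROXY, with the trusted CA bundle added to the root CAs) can be sketched in Go as follows. This is an added example, not part of the bug report and not the Insights Operator's own code: `NewClient` and `Demo` are hypothetical names, and a local self-signed test server stands in for an endpoint whose certificate chains to a CA outside the system store.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewClient (hypothetical) trusts the system roots plus bundlePEM, the content
// of a CA bundle file, and takes its proxy from HTTP_PROXY/HTTPS_PROXY/NO_PROXY.
func NewClient(bundlePEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system store: trust the bundle only
	}
	if !pool.AppendCertsFromPEM(bundlePEM) {
		return nil, fmt.Errorf("trusted CA bundle contains no certificates")
	}
	return &http.Client{Transport: &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}, nil
}

// Demo starts a local self-signed TLS server (constructed for this example)
// and returns the GET error without and with its certificate in the bundle.
func Demo() (without, with error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	_, without = http.Get(srv.URL) // default client: system roots only
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := NewClient(bundle)
	if err != nil {
		return without, err
	}
	resp, with := client.Get(srv.URL)
	if with == nil {
		resp.Body.Close()
	}
	return without, with
}

func main() { fmt.Println(Demo()) }
```

The first request fails certificate verification because only the system roots are consulted; the second succeeds once the bundle is part of `RootCAs`.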