Bug 2003657 - (release-4.10) Cluster-wide proxy settings not picked up by insights operator.
Summary: (release-4.10) Cluster-wide proxy settings not picked up by insights operator.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Insights Operator
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.10.0
Assignee: Tomas Remes
QA Contact: Dmitry Misharov
URL:
Whiteboard:
Depends On: 1995937
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-09-13 11:59 UTC by Tomas Remes
Modified: 2021-10-05 07:24 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1995937
Environment:
Last Closed: 2021-10-05 07:24:35 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift insights-operator pull 495 0 None open Bug 2003657: Respect user defined proxy's CA cert 2021-09-13 12:26:31 UTC

Description Tomas Remes 2021-09-13 11:59:03 UTC
+++ This bug was initially created as a clone of Bug #1995937 +++

Description of problem:

Insights operator is in the state DEGRADED when there is a cluster-wide proxy configured. The below error messages can be seen in the pod logs.

~~~
The operator has some internal errors: Unable to report: unable to build request to connect to Insights server: Post "https://cloud.redhat.com/api/ingress/v1/upload": x509: certificate signed by unknown authority
~~~

Version-Release number of selected component (if applicable):
OCP 4.6

Actual results:
The insights operator becomes degraded.

Expected results:
Insights Operator to take the cluster-wide proxy CA into consideration.

Additional info:

When we make the Operator aware about the CA, by updating the CA explicitly, and then try curl --cacert /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt https://cloud.redhat.com from the Insights Operator pod it works. The insights operator also comes out of degraded state.

--- Additional comment from Tomas Remes on 2021-08-20 10:45:23 UTC ---

The Insights Operator uploads an archive to the ingress service url (mentioned above) and if the upload fails more than 5 times in a row then the operator is marked as degraded. Insights Operator doesn't ignore cluster-wide proxy settings. The settings is "injected" into the Insights Operator container via environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY). Probably the insights-operator is not adding the trustedCA (defined in the cluster proxy) to the root CAs when doing the request. This needs to be investigated and possibly fixed!

--- Additional comment from Tomas Remes on 2021-08-23 14:02:21 UTC ---

Sorry for the possibly recurring question, but can you @harsharm please confirm that this is basically a request to read and respect the CA (defined via "trustedCA" in cluster-wide proxy) in the Insights Operator? Maybe it would be also good to mention some workaround (if any).

--- Additional comment from  on 2021-08-24 09:56:09 UTC ---

Yes that is correct, when we make the Operator aware about the CA, by updating the CA explicitly, and then try curl --cacert /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt https://cloud.redhat.com from the Insights Operator pod it works. The insights operator also comes out of degraded state.

Comment 2 Dmitry Misharov 2021-10-05 07:24:35 UTC
Closed because it's not a bug https://bugzilla.redhat.com/show_bug.cgi?id=1995937#c4


Note You need to log in before you can comment on or make changes to this bug.