Bug 2009629 - Allow adding additionalTrustBundle to proxy without specifying proxy settings during installation
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.9
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: aos-install
QA Contact: Gaoyun Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-01 05:39 UTC by Swapnil Dalela
Modified: 2021-10-05 20:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-05 17:40:16 UTC
Target Upstream Version:
Embargoed:



Description Swapnil Dalela 2021-10-01 05:39:53 UTC
Version:

4.9.0-rc.4 and earlier

What happened?

In proxy config, 'trustedCA' is not set when additional trust bundles are provided and proxy settings are not configured during installation. This causes issues when the cluster is using a transparent proxy which requires additional trust bundles to send requests outside the cluster.

The installation completes successfully and user-ca-bundle is created but the proxy object is never updated.

What did you expect to happen?

trustedCA parameter in proxy should be updated even if no proxy settings are applied.

How to reproduce it (as minimally and precisely as possible)?

In install-config.yaml just provide additionalTrustBundle without any proxy settings.

Anything else we need to know?

Opened bug in accordance with the conversation in Slack.

Comment 2 W. Trevor King 2021-10-01 23:06:58 UTC
(In reply to Swapnil Dalela from comment #0)
> trustedCA parameter in proxy should be updated even if no proxy settings are
> applied.
> 
> How to reproduce it (as minimally and precisely as possible)?
> 
> In install-config.yaml just provide additionalTrustBundle without any proxy
> settings.

I don't think this is quite right, see bug 1771564 and bug 2006013 asking folks to set something in the install-config proxy if they want additionalTrustBundle linked up to the Proxy's trustedCA.  The network operator is consuming trustedCA even when none of the other Proxy settings are set [1].  And the whole additionalTrustBundle vs. proxy thing has a long, sticky history [2,3,4,5].  One possible out for transparent proxies would be to set .proxy.noProxy (e.g. to '*', which is valid [6]), but not http(s)Proxy, in their install-config.  But to have that work, we'd need to drop the old installer validation in [7].

[1]: https://github.com/openshift/cluster-network-operator/blob/8586629d5a6eeb0961b6162718fee5fc5acb55bb/pkg/controller/proxyconfig/controller.go#L145-L148
[2]: https://github.com/openshift/installer/pull/2658#issuecomment-554517800
[3]: https://github.com/openshift/enhancements/pull/115#issuecomment-580966164
[4]: https://github.com/openshift/installer/pull/4082#issuecomment-678406894
[5]: https://github.com/openshift/installer/pull/5251#issuecomment-932622321
[6]: https://github.com/openshift/cluster-network-operator/blob/8586629d5a6eeb0961b6162718fee5fc5acb55bb/pkg/controller/proxyconfig/validation.go#L64
[7]: https://github.com/openshift/installer/blob/40373d2fbebcb79117b7fcf1bd92d6252630fdbe/pkg/types/validation/installconfig.go#L492-L494
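
The install-config combinations discussed in comments 0 and 2, as a pre-install lint. This is an added example, not code from the installer or from anyone in this thread; the function name, status strings and sample values are this example's own, and it assumes the install-config has already been parsed into a mapping (for instance with yaml.safe_load).

```python
def lint_trust_bundle(cfg):
    """Classify how additionalTrustBundle and proxy combine in a parsed
    install-config.yaml mapping.

    Returns one of: "no-bundle", "bundle-unlinked",
    "blocked-by-validation", "bundle-linked" (names chosen for this example).
    """
    bundle = (cfg.get("additionalTrustBundle") or "").strip()
    # Assumption: a missing or empty proxy stanza means "no proxy settings".
    proxy = cfg.get("proxy") or {}
    has_endpoint = bool(proxy.get("httpProxy") or proxy.get("httpsProxy"))

    if proxy.get("noProxy") and not has_endpoint:
        # Comment 2: noProxy without http(s)Proxy would need the installer
        # validation referenced as [7] to be dropped first.
        return "blocked-by-validation"
    if not bundle:
        return "no-bundle"
    if not has_endpoint:
        # Comment 0: user-ca-bundle is created, but the Proxy object's
        # trustedCA is never set.
        return "bundle-unlinked"
    # Comment 2: with proxy settings present, the bundle is linked to trustedCA.
    return "bundle-linked"


# Constructed sample inputs (placeholders, not taken from the bug).
PEM = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
SAMPLES = {
    "bundle only": {"additionalTrustBundle": PEM},
    "bundle + httpsProxy": {
        "additionalTrustBundle": PEM,
        "proxy": {"httpsProxy": "http://proxy.example.com:3128"},
    },
    "bundle + noProxy only": {
        "additionalTrustBundle": PEM,
        "proxy": {"noProxy": "*"},
    },
    "neither": {},
}


def lint_all(samples=SAMPLES):
    """Run the lint over every named sample and return {name: status}."""
    return {name: lint_trust_bundle(cfg) for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, status in lint_all().items():
        print(f"{name:24s} -> {status}")
```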

Comment 4 Matthew Staebler 2021-10-05 17:40:16 UTC
This is working as it is intended to work. If you would like to discuss alternative approaches to additional trust bundle, then this should be an RFE instead of a BZ.

Comment 5 W. Trevor King 2021-10-05 20:31:34 UTC
Moved to https://issues.redhat.com/browse/RFE-2181