Bug 2046133 - [MAPO]IPI proxy installation failed
Summary: [MAPO]IPI proxy installation failed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Compute
Version: 4.10
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.11.0
Assignee: Pierre Prinetti
QA Contact: rlobillo
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-01-26 10:09 UTC by rlobillo
Modified: 2022-08-10 10:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: machine-api-provider-openstack did not honour the proxy environment variable directives.
Consequence: Installation behind an HTTP or HTTPS proxy would fail.
Fix: The HTTP transport logic of machine-api-provider-openstack now obeys proxy directives.
Result: machine-api-provider-openstack now works in a restricted environment where egress traffic is only allowed through a proxy.
Clone Of:
Environment:
Last Closed: 2022-08-10 10:43:43 UTC
Target Upstream Version:
Embargoed:


Attachments
must-gather (9.13 MB, application/gzip)
2022-01-26 10:09 UTC, rlobillo


Links
System ID Private Priority Status Summary Last Updated
Github openshift machine-api-provider-openstack pull 27 0 None open Bug 2046133: Set proxy settings on the provider client 2022-03-16 21:21:50 UTC
Red Hat Product Errata RHSA-2022:5069 0 None None None 2022-08-10 10:44:05 UTC

Description rlobillo 2022-01-26 10:09:07 UTC
Created attachment 1855484
must-gather

Description of problem:

IPI installation behind a proxy is failing. The same is working with legacy CAPO.

machine-controller container is not able to reach OSP API, presumably because it is not using the proxy:

E0126 09:23:04.150076       1 controller.go:317] controller/machine_controller "msg"="Reconciler error" "error"="Failed to authenticate provider client: Get \"https://10.46.44.10:13000/\": dial tcp 10.46.44.10:13000: connect: no route to host" "name"="ostest-lsz7t-master-2" "namespace"="openshift-machine-api"         

However, the proxy env values are set on the container:

$ oc rsh -n openshift-machine-api -c machine-controller machine-api-controllers-5cc999bcff-p9sb8
sh-4.4$ env | grep -i proxy
HTTP_PROXY=http://dummy:dummy@172.16.0.3:3128/
NO_PROXY=.cluster.local,.svc,10.128.0.0/14,127.0.0.1,169.254.169.254,172.16.0.0/24,172.30.0.0/16,api-int.ostest.shiftstack.com,localhost
HTTPS_PROXY=https://dummy:dummy@172.16.0.3:3130/
sh-4.4$ curl -k https://10.46.44.10:13000/
{"versions": {"values": [{"id": "v3.13", "status": "stable", "updated": "2019-07-19T00:00:00Z", "links": [{"rel": "self", "href": "https://10.46.44.10:13000/v3/"}], "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}]}]}}sh-4.4$ 

Version-Release number of selected component (if applicable): 4.10.0-0.nightly-2022-01-25-023600 & RHOS-16.1-RHEL-8-20210903.n.0

How reproducible: Always

Steps to Reproduce:
Install OCP cluster enabling TP features on an isolated network that can only access outside through a proxy.

$ oc get featureGate/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: FeatureGate
metadata:
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  creationTimestamp: "2022-01-26T08:40:47Z"
  generation: 1
  name: cluster
  resourceVersion: "959"
  uid: a9093152-16e9-4d3b-a4af-976f525e2f8c
spec:
  featureSet: TechPreviewNoUpgrade

$ oc get proxy/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2022-01-26T08:40:22Z"
  generation: 1
  name: cluster
  resourceVersion: "547"
  uid: 242cdf17-326c-4485-b32d-840df2e080e2
spec:
  httpProxy: http://dummy:dummy@172.16.0.3:3128/
  httpsProxy: https://dummy:dummy@172.16.0.3:3130/
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://dummy:dummy@172.16.0.3:3128/
  httpsProxy: https://dummy:dummy@172.16.0.3:3130/
  noProxy: .cluster.local,.svc,10.128.0.0/14,127.0.0.1,169.254.169.254,172.16.0.0/24,172.30.0.0/16,api-int.ostest.shiftstack.com,localhost


Actual results: Installation fails.
Expected results: Installation OK and cluster operative.


Additional info: must-gather and install-config.yaml attached
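
Added example, not part of the original report and not the provider's code: in Go's net/http, a hand-built `http.Transport` ignores `HTTPS_PROXY`/`NO_PROXY` unless its `Proxy` field is set, which matches the symptom above (curl in the same container reaches the OSP API, the controller dials it directly). The sketch uses the proxy values from the report; `proxyFor`, `compare` and the in-`NO_PROXY` target `172.30.0.1` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// proxyFor reports the proxy host:port a transport would use for rawURL,
// or "direct" when the transport would dial the target itself.
func proxyFor(tr *http.Transport, rawURL string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return "", err
	}
	if tr.Proxy == nil { // nil Proxy func: the environment is never consulted
		return "direct", nil
	}
	u, err := tr.Proxy(req)
	if err != nil {
		return "", err
	}
	if u == nil { // target matched NO_PROXY
		return "direct", nil
	}
	return u.Host, nil // host only, so proxy credentials never reach logs
}

// compare sets the proxy environment shown in the report and returns the route
// chosen by a bare transport and by one wired to http.ProxyFromEnvironment.
func compare(target string) (bare, envAware string, err error) {
	// net/http reads these once per process, so set them before first use.
	os.Setenv("HTTPS_PROXY", "https://dummy:dummy@172.16.0.3:3130/")
	os.Setenv("NO_PROXY", ".cluster.local,.svc,10.128.0.0/14,127.0.0.1,"+
		"169.254.169.254,172.16.0.0/24,172.30.0.0/16,"+
		"api-int.ostest.shiftstack.com,localhost")
	if bare, err = proxyFor(&http.Transport{}, target); err != nil {
		return
	}
	envAware, err = proxyFor(&http.Transport{Proxy: http.ProxyFromEnvironment}, target)
	return
}

func main() {
	for _, target := range []string{"https://10.46.44.10:13000/", "https://172.30.0.1:443/"} {
		bare, envAware, err := compare(target)
		fmt.Printf("%-28s bare=%s env-aware=%s err=%v\n", target, bare, envAware, err)
	}
}
```

The OSP endpoint is outside every `NO_PROXY` entry, so only the environment-aware transport routes it through `172.16.0.3:3130`; in-cluster addresses stay direct in both cases.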

Comment 5 Pierre Prinetti 2022-01-28 10:58:47 UTC
Setting blocker- because MAPO is not GA in 4.10.

Comment 8 rlobillo 2022-03-28 10:44:01 UTC
Verified on 4.11.0-0.nightly-2022-03-23-132952 on top of RHOS-16.2-RHEL-8-20220311.n.1.

IPI proxy installation with the 3 NetworkTypes worked OK on D/S CI.

Comment 9 rlobillo 2022-03-28 10:45:37 UTC
with featureGate enabling MAPO:

      apiVersion: config.openshift.io/v1
      kind: FeatureGate
      metadata:
        annotations:
          include.release.openshift.io/self-managed-high-availability: "true"
          include.release.openshift.io/single-node-developer: "true"
          release.openshift.io/create-only: "true"
        name: cluster
      spec:
        customNoUpgrade:
          enabled:
          - MachineAPIProviderOpenStack
        featureSet: CustomNoUpgrade

Comment 11 errata-xmlrpc 2022-08-10 10:43:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

