OpenShift Installer supports HTTP Proxy configuration in a restricted environment. However, when the bootstrap node grabs ignition assets, the proxy configuration does not pass to the ignition configuration. https://github.com/openshift/installer/blob/55b897f28634ece17e1a761dd3cff79b1ad903aa/pkg/asset/ignition/bootstrap/bootstrap_ignition.go#L38.
No consistent proxy experience for users especially in the public cloud. E.g. users have to set up a VPC S3 endpoint to get S3 ignition asset access because of this.
Installer config should pass the http proxy to ignition configuration.
#Please specify the platform type: aws
Looks like the installer goes to S3 to fetch ignition configs in a proxy environment and does not use the proxy. I mean that seems very basic to me and broken functionality. I mean I don't know how a basic test would pass.
Given An AWS Openshift Install
When I Configured HTTP Proxy for Openshift installer
Then bootstrap Ignition should grab assets in S3 through the configured HTTP proxy
And Not expect direct internet access to the assets.
I googled a little bit.
Example: Similar issues were reported, and fixed for openstack specifically
Installer Team: The CFE team will be working on this bugzilla - we have CFEPLAN-90 tracking progress.
Setting this as blocker - as there are clear workarounds.
@padillon what are the workarounds? where are they documented?
Can we get an update on this bug - is this being planned?
Andrew - we are currently working on this bug; the PR is ready and we are working on the e2e tests.
> @padillon what are the workarounds? where are they documented?
There are two workarounds:
1. User edits bootstrap ignition config to add proxy
2. User configures vpc as described in docs:
> Can we get an update on this bug - is this being planned?
There is a PR open but it was not correctly linked. That should be corrected now but here is the link:
OCP version: 4.12.0-0.nightly-2022-07-11-054352
Test scenarios: https://github.com/openshift/installer/pull/5973#issuecomment-1178510229
Note for UPI installation:
When you provide an ignition file to the bootstrap instance, the s3-uri format (e.g. s3://yunjiang-11p2d-07111019/bootstrap_07111019.ign) does not work with the ignition proxy feature. You can use the s3-presign format.
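Workaround 1 above (editing the bootstrap ignition config to add the proxy) together with the UPI note on s3:// URIs, as an added example that is not part of the original bug report or the installer's code. It assumes an Ignition config spec 3.1.0 or later pointer config; the helper name `add_proxy`, the bucket, and the proxy host are constructed placeholders.

```python
import copy
from urllib.parse import urlsplit

MIN_PROXY_SPEC = (3, 1, 0)  # ignition.proxy exists from config spec 3.1.0 onward


def add_proxy(pointer, http_proxy, https_proxy, no_proxy=()):
    """Return (patched_config, warnings); the input dict is left unmodified."""
    cfg = copy.deepcopy(pointer)
    ign = cfg.setdefault("ignition", {})
    raw = ign.get("version", "0.0.0")
    version = tuple(int(p) for p in raw.split("-")[0].split("."))
    if version < MIN_PROXY_SPEC:
        raise ValueError(f"config spec {raw} has no ignition.proxy field")
    ign["proxy"] = {
        "httpProxy": http_proxy,
        "httpsProxy": https_proxy,
        "noProxy": list(no_proxy),
    }
    # Check every remote config reference the bootstrap node will fetch.
    conf = ign.get("config", {})
    refs = [conf.get("replace") or {}] + list(conf.get("merge") or [])
    warnings = []
    for ref in refs:
        src = ref.get("source") or ""
        if urlsplit(src).scheme == "s3":
            # Per the UPI note: s3:// URIs do not work with the proxy feature.
            warnings.append(f"{src}: s3:// URI does not work with the proxy "
                            "setting; use a presigned URL")
    return cfg, warnings


# Constructed sample pointer config (bucket name is a placeholder).
SAMPLE_POINTER = {
    "ignition": {
        "version": "3.2.0",
        "config": {"replace": {"source": "s3://example-bucket/bootstrap.ign"}},
    }
}

if __name__ == "__main__":
    import json
    patched, notes = add_proxy(SAMPLE_POINTER, "http://proxy.example.com:3128",
                               "http://proxy.example.com:3128", ["169.254.169.254"])
    print(json.dumps(patched, indent=2))
    for note in notes:
        print("WARNING:", note)
```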
After speaking with Patrick, confirmed that this issue does not require doc text (bug fix) in the 4.12 release notes. The 4.11 doc for AWS was updated to accurately reflect the options users now have when deploying to a restricted environment, which includes using a proxy without VPC endpoints.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.