Bug 2090836 - Bootstrap node should honor http proxy
Summary: Bootstrap node should honor http proxy
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.11
Hardware: All
OS: Unspecified
Target Milestone: ---
: 4.12.0
Assignee: Nobody
QA Contact: Yunfei Jiang
Depends On:
Blocks: 2104727
TreeView+ depends on / blocked
Reported: 2022-05-26 16:31 UTC by Heather Heffner
Modified: 2023-01-17 19:49 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2023-01-17 19:49:26 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift installer pull 5973 0 None open Bug 2090836: Fixes CFE-489 - AWS installer should go through proxy for s3 bootstrap ignition call 2022-07-06 08:38:10 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:49:41 UTC

Description Heather Heffner 2022-05-26 16:31:26 UTC

Openshift Installer supports HTTP Proxy configuration in a restricted environment. However, when the bootstrap node grabs ignition assets. The proxy configuration does not pass to the ignition configuration.  https://github.com/openshift/installer/blob/55b897f28634ece17e1a761dd3cff79b1ad903aa/pkg/asset/ignition/bootstrap/bootstrap_ignition.go#L38. 



No consistent proxy experience for users especially in the public cloud. E.g. users have to set up a VPC S3 endpoint to get S3 ignition asset access because of this. 


Proposed Resolution

Installer config should pass the http proxy to ignition configuration.

#Please specify the platform type: aws

Looks like the installer goes to S3 to fetch ignition configs in a proxy environment and does not use the proxy. I mean that seems very basic to me and broken functionality. I mean I don't know how a basic test would pass. 

Given An AWS Openshift Install
When I Configured HTTP Proxy for Openshift installer
Then bootstrap Ignition should grab assets in S3 through the configured HTTP proxy
And Not expect direct internet access to the assets.

I googled a little bit.

Example: Similar issues were reported, and fixed for openstack specifically


Comment 1 Heather Heffner 2022-05-26 16:38:10 UTC
Installer Team: The CFE team will be working on this bugzilla - we have CFEPLAN-90 tracking progress.

Comment 2 Patrick Dillon 2022-06-02 01:42:56 UTC
Setting this as blocker - as there are clear workarounds.

Comment 3 Tushar Katarki 2022-06-08 20:29:39 UTC
@padillon what are the workarounds? where are they documented?

Comment 4 Andrew Cathrow 2022-06-23 14:22:50 UTC
Can we get an update on this bug - is this being planned

Comment 5 Heather Heffner 2022-06-23 14:30:13 UTC
Andrew - we are currently working on this bug the PR is ready and we are working on the e2e tests.

Comment 6 Patrick Dillon 2022-06-24 00:59:26 UTC
> @padillon what are the workarounds? where are they documented?

There are two workarounds:

1. User edits bootstrap ignition config to add proxy

2. User configures vpc as described in docs: 

> Can we get an update on this bug - is this being planned

There is a PR open but it was not correctly linked. That should be corrected now but here is the link:

Comment 9 Yunfei Jiang 2022-07-12 05:43:30 UTC
verified. PASS.
OCP version: 4.12.0-0.nightly-2022-07-11-054352

Test scenarios: https://github.com/openshift/installer/pull/5973#issuecomment-1178510229

Note for UPI installation:
When you provide ignition file to bootstrap instance, s3-uri format (e.g. s3://yunjiang-11p2d-07111019/bootstrap_07111019.ign) does not works with ignition proxy feature [1]. You can use s3-presign format.

[1] https://coreos.github.io/ignition/configuration-v3_1

Comment 12 Mike Pytlak 2022-12-12 19:47:56 UTC
After speaking with Patrick, confirmed that this issue does not require doc text (bug fix) in the 4.12 release notes. The 4.11 doc for AWS was updated to accurately reflect the options user now have when deploying to a restricted environment, which includes using a proxy without VPC endpoints.

[1] https://docs.openshift.com/container-platform/4.11/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.html#installation-custom-aws-vpc-requirements_installing-restricted-networks-aws-installer-provisioned

Comment 14 errata-xmlrpc 2023-01-17 19:49:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.