Description

OpenShift Installer supports HTTP Proxy configuration in a restricted environment. However, when the bootstrap node grabs ignition assets, the proxy configuration does not pass to the ignition configuration. https://github.com/openshift/installer/blob/55b897f28634ece17e1a761dd3cff79b1ad903aa/pkg/asset/ignition/bootstrap/bootstrap_ignition.go#L38

Impacts

No consistent proxy experience for users, especially in the public cloud. E.g. users have to set up a VPC S3 endpoint to get S3 ignition asset access because of this. https://docs.openshift.com/dedicated/networking/configuring-cluster-wide-proxy.html

Proposed Resolution

Installer config should pass the HTTP proxy to ignition configuration.

Platform: aws

Looks like the installer goes to S3 to fetch ignition configs in a proxy environment and does not use the proxy. I mean that seems very basic to me and broken functionality. I mean I don't know how a basic test would pass.

Given an AWS OpenShift install
When I configured HTTP Proxy for OpenShift installer
Then bootstrap Ignition should grab assets in S3 through the configured HTTP proxy
And not expect direct internet access to the assets.

I googled a little bit. Example: Similar issues were reported, and fixed for OpenStack specifically:
https://bugzilla.redhat.com/show_bug.cgi?id=1945236
https://github.com/openshift/installer/pull/4804
Installer Team: The CFE team will be working on this bugzilla - we have CFEPLAN-90 tracking progress.
Setting this as blocker - as there are clear workarounds.
@padillon what are the workarounds? where are they documented?
Can we get an update on this bug - is this being planned?
Andrew - we are currently working on this bug. The PR is ready and we are working on the e2e tests.
> @padillon what are the workarounds? where are they documented?

There are two workarounds:
1. User edits bootstrap ignition config to add proxy
2. User configures VPC as described in docs: https://docs.openshift.com/container-platform/4.10/installing/installing_aws/installing-aws-network-customizations.html#installation-configure-proxy_installing-aws-network-customizations

> Can we get an update on this bug - is this being planned

There is a PR open but it was not correctly linked. That should be corrected now but here is the link: https://github.com/openshift/installer/pull/5973
Verified. PASS.

OCP version: 4.12.0-0.nightly-2022-07-11-054352
Test scenarios: https://github.com/openshift/installer/pull/5973#issuecomment-1178510229

Note for UPI installation: When you provide the ignition file to the bootstrap instance, the s3-uri format (e.g. s3://yunjiang-11p2d-07111019/bootstrap_07111019.ign) does not work with the ignition proxy feature [1]. You can use the s3-presign format.

[1] https://coreos.github.io/ignition/configuration-v3_1
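The first workaround above (editing the bootstrap Ignition config to add a proxy), combined with the UPI note about s3:// sources, as an added example that is not part of this bug thread or of the installer's code. It assumes a pointer config using Ignition config spec 3.1.0 or later; the helper name `add_proxy`, the proxy host and the bucket name are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample pointer config of the kind passed to the bootstrap
# instance as user data; the bucket and object names are placeholders.
SAMPLE_POINTER = json.dumps({
    "ignition": {
        "version": "3.1.0",
        "config": {"replace": {"source": "s3://example-bucket/bootstrap.ign"}},
    }
})


def _spec_version(version):
    """'3.1.0' or '3.2.0-experimental' -> (3, 1) / (3, 2)."""
    return tuple(int(p) for p in version.split("-")[0].split(".")[:2])


def add_proxy(pointer_json, http_proxy, https_proxy=None, no_proxy=()):
    """Hypothetical helper: set ignition.proxy, return (json_text, warnings)."""
    cfg = json.loads(pointer_json)
    ign = cfg.setdefault("ignition", {})
    # The proxy section was introduced in config spec 3.1.0.
    if _spec_version(ign.get("version", "0.0")) < (3, 1):
        raise ValueError("ignition.proxy needs config spec 3.1.0 or later")
    proxy = {"httpProxy": http_proxy}
    if https_proxy:
        proxy["httpsProxy"] = https_proxy
    if no_proxy:
        proxy["noProxy"] = list(no_proxy)
    ign["proxy"] = proxy

    # Per the UPI note above, s3:// sources do not work with the proxy
    # feature, so flag them for replacement with a presigned URL.
    conf = ign.get("config", {})
    sources = [m.get("source") for m in conf.get("merge", [])]
    sources.append(conf.get("replace", {}).get("source"))
    warnings = [
        f"{src}: s3:// source does not work with the proxy; use a presigned URL"
        for src in sources
        if src and urlsplit(src).scheme == "s3"
    ]
    return json.dumps(cfg, indent=2), warnings


if __name__ == "__main__":
    text, notes = add_proxy(SAMPLE_POINTER, "http://proxy.example.com:3128",
                            no_proxy=["169.254.169.254"])
    print(text)
    print("\n".join(notes))
```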
After speaking with Patrick, confirmed that this issue does not require doc text (bug fix) in the 4.12 release notes. The 4.11 doc for AWS was updated to accurately reflect the options users now have when deploying to a restricted environment, which includes using a proxy without VPC endpoints. [1]

[1] https://docs.openshift.com/container-platform/4.11/installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.html#installation-custom-aws-vpc-requirements_installing-restricted-networks-aws-installer-provisioned
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399