OpenShift Bugs: OCPBUGS-36932

Hosted control planes: IDP communication through Konnectivity does not respect outgoing HTTP/s PROXY in DataPlane


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 4.14.z, 4.15.z, 4.17, 4.16.z
    • Component/s: HyperShift
    • Critical
    • No
    • Sprint: Hypershift Sprint 258, Hypershift Sprint 259
    • 2
    • Proposed
    • False
    • Release Note Text:
      *Cause*: Proxying for IDP communication was happening in the konnectivity agent. By the time traffic reaches konnectivity, its protocol and hostname are no longer available.
      *Consequence*: Proxying is not done correctly for the oauth server pod. It should distinguish between protocols that require proxying (http/s) and protocols that do not (ldap://). In addition, it should honor the no_proxy variable configured in HostedCluster.spec.configuration.proxy.
      *Fix*: Configure the proxy on the konnectivity sidecar of the oauth server so that traffic is routed appropriately, honoring any no_proxy setting that is configured.
      *Result*: The oauth server communicates properly with identity providers when a proxy is configured for the hosted cluster.
    • Release Note Type: Bug Fix
    • Status: In Progress

      Description of problem:

      The customer defines a proxy in the HostedCluster resource definition. The proxy variables are propagated to some pods (for example kube-apiserver) but not to the oauth pod, which instead only sees the local konnectivity SOCKS5 proxy:

      oc describe pod kube-apiserver-5f5dbf78dc-8gfgs | grep PROX
            HTTP_PROXY:   http://ocpproxy.corp.example.com:8080
            HTTPS_PROXY:  http://ocpproxy.corp.example.com:8080
            NO_PROXY:     .....
      oc describe pod oauth-openshift-6d7b7c79f8-2cf99 | grep PROX
            HTTP_PROXY:   socks5://127.0.0.1:8090
            HTTPS_PROXY:  socks5://127.0.0.1:8090
            ALL_PROXY:    socks5://127.0.0.1:8090
            NO_PROXY:     kube-apiserver

      apiVersion: hypershift.openshift.io/v1beta1
      kind: HostedCluster

      ...

      spec:
        autoscaling: {}
        clusterID: 9c8db607-b291-4a72-acc7-435ec23a72ea
        configuration:

         .....
          proxy:
            httpProxy: http://ocpproxy.corp.example.com:8080
            httpsProxy: http://ocpproxy.corp.example.com:8080

      Version-Release number of selected component (if applicable): 4.14
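As an added example, not HyperShift's own code, this is the routing rule the fix describes: an http or https identity-provider target goes through the HostedCluster proxy unless its host matches no_proxy, while ldap:// (or any other non-HTTP scheme) connects directly. The ProxyConfig type, ProxyFor and matchesNoProxy are hypothetical names, and the sample values are constructed from the report.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ProxyConfig mirrors HostedCluster.spec.configuration.proxy (hypothetical type for this example, not the HyperShift API struct).
type ProxyConfig struct {
	HTTPProxy, HTTPSProxy string
	NoProxy               string // comma-separated hostnames, ".domain" suffixes, IPs or CIDRs
}

// matchesNoProxy reports whether host is excluded from proxying by a no_proxy entry.
func matchesNoProxy(host, noProxy string) bool {
	ip := net.ParseIP(host)
	for _, e := range strings.Split(strings.ToLower(noProxy), ",") {
		e = strings.TrimSpace(e)
		_, cidr, cidrErr := net.ParseCIDR(e)
		if e == "*" || e == host || (strings.HasPrefix(e, ".") && (strings.HasSuffix(host, e) || host == e[1:])) ||
			(cidrErr == nil && ip != nil && cidr.Contains(ip)) {
			return true
		}
	}
	return false
}

// ProxyFor returns the proxy an IDP request to target must go through, or "" for a direct connection.
// Only http and https can be carried by the cluster HTTP proxy; ldap(s):// always connects directly.
func ProxyFor(cfg ProxyConfig, target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	proxy := map[string]string{"http": cfg.HTTPProxy, "https": cfg.HTTPSProxy}[u.Scheme]
	if proxy == "" || matchesNoProxy(strings.ToLower(u.Hostname()), cfg.NoProxy) {
		return "", nil // non-HTTP scheme or an excluded host: bypass the proxy
	}
	return proxy, nil
}

func main() { // constructed sample mirroring the proxy values in the report
	cfg := ProxyConfig{HTTPProxy: "http://ocpproxy.corp.example.com:8080", HTTPSProxy: "http://ocpproxy.corp.example.com:8080", NoProxy: ".corp.example.com,10.0.0.0/8"}
	for _, t := range []string{"https://sso.example.com/auth", "https://idp.corp.example.com", "ldap://ldap.corp.example.com:389"} {
		p, _ := ProxyFor(cfg, t)
		fmt.Printf("%-36s -> %q\n", t, p)
	}
}
```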
       

      People: Cesar Wong (cewong@redhat.com), Jie Zhao