Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-12699

Proxy settings in buildDefaults preserved in image

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • None
    • 4.11, 4.17
    • Build
    • None
    • Low
    • No
    • 3
    • Pipeline Integrations #240, Pipeline Integrations #241, Pipeline Integrations #242, Pipeline Integrations #243, Pipeline Integrations #3248, Pipeline Integrations #3249, Pipeline Integrations #3250, Builds Sprint #4, Builds Sprint #5
    • 9
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, if the developer or cluster admin used lowercase environment variable names for proxy information, these environment variables were carried into the build output container image. At runtime, the proxy settings were active and had to be unset. With this release, lowercase versions of the `*_PROXY` environment variables are prevented from leaking into built container images. Now, `buildDefaults` are only kept during the build and settings created for the build process only are removed before pushing the image in the registry. (link:https://issues.redhat.com/browse/OCPBUGS-12699[*OCPBUGS-12699*])
      Show
      * Previously, if the developer or cluster admin used lowercase environment variable names for proxy information, these environment variables were carried into the build output container image. At runtime, the proxy settings were active and had to be unset. With this release, lowercase versions of the `*_PROXY` environment variables are prevented from leaking into built container images. Now, `buildDefaults` are only kept during the build and settings created for the build process only are removed before pushing the image in the registry. (link: https://issues.redhat.com/browse/OCPBUGS-12699 [* OCPBUGS-12699 *])
    • Bug Fix
    • Done

      Description of problem:

      Proxy settings in buildDefaults preserved in image

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      I have a customer, so during builds their developers need proxy access.
      For this they have configured buildDefaults on thier cluster as described here:https://docs.openshift.com/container-platform/4.10/cicd/builds/build-configuration.html.
      The problem is that buildDefaults.defaultProxy sets the proxy environment variables in uppercase.
      Several RedHat S2I images use tools that depend on curl. curl only supports lower-case proxy environment variables. As such the defaultProxy settings are not taken into account.To workaround this "behavior defect", they have configured:
      - buildDefaults.env.http_proxy
      - buildDefaults.env.https_proxy
      - buildDefaults.env.no_proxy
      But the side effect is that the lowercase environment variables are preserved in the container image. So at runtime, the proxy settings are still active and they constantly have to support developers to unset them again (when using non-fqdn for example). This is causing frustration for them and thier developers.
      1. Why can't the buildDefaults.defaultProxy not be set in lower and uppercase proxy settings?2. Why are the buildDefaults.env preserved in the container image while buildDefaults.defaultProxy is correctly unset/removed from the container image. As the name implies, for us "buildDefaults" should only be kept during the build and settings should correctly be removed before pushing the image in the registry.Also have shared them the below KCS:
      https://access.redhat.com/solutions/1575513.
      But cu was not satisfied with that , and they responded with the following:
      The article does not provide a solution to the problem. It describes the same and gives a dirty workaround a developers will have to apply it on each individual buildconfig. This is not wanted.
      The fact that we set these envs using buildDefaults, is the same workaround. But still the core problem remains: the envs are preserved in the container image when using this workaround.
      This needs to be addressed by engineering so this is fixed properly. 

      Actual results:

       

      Expected results:

       

      Additional info:

       

              rh-ee-apjagtap Apoorva Jagtap
              rh-ee-sabiswas Sayan Biswas
              Sayan Biswas Sayan Biswas
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: