- Bug
- Resolution: Not a Bug
- Undefined
- None
- 4.14
- None
- Quality / Stability / Reliability
- False
- 
- None
- Moderate
- No
- None
- None
- None
- Auth - Sprint 240, Auth - Sprint 241, Auth - Sprint 242
- 3
- None
- None
- None
- None
- None
- None
- None
Description of problem:
In some users' clusters with a cluster-wide proxy (see Additional info), the oauth route may be reachable from within the cluster both without the proxy and through it, and users may happen not to list the oauth route in noProxy. In that situation it is better for the proxy config check not to access the oauth route via the proxy at all, so that the check is not obtrusive at all, rather than only "less obtrusive" as expected in AUTH-363.
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-07-31-181848
How reproducible:
Always
Steps to Reproduce:
https://github.com/openshift/cluster-authentication-operator/pull/608/files currently checks `if !noProxyMatchesEndpoint && withProxy() != nil`.
Actual results:
Expected results:
Expected improvement for https://github.com/openshift/cluster-authentication-operator/pull/608/files: if noProxy does not match, it is better to check withoutProxy() first instead of withProxy(), because in some users' clusters with a cluster-wide proxy the oauth route may be reachable from within the cluster both without the proxy and through it, and users may happen not to list the oauth route in noProxy.
Additional info:
Here is an actual cluster from within where the oauth route is accessible without proxy as well as with proxy, and users happen to not set the oauth route in noProxy:
1. Successfully launch a 4.14 cluster of QE profile upi-on-baremetal/versioned-installer-openstack-https_proxy using Installer QE's Jenkins installer job.
2. Check the proxy. The Installer QE's Jenkins installer job sets the proxy as below; it uses trustedCA:
$ oc get proxy cluster -o yaml
spec:
  httpProxy: http://<user>:<password>@10.0.152.122:3128
  httpsProxy: https://<user>:<password>@10.0.152.122:3130
  noProxy: test.no-proxy.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://<user>:<password>@10.0.152.122:3128
  httpsProxy: https://<user>:<password>@10.0.152.122:3130
  noProxy: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.<cluster-name>.qe.devcluster.openshift.com,localhost,test.no-proxy.com
3. Check oauth route:
$ oc get route -n openshift-authentication
NAME              HOST/PORT                                                         PATH   SERVICES          PORT   TERMINATION            WILDCARD
oauth-openshift   oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com          oauth-openshift   6443   passthrough/Redirect   None
$ oc rsh -n openshift-authentication-operator authentication-operator-55dcfd854-rmpqm
sh-4.4# nslookup oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com
...
Non-authoritative answer:
Name:    oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com
Address: 10.0.176.195
4. Enter the authentication-operator pod and check whether connections to the oauth route succeed with the proxy and without it:
First, check the "with proxy" case; it succeeds:
$ oc rsh -n openshift-authentication-operator authentication-operator-55dcfd854-rmpqm
sh-4.4# env | grep -i proxy
HTTP_PROXY=http://<user>:<password>@10.0.152.122:3128
NO_PROXY=.cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.<cluster-name>.qe.devcluster.openshift.com,localhost,test.no-proxy.com
HTTPS_PROXY=https://<user>:<password>@10.0.152.122:3130
sh-4.4# curl -kv https://oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com/healthz
* Uses proxy env variable NO_PROXY == '.cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.<cluster-name>.qe.devcluster.openshift.com,localhost,test.no-proxy.com'
* Uses proxy env variable HTTPS_PROXY == 'https://<user>:<password>@10.0.152.122:3130'
*   Trying 10.0.152.122...
...
* Connected to 10.0.152.122 (10.0.152.122) port 3130 (#0)
...
* Proxy certificate:
*  subject: C=CN; ST=Beijing; L=Beijing; O=OCP; OU=Installer-QE; CN=10.0.152.122
...
* Establish HTTP proxy tunnel to oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com:443
...
> CONNECT oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com:443 HTTP/1.1
...
> Proxy-Connection: Keep-Alive
...
* Proxy replied 200 to CONNECT request
...
* Connection #0 to host 10.0.152.122 left intact
ok
Second, check the "without proxy" case; it also succeeds:
sh-4.4# unset HTTP_PROXY NO_PROXY HTTPS_PROXY
sh-4.4# curl -kv https://oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com/healthz
*   Trying 10.0.176.195...
* TCP_NODELAY set
* Connected to oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com (10.0.176.195) port 443 (#0)
...
* Connection #0 to host oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com left intact
ok
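As an added illustration (not the operator's code and not what PR 608 implements), the check order the report asks for, written in Go: a NO_PROXY matcher for lists shaped like the status.noProxy above, and a check that probes the route directly before ever going through the proxy. The two probe functions are stand-ins supplied by the caller; note that, like the curl run above, this matcher compares the literal route host, so the route's resolved IP falling inside 10.0.0.0/16 does not count as a noProxy match.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// noProxyMatches reports whether host is covered by a NO_PROXY list: a leading-dot entry
// matches any subdomain, a CIDR matches an IP literal, anything else must match exactly.
func noProxyMatches(host, noProxy string) bool {
	ip := net.ParseIP(host)
	for _, entry := range strings.Split(noProxy, ",") {
		entry = strings.TrimSpace(entry)
		switch {
		case strings.HasPrefix(entry, "."):
			if strings.HasSuffix(host, entry) || host == entry[1:] {
				return true
			}
		case strings.Contains(entry, "/"):
			if _, cidr, err := net.ParseCIDR(entry); err == nil && ip != nil && cidr.Contains(ip) {
				return true
			}
		case host == entry:
			return true
		}
	}
	return false
}

// checkOrder is the order the report proposes: a noProxy match needs no probe at all;
// otherwise probe directly first and use the proxy only if the direct probe fails.
func checkOrder(host, noProxy string, withoutProxy, withProxy func() error) (string, error) {
	if noProxyMatches(host, noProxy) {
		return "noProxy", nil
	}
	if withoutProxy() == nil {
		return "direct", nil
	}
	return "proxy", withProxy()
}

func main() {
	// Constructed sample: a noProxy list like the report's and a route that is not in it.
	noProxy := ".cluster.local,.svc,10.0.0.0/16,127.0.0.1,localhost,test.no-proxy.com"
	direct := func() error { return nil }                         // route is reachable directly
	proxied := func() error { return errors.New("proxy probed") } // runs only if direct fails
	fmt.Println(checkOrder("oauth-openshift.apps.example.com", noProxy, direct, proxied))
}
```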