Bug
Resolution: Not a Bug
Major
4.14
Quality / Stability / Reliability
False
Low
No
Rejected
Auth - Sprint 240, Auth - Sprint 241, Auth - Sprint 242, Auth - Sprint 243
4
Description of problem:
For an http_proxy cluster (as opposed to an https_proxy cluster), the proxy config check need not be triggered when configmaps change.
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-07-31-181848
How reproducible:
Always
Steps to Reproduce:
1. Successfully launch a 4.14 http_proxy cluster using Installer QE's Jenkins installer job with installer template ipi-on-aws/versioned-installer-customer_vpc-http_proxy-ci. The proxy is shown as below:

```
$ oc get proxy cluster -o yaml
...
spec:
  httpProxy: http://<user>:<password>@ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com:3128
  httpsProxy: http://<user>:<password>@ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com:3128
  noProxy: test.no-proxy.com
  trustedCA:
    name: ""
status:
  httpProxy: http://<user>:<password>@ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com:3128
  httpsProxy: http://<user>:<password>@ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com:3128
  noProxy: .cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.<cluster-name>.qe.devcluster.openshift.com,localhost
```

2. Manually run `oc edit proxy cluster` to add the oauth route to noProxy:

```
...
spec:
  ...
  noProxy: test.no-proxy.com,oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com
...
```

3. Wait 15 mins for cluster components to roll out.

4. In a terminal A, watch the proxy server's logs:

```
# tail -f /var/log/squid/access.log | grep 'CONNECT oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com'
```

In another terminal B, run:

```
$ date; oc label cm/trusted-ca-bundle -n openshift-authentication-operator test6=abcd
Tue Aug 1 09:50:41 UTC 2023
configmap/trusted-ca-bundle labeled
$ date; oc label cm/default-ingress-cert -n openshift-config-managed test7=abcd
Tue Aug 1 09:51:07 UTC 2023
configmap/default-ingress-cert labeled
```
Actual results:
In step 4 terminal A, the `tail -f` command shows:

```
# tail -f /srv/squid/log/access.log | grep 'CONNECT oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com'
1690883448.918 6 10.0.52.212 TCP_TUNNEL/200 3379 CONNECT oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com:443 <proxy user> HIER_DIRECT/18.219.206.4 -
1690883473.147 10 10.0.52.212 TCP_TUNNEL/200 3379 CONNECT oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com:443 <proxy user> HIER_DIRECT/18.219.206.4 -
```

Convert the timestamps:

```
# date --date=@1690883448.918
Tue Aug 1 09:50:48 UTC 2023
# date --date=@1690883473.147
Tue Aug 1 09:51:13 UTC 2023
```

They are immediately after the timestamps of terminal B. That is, terminal B's configmap changes trigger the proxy config check.
Expected results:
However, the proxy `httpsProxy: http://<user>:<password>@ec2-xx-xx-xx-xx.us-east-2.compute.amazonaws.com:3128` is http instead of https, and the proxy's trustedCA name is blank. For such an http proxy, as opposed to an https proxy, certificates are not cared about. So, the proxy config check should ignore changes to the related certificate CA configmaps, to be less obtrusive.
Additional info:
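The timestamp comparison done by hand above can be scripted. The following is an added example, not part of the original report or of any OpenShift component: it parses the two Squid `access.log` entries quoted in the report and reports which oauth-route `CONNECT` requests follow each configmap change. The 30-second window, the function names and the third log line are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Squid native access.log: time elapsed client result/status bytes method target ...
SQUID_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+\S+\s+\S+/\d+\s+\d+\s+(\S+)\s+(\S+)")

# Lines 1-2 are the entries quoted in the report; line 3 is constructed
# (unrelated destination) to show that other proxy traffic is ignored.
ACCESS_LOG = """\
1690883448.918 6 10.0.52.212 TCP_TUNNEL/200 3379 CONNECT oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com:443 <proxy user> HIER_DIRECT/18.219.206.4 -
1690883473.147 10 10.0.52.212 TCP_TUNNEL/200 3379 CONNECT oauth-openshift.apps.<cluster-name>.qe.devcluster.openshift.com:443 <proxy user> HIER_DIRECT/18.219.206.4 -
1690883460.000 8 10.0.52.212 TCP_TUNNEL/200 5120 CONNECT registry.example.test:443 <proxy user> HIER_DIRECT/192.0.2.10 -
"""

# `date` output printed in terminal B just before each `oc label` command.
CHANGES = [
    ("cm/trusted-ca-bundle", "Tue Aug 1 09:50:41 UTC 2023"),
    ("cm/default-ingress-cert", "Tue Aug 1 09:51:07 UTC 2023"),
]

def parse_date_output(text):
    """Parse UTC `date` output (C locale) into a timezone-aware datetime."""
    naive = datetime.strptime(text, "%a %b %d %H:%M:%S UTC %Y")
    return naive.replace(tzinfo=timezone.utc)

def oauth_connects(log_text, host_prefix="oauth-openshift.apps."):
    """Return UTC datetimes of CONNECT requests to the oauth route."""
    hits = []
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if m and m.group(2) == "CONNECT" and m.group(3).startswith(host_prefix):
            hits.append(datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc))
    return hits

def correlate(changes, connects, window_s=30):
    """Map each change to the delays (s) of CONNECTs within window_s after it."""
    result = {}
    for name, stamp in changes:
        t0 = parse_date_output(stamp)
        delays = [round((c - t0).total_seconds(), 3) for c in connects]
        result[name] = [d for d in delays if 0 <= d <= window_s]  # window is an assumption
    return result

if __name__ == "__main__":
    for name, delays in correlate(CHANGES, oauth_connects(ACCESS_LOG)).items():
        print(name, delays)
```
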