Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-35197

[capi aws]Master is fetching ignition from the bootstrap MCS through proxy incorrectly

XMLWordPrintable

    • Important
    • No
    • Approved
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required
    • Done

      Description of problem:

      The issue is found when QE testing the minimal Firewall list required by an AWS installation
      (https://docs.openshift.com/container-platform/4.15/installing/install_config/configuring-firewall.html) for 4.16. The way we're verifying this is by setting all the URLs listed in the doc into the whitelist of a proxy server[1], adding the proxy to install-config.yaml, so addresses outside of the doc will be rejected by the proxy server during cluster installation. 
      [1]https://steps.ci.openshift.org/chain/proxy-whitelist-aws
      
      We're seeing such error from Masters' console
      ``` 
      [  344.982244] ignition[782]: GET https://api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623/config/master: attempt #73
      [  344.985074] ignition[782]: GET error: Get "https://api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623/config/master": Forbidden
      ```
      
      And the deny log from proxy server 
      ```
      1717653185.468   0 10.0.85.91 TCP_DENIED/403 2252 CONNECT api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623 - HIER_NONE/- text/html
      
      ```
      So looks Master is using proxy to visit the MCS address, and the Internal API domain - api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com  is not in the whitelist of proxy, so the request is denied by proxy. But actually such Internal API address should be already in the NoProxy list, so master shouldn't use proxy to send the internal request. 
      
      This is a proxy info collected from another cluster, the api-int.<cluter_domain> is added in the no proxy list by default. 
      ```
      [root@ip-10-0-11-89 ~]# cat /etc/profile.d/proxy.sh 
      export HTTP_PROXY="http://ec2-3-16-83-95.us-east-2.compute.amazonaws.com:3128"
      export HTTPS_PROXY="http://ec2-3-16-83-95.us-east-2.compute.amazonaws.com:3128"
      export NO_PROXY=".cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-dis3.qe.devcluster.openshift.com,localhost,test.no-proxy.com" 
      ```
      
      
      

      Version-Release number of selected component (if applicable):

      registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-06-02-202327
      
      

      How reproducible:

      
      

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      
      

      Expected results:

      
      

      Additional info:

      
      

            rdossant Rafael Fonseca dos Santos
            rh-ee-gpei Gaoyun Pei
            Gaoyun Pei Gaoyun Pei
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: