-
Bug
-
Resolution: Done-Errata
-
Major
-
4.16.0, 4.17.0
This is a clone of issue OCPBUGS-35197. The following is the description of the original issue:
—
Description of problem:
The issue is found when QE testing the minimal Firewall list required by an AWS installation (https://docs.openshift.com/container-platform/4.15/installing/install_config/configuring-firewall.html) for 4.16. The way we're verifying this is by setting all the URLs listed in the doc into the whitelist of a proxy server[1], adding the proxy to install-config.yaml, so addresses outside of the doc will be rejected by the proxy server during cluster installation. [1]https://steps.ci.openshift.org/chain/proxy-whitelist-aws We're seeing such error from Masters' console ``` [ 344.982244] ignition[782]: GET https://api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623/config/master: attempt #73 [ 344.985074] ignition[782]: GET error: Get "https://api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623/config/master": Forbidden ``` And the deny log from proxy server ``` 1717653185.468 0 10.0.85.91 TCP_DENIED/403 2252 CONNECT api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com:22623 - HIER_NONE/- text/html ``` So looks Master is using proxy to visit the MCS address, and the Internal API domain - api-int.ci-op-b2hcg02h-ce587.qe.devcluster.openshift.com is not in the whitelist of proxy, so the request is denied by proxy. But actually such Internal API address should be already in the NoProxy list, so master shouldn't use proxy to send the internal request. This is a proxy info collected from another cluster, the api-int.<cluter_domain> is added in the no proxy list by default. ``` [root@ip-10-0-11-89 ~]# cat /etc/profile.d/proxy.sh export HTTP_PROXY="http://ec2-3-16-83-95.us-east-2.compute.amazonaws.com:3128" export HTTPS_PROXY="http://ec2-3-16-83-95.us-east-2.compute.amazonaws.com:3128" export NO_PROXY=".cluster.local,.svc,.us-east-2.compute.internal,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.gpei-dis3.qe.devcluster.openshift.com,localhost,test.no-proxy.com" ```
Version-Release number of selected component (if applicable):
registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-06-02-202327
How reproducible:
Steps to Reproduce:
1. 2. 3.
Actual results:
Expected results:
Additional info:
- clones
-
OCPBUGS-35197 [capi aws]Master is fetching ignition from the bootstrap MCS through proxy incorrectly
- Closed
- is blocked by
-
OCPBUGS-35197 [capi aws]Master is fetching ignition from the bootstrap MCS through proxy incorrectly
- Closed
- links to
-
RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update