  2. OCPBUGS-36932

Hosted control planes: IDP communication through Konnectivity does not respect outgoing HTTP/s PROXY in DataPlane


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Affects Version/s: 4.14.z, 4.15.z, 4.17, 4.16.z
    • Component/s: HyperShift
    • Severity: Critical
    • Sprint: Hypershift Sprint 258, Hypershift Sprint 259
    • Release Note Text: Previously, proxying for IDP communication occurred in the Konnectivity agent. By the time traffic reached Konnectivity, its protocol and hostname were no longer available. As a consequence, proxying was not done correctly for the OAuth server pod: it did not distinguish between protocols that require proxying (http/s) and protocols that do not (ldap://), and it did not honor the `no_proxy` value configured in `HostedCluster.spec.configuration.proxy`. With this release, you can configure the proxy on the Konnectivity sidecar of the OAuth server so that traffic is routed appropriately and your `no_proxy` settings are honored. As a result, the OAuth server can communicate with identity providers when a proxy is configured for the hosted cluster. (link:https://issues.redhat.com/browse/OCPBUGS-36932[*OCPBUGS-36932*])
    • Release Note Type: Bug Fix
    • Status: Done

      Description of problem:

      Customer defines a proxy in its HostedCluster resource definition. The variables are propagated to some pods but not to the oauth one:

        oc describe pod kube-apiserver-5f5dbf78dc-8gfgs | grep PROX
            HTTP_PROXY:   http://ocpproxy.corp.example.com:8080
            HTTPS_PROXY:  http://ocpproxy.corp.example.com:8080
            NO_PROXY:     .....
        oc describe pod oauth-openshift-6d7b7c79f8-2cf99 | grep PROX
            HTTP_PROXY:   socks5://127.0.0.1:8090
            HTTPS_PROXY:  socks5://127.0.0.1:8090
            ALL_PROXY:    socks5://127.0.0.1:8090
            NO_PROXY:     kube-apiserver


      apiVersion: hypershift.openshift.io/v1beta1
      kind: HostedCluster

      ...

      spec:
        autoscaling: {}
        clusterID: 9c8db607-b291-4a72-acc7-435ec23a72ea
        configuration:

         .....
          proxy:
            httpProxy: http://ocpproxy.corp.example.com:8080
            httpsProxy: http://ocpproxy.corp.example.com:8080


      Version-Release number of selected component (if applicable): 4.14
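      The routing decision the release note describes, written out as an added example (this is not code from HyperShift or from this bug report). Given the hosted cluster's httpProxy/httpsProxy/noProxy values and an IDP URL, only http and https destinations are candidates for the HTTP proxy, ldap:// and other non-HTTP protocols go direct, and any host matched by noProxy goes direct. The ProxyConfig struct, the noProxy list and the IDP URLs are constructed for this example; the proxy address is the one from the report above.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ProxyConfig is a stand-in for the httpProxy/httpsProxy/noProxy fields of
// HostedCluster.spec.configuration.proxy. It is defined for this example and
// is not the HyperShift API type.
type ProxyConfig struct {
	HTTPProxy  string
	HTTPSProxy string
	NoProxy    string
}

// ProxyFor returns the proxy URL to use for a connection to idpURL, or ""
// when the connection must go direct. This is the decision that can only be
// made while the scheme and hostname are still known, i.e. before the
// request is tunneled through Konnectivity.
func ProxyFor(cfg ProxyConfig, idpURL string) (string, error) {
	u, err := url.Parse(idpURL)
	if err != nil {
		return "", err
	}
	var proxy string
	switch strings.ToLower(u.Scheme) {
	case "http":
		proxy = cfg.HTTPProxy
	case "https":
		proxy = cfg.HTTPSProxy
	default:
		// ldap://, ldaps:// and any other non-HTTP protocol are never
		// sent through an HTTP proxy.
		return "", nil
	}
	if proxy == "" || inNoProxy(u.Hostname(), cfg.NoProxy) {
		return "", nil
	}
	return proxy, nil
}

// inNoProxy reports whether host matches an entry of a comma-separated
// no_proxy list using the usual conventions: "*" matches everything, a CIDR
// matches IP hosts inside it, an IP matches itself, and a domain name (with
// or without a leading ".") matches that name and its subdomains.
func inNoProxy(host, noProxy string) bool {
	host = strings.ToLower(host)
	ip := net.ParseIP(host)
	for _, raw := range strings.Split(noProxy, ",") {
		entry := strings.ToLower(strings.TrimSpace(raw))
		if entry == "" {
			continue
		}
		if entry == "*" {
			return true
		}
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if ip != nil && cidr.Contains(ip) {
				return true
			}
			continue
		}
		if ip != nil {
			// An IP host only matches an identical IP entry.
			if entry == host {
				return true
			}
			continue
		}
		entry = strings.TrimPrefix(entry, ".")
		if host == entry || strings.HasSuffix(host, "."+entry) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configuration; the proxy address is the one from the report.
	cfg := ProxyConfig{
		HTTPProxy:  "http://ocpproxy.corp.example.com:8080",
		HTTPSProxy: "http://ocpproxy.corp.example.com:8080",
		NoProxy:    "kube-apiserver,.cluster.local,10.0.0.0/8",
	}
	for _, idp := range []string{
		"https://keycloak.example.org/realms/ocp", // proxied
		"ldap://ldap.corp.example.com:389",        // direct: not HTTP
		"https://idp.internal.cluster.local",      // direct: no_proxy domain
		"http://10.1.2.3:8080/auth",               // direct: no_proxy CIDR
	} {
		p, err := ProxyFor(cfg, idp)
		switch {
		case err != nil:
			fmt.Println(idp, "error:", err)
		case p == "":
			fmt.Println(idp, "-> direct")
		default:
			fmt.Println(idp, "-> via", p)
		}
	}
}
```

      Compare this with the env seen on the oauth pod in the report: HTTP_PROXY, HTTPS_PROXY and ALL_PROXY all point at the local socks5 sidecar and NO_PROXY is only kube-apiserver, so every IDP connection (including ldap://) was handed to the sidecar, which by then had no scheme left to decide on and never saw the cluster's no_proxy list.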

            Cesar Wong (cewong@redhat.com)
            Jie Zhao
            Laura Hinson