Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-38058

[release-4.16] Hosted control planes: IDP communication through Konnectivity does not respect outgoing HTTP/s PROXY in DataPlane

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • 4.16.z
    • 4.14.z, 4.15.z, 4.17, 4.16.z
    • HyperShift
    • Critical
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, proxying for identity provider (IdP) communication occurred in the Konnectivity agent. By the time traffic reached Konnectivity, its protocol and hostname was no longer available. As a consequence, proxying was not done correctly for the OAUTH server pod. It did not distinguish between protocols that require proxying (`http` or `https`) and protocols that do not (LDAP). In addition, it did not honor the `no_proxy` variable that is configured in the `HostedCluster.spec.configuration.proxy` spec. With this release, you can configure the proxy on the Konnectivity sidecar of the OAUTH server so that traffic is routed appropriately, honoring your `no_proxy` settings. As a result, the OAUTH server can communicate properly with IdPs when a proxy is configured for the hosted cluster. (link:https://issues.redhat.com/browse/OCPBUGS-38058[*OCPBUGS-38058*])
      Show
      * Previously, proxying for identity provider (IdP) communication occurred in the Konnectivity agent. By the time traffic reached Konnectivity, its protocol and hostname was no longer available. As a consequence, proxying was not done correctly for the OAUTH server pod. It did not distinguish between protocols that require proxying (`http` or `https`) and protocols that do not (LDAP). In addition, it did not honor the `no_proxy` variable that is configured in the `HostedCluster.spec.configuration.proxy` spec. With this release, you can configure the proxy on the Konnectivity sidecar of the OAUTH server so that traffic is routed appropriately, honoring your `no_proxy` settings. As a result, the OAUTH server can communicate properly with IdPs when a proxy is configured for the hosted cluster. (link: https://issues.redhat.com/browse/OCPBUGS-38058 [* OCPBUGS-38058 *])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-36932. The following is the description of the original issue:

      Description of problem:

      Customer defines proxy in its HostedCluster resource definition. The variables are propagated to some pods but not to oauth one:

       oc describe pod kube-apiserver-5f5dbf78dc-8gfgs | grep PROX
            HTTP_PROXY:   http://ocpproxy.corp.example.com:8080
            HTTPS_PROXY:  http://ocpproxy.corp.example.com:8080
            NO_PROXY:     .....
      oc describe pod oauth-openshift-6d7b7c79f8-2cf99| grep PROX
            HTTP_PROXY:   socks5://127.0.0.1:8090
            HTTPS_PROXY:  socks5://127.0.0.1:8090
            ALL_PROXY:    socks5://127.0.0.1:8090
            NO_PROXY:     kube-apiserver

       

      apiVersion: hypershift.openshift.io/v1beta1
      kind: HostedCluster

      ...

      spec:
        autoscaling: {}
        clusterID: 9c8db607-b291-4a72-acc7-435ec23a72ea
        configuration:

         .....
          proxy:
            httpProxy: http://ocpproxy.corp.example.com:8080
            httpsProxy: http://ocpproxy.corp.example.com:8080

       

      Version-Release number of selected component (if applicable): 4.14
       

            cewong@redhat.com Cesar Wong
            openshift-crt-jira-prow OpenShift Prow Bot
            Jie Zhao Jie Zhao
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: