
[release-4.14] Hosted control planes: IDP communication through Konnectivity does not respect outgoing HTTP/s PROXY in DataPlane


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.14.z
    • 4.14.z, 4.15.z, 4.17, 4.16.z
    • HyperShift
    • Critical
    • No
    • Rejected
    • False
    • Release note text:
      * Previously, proxying for IDP communication occurred in the Konnectivity agent. By the time traffic reached Konnectivity, its protocol and hostname were no longer available. Consequently, proxying was not done correctly for the OAUTH server pod. It did not distinguish between protocols that require proxying (HTTP or HTTPS) and protocols that do not (LDAP). In addition, it did not honor the `no_proxy` variable that is configured in the `HostedCluster.spec.configuration.proxy` spec.
      +
      With this release, you can configure the proxy on the Konnectivity sidecar of the OAUTH server so that traffic is routed appropriately, honoring your `no_proxy` settings. As a result, the OAUTH server can communicate properly with identity providers when a proxy is configured for the hosted cluster. (link:https://issues.redhat.com/browse/OCPBUGS-38060[*OCPBUGS-38060*])
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-38059. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-36932. The following is the description of the original issue:

      Description of problem:

      Customer defines a proxy in its HostedCluster resource definition. The variables are propagated to some pods but not to the oauth one:

      oc describe pod kube-apiserver-5f5dbf78dc-8gfgs | grep PROX
            HTTP_PROXY:   http://ocpproxy.corp.example.com:8080
            HTTPS_PROXY:  http://ocpproxy.corp.example.com:8080
            NO_PROXY:     .....
      oc describe pod oauth-openshift-6d7b7c79f8-2cf99 | grep PROX
            HTTP_PROXY:   socks5://127.0.0.1:8090
            HTTPS_PROXY:  socks5://127.0.0.1:8090
            ALL_PROXY:    socks5://127.0.0.1:8090
            NO_PROXY:     kube-apiserver


      apiVersion: hypershift.openshift.io/v1beta1
      kind: HostedCluster

      ...

      spec:
        autoscaling: {}
        clusterID: 9c8db607-b291-4a72-acc7-435ec23a72ea
        configuration:

         .....
          proxy:
            httpProxy: http://ocpproxy.corp.example.com:8080
            httpsProxy: http://ocpproxy.corp.example.com:8080


      Version-Release number of selected component (if applicable): 4.14
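The release note above describes the per-connection decision the fix restores: HTTP and HTTPS identity-provider traffic goes through the proxy from `HostedCluster.spec.configuration.proxy`, LDAP is never proxied, and `no_proxy` entries are honored. The Go program below is an added example written for this page, not HyperShift's or the OAuth server's own code. It models that decision over a constructed `ProxyConfig` struct (a stand-in for the HostedCluster proxy fields, not the real API type), reuses the proxy host shown in the description, and pairs it with a constructed `no_proxy` list; the function names and the `no_proxy` matching rules (exact host, `.domain` suffix, CIDR for IP literals) are assumptions of the example, and the CIDR handling goes beyond what the page itself mentions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ProxyConfig is a constructed stand-in for the proxy fields of
// HostedCluster.spec.configuration.proxy; it is not the HyperShift API type.
type ProxyConfig struct {
	HTTPProxy  string // used for http:// targets
	HTTPSProxy string // used for https:// targets
	NoProxy    string // comma-separated hosts, ".domain" suffixes and CIDRs
}

// matchesNoProxy reports whether host is covered by any no_proxy entry.
// The matching rules are an assumption of this example: exact host, domain
// suffix (with or without a leading dot), CIDR for IP literals, or "*".
func matchesNoProxy(host, noProxy string) bool {
	h := strings.ToLower(host)
	ip := net.ParseIP(h)
	for _, entry := range strings.Split(noProxy, ",") {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if entry == "" {
			continue
		}
		if entry == "*" {
			return true
		}
		// CIDR entries only ever match IP literals, never hostnames.
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if ip != nil && cidr.Contains(ip) {
				return true
			}
			continue
		}
		domain := strings.TrimPrefix(entry, ".")
		if h == domain || strings.HasSuffix(h, "."+domain) {
			return true
		}
	}
	return false
}

// ProxyFor returns the proxy URL to use for target, or "" when the
// connection must be made directly. Only http and https are proxy-capable;
// ldap/ldaps and any other scheme always go direct, as the release note says.
func ProxyFor(cfg ProxyConfig, target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	var proxy string
	switch strings.ToLower(u.Scheme) {
	case "http":
		proxy = cfg.HTTPProxy
	case "https":
		proxy = cfg.HTTPSProxy
	default:
		return "", nil
	}
	if proxy == "" || matchesNoProxy(u.Hostname(), cfg.NoProxy) {
		return "", nil
	}
	return proxy, nil
}

func main() {
	// Proxy host taken from the bug description; the no_proxy list is constructed.
	cfg := ProxyConfig{
		HTTPProxy:  "http://ocpproxy.corp.example.com:8080",
		HTTPSProxy: "http://ocpproxy.corp.example.com:8080",
		NoProxy:    "kube-apiserver,.internal.example.com,10.0.0.0/8",
	}
	for _, target := range []string{
		"https://login.example.org/oauth2/token", // external OIDC IDP: proxied
		"https://sso.internal.example.com/",     // no_proxy domain: direct
		"ldap://ldap.corp.example.com:389",      // LDAP: never proxied
		"http://10.1.2.3:8080/",                 // no_proxy CIDR: direct
		"https://kube-apiserver:6443/",          // no_proxy host: direct
	} {
		p, err := ProxyFor(cfg, target)
		if err != nil {
			fmt.Println(target, "error:", err)
			continue
		}
		if p == "" {
			p = "direct"
		}
		fmt.Printf("%-42s -> %s\n", target, p)
	}
}
```

The decision has to be made where the scheme and hostname are still known, which is the point of the release note: once the connection has been wrapped into the Konnectivity tunnel that information is gone, so the same logic applied at the agent cannot tell LDAP from HTTPS or apply `no_proxy` by hostname.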

      cewong@redhat.com Cesar Wong
      openshift-crt-jira-prow OpenShift Prow Bot
      Jie Zhao Jie Zhao