  1. OpenShift Bugs
  2. OCPBUGS-38062

[release-4.16] LDAP communication going through HTTP(S) proxy


    • None
    • Hypershift Sprint 257, Hypershift Sprint 258, Hypershift Sprint 259
    • 3
    • False
    • *Cause*: Proxying for operators that run in the control plane of a HyperShift cluster is done via proxy settings on the konnectivity agent pod that runs in the data plane.
      *Consequence*: Because proxying occurs via the konnectivity agent, it is not possible to decide whether proxying is needed based on the application protocol. For parity with OCP, IdP communication via HTTP/HTTPS should be proxied, but LDAP communication should not be proxied. This type of proxying also ignores NO_PROXY entries that rely on host names, since by the time traffic reaches the konnectivity agent, only the destination IP is available.
      *Fix*: Change how the proxy is handled in hosted clusters to invoke the proxy in the control plane via konnectivity-https-proxy and konnectivity-socks5-proxy, and stop proxying traffic from the konnectivity agent.
      *Result*: Traffic destined for LDAP servers is no longer proxied. Other HTTP/HTTPS traffic is proxied correctly. The NO_PROXY setting is honored when host names are specified.
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-37052. The following is the description of the original issue:

      Description of problem:

      This is a follow-up of https://issues.redhat.com/browse/OCPBUGS-34996, in which comments led us to better understand the issue customers are facing.

      LDAP IDP traffic from the oauth pod seems to be going through the configured HTTP(S) proxy, while it should not, due to it being a different protocol. This results in customers adding the LDAP endpoint to their no-proxy config to circumvent the issue.

      Version-Release number of selected component (if applicable):

      4.15.11     

      How reproducible:

          

      Steps to Reproduce:

       (From the customer)   
          1. Configure LDAP IDP
          2. Configure Proxy
          3. LDAP IDP communication from the control plane oauth pod goes through the proxy instead of going to the LDAP endpoint directly
          

      Actual results:

          LDAP IDP communication from the control plane oauth pod goes through the proxy

      Expected results:

          LDAP IDP communication from the control plane oauth pod should go to the LDAP endpoint directly using the LDAP protocol; it should not go through the proxy settings

      Additional info:

      For more information, see linked tickets.    

            cewong@redhat.com Cesar Wong
            openshift-crt-jira-prow OpenShift Prow Bot
            Jie Zhao Jie Zhao
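
The Cause/Consequence text above turns on where the proxy decision is made. The following Go sketch is an added example, not HyperShift code: it contrasts a decision taken in the control plane (URL scheme and host name known) with one taken at the konnectivity agent (destination IP only). Function names, the simplified NO_PROXY matcher and all host names and addresses are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// matchesNoProxy is a simplified NO_PROXY matcher (not a real library's):
// host name or domain suffix, literal IP, or CIDR.
func matchesNoProxy(host string, noProxy []string) bool {
	ip, h := net.ParseIP(host), strings.ToLower(host)
	for _, e := range noProxy {
		e = strings.TrimPrefix(strings.ToLower(strings.TrimSpace(e)), ".")
		if _, cidr, err := net.ParseCIDR(e); err == nil {
			if ip != nil && cidr.Contains(ip) {
				return true
			}
		} else if e != "" && (h == e || strings.HasSuffix(h, "."+e)) {
			return true
		}
	}
	return false
}

// controlPlaneProxies decides where the request originates, while the URL
// scheme and host name are still known (hypothetical helper).
func controlPlaneProxies(rawURL string, noProxy []string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false // ldap/ldaps (or an unparseable URL): no HTTP(S) proxy
	}
	return !matchesNoProxy(u.Hostname(), noProxy)
}

// agentProxies decides at the far end of the tunnel, where only the
// destination IP is left: no scheme and no host name (hypothetical helper).
func agentProxies(destIP string, noProxy []string) bool {
	return !matchesNoProxy(destIP, noProxy)
}

func main() {
	noProxy := []string{".corp.example", "10.0.0.0/8"} // constructed values
	for _, u := range []string{"ldaps://ldap.corp.example:636", "https://idp.corp.example/", "https://idp.example.net/"} {
		fmt.Printf("control plane %-30s proxied=%v\n", u, controlPlaneProxies(u, noProxy))
	}
	fmt.Println("agent 192.0.2.10 proxied =", agentProxies("192.0.2.10", noProxy))
}
```

In the last line, 192.0.2.10 stands for the resolved address of a host under `.corp.example`: the agent-side decision proxies it because the host-name entry can no longer match.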