
[release-4.17] LDAP communication going through HTTP(S) proxy


    • Moderate
    • Hypershift Sprint 258, Hypershift Sprint 259
    • 2
    • Approved
    • False
    • Previously, the Konnectivity proxy agent in a hosted cluster always sent all TCP traffic through the HTTP(S) proxy. It also ignored host names in the `NO_PROXY` configuration, because the traffic it received carried only resolved IP addresses, so host-name entries could never match. As a consequence, traffic that was not meant to be proxied, such as LDAP traffic, was proxied regardless of configuration. With this release, the proxying decision is made and carried out at the source (the control plane), and the Konnectivity agent's proxying configuration is removed. As a result, traffic that is not meant to be proxied, such as LDAP traffic, is no longer proxied, and `NO_PROXY` entries that contain host names are honored. (link:https://issues.redhat.com/browse/OCPBUGS-38637[*OCPBUGS-38637*])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-37052. The following is the description of the original issue:

      Description of problem:

      This is a follow-up to https://issues.redhat.com/browse/OCPBUGS-34996, in which comments led us to better understand the issue customers are facing.

      LDAP IDP traffic from the oauth pod seems to be going through the configured HTTP(S) proxy, while it should not due to it being a different protocol. This results in customers adding the LDAP endpoint to their no-proxy config to circumvent the issue.

      Version-Release number of selected component (if applicable):

      4.15.11

      How reproducible:

          

      Steps to Reproduce:

       (From the customer)
          1. Configure LDAP IDP
          2. Configure Proxy
          3. LDAP IDP communication from the control plane oauth pod goes through the proxy instead of going to the LDAP endpoint directly

      Actual results:

          LDAP IDP communication from the control plane oauth pod goes through the proxy

      Expected results:

          LDAP IDP communication from the control plane oauth pod should go to the LDAP endpoint directly using the LDAP protocol; it should not go through the proxy settings

      Additional info:

      For more information, see linked tickets.    
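As an added illustration, not the Konnectivity or HyperShift code, the following Go program models the `NO_PROXY` matching that this bug hinges on: a host-name entry can only match a host name, so a component that receives nothing but resolved IP addresses (the pre-fix Konnectivity agent) proxies LDAP traffic even when the LDAP host is listed in `NO_PROXY`, while the same decision taken where the host name is still known (the control plane, as after the fix) bypasses the proxy. The proxy URL, the LDAP host `ldap.corp.example`, the address `10.20.30.40` and the `resolve` stub are all constructed for the example; the matching rules follow the usual `NO_PROXY` conventions (exact host, leading-dot domain suffix, IP, CIDR, `*`) rather than any specific implementation.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Decision records where a connection would be sent.
type Decision string

const (
	Direct  Decision = "direct"  // straight to the target, bypassing the proxy
	Proxied Decision = "proxied" // through the configured HTTP(S) proxy
)

// parseNoProxy splits a NO_PROXY value into trimmed, lower-cased entries.
func parseNoProxy(noProxy string) []string {
	var entries []string
	for _, e := range strings.Split(noProxy, ",") {
		if e = strings.ToLower(strings.TrimSpace(e)); e != "" {
			entries = append(entries, e)
		}
	}
	return entries
}

// entryMatches reports whether one NO_PROXY entry covers host (a host name or a
// literal IP, port already stripped). CIDR and IP entries only ever match IPs;
// host-name entries only ever match host names, so they can never match a
// target that has already been resolved to an address.
func entryMatches(entry, host string) bool {
	if entry == "*" {
		return true
	}
	hostIP := net.ParseIP(host)
	if _, cidr, err := net.ParseCIDR(entry); err == nil {
		return hostIP != nil && cidr.Contains(hostIP)
	}
	if entryIP := net.ParseIP(entry); entryIP != nil {
		return hostIP != nil && hostIP.Equal(entryIP)
	}
	if hostIP != nil {
		return false // host-name entry against a bare IP: no match possible
	}
	domain := strings.TrimPrefix(entry, ".")
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Decide applies NO_PROXY to a host:port target when proxyURL is configured.
func Decide(target, proxyURL, noProxy string) (Decision, error) {
	if proxyURL == "" {
		return Direct, nil
	}
	host, _, err := net.SplitHostPort(target)
	if err != nil {
		return "", fmt.Errorf("target %q must be host:port: %w", target, err)
	}
	host = strings.ToLower(host)
	for _, entry := range parseNoProxy(noProxy) {
		if entryMatches(entry, host) {
			return Direct, nil
		}
	}
	return Proxied, nil
}

// AgentDecide models the pre-fix agent side: by the time the connection reached
// it, the destination host name had already been resolved, so the decision had
// to be made on the IP alone. resolve stands in for DNS (a stub in this example).
func AgentDecide(target, proxyURL, noProxy string, resolve func(string) string) (Decision, error) {
	host, port, err := net.SplitHostPort(target)
	if err != nil {
		return "", fmt.Errorf("target %q must be host:port: %w", target, err)
	}
	if net.ParseIP(host) == nil {
		host = resolve(host)
	}
	return Decide(net.JoinHostPort(host, port), proxyURL, noProxy)
}

func main() {
	// All names and addresses below are constructed for the example.
	const proxy = "http://proxy.corp.example:3128"
	const ldap = "ldap.corp.example:636"
	resolve := func(string) string { return "10.20.30.40" } // fake DNS answer for ldap.corp.example

	d, _ := Decide(ldap, proxy, "ldap.corp.example")
	fmt.Println("decided where the host name is known:", d) // direct
	d, _ = AgentDecide(ldap, proxy, "ldap.corp.example", resolve)
	fmt.Println("decided by the agent on the IP only:  ", d) // proxied: the reported bug
	d, _ = AgentDecide(ldap, proxy, "ldap.corp.example,10.20.30.0/24", resolve)
	fmt.Println("agent, with the IP range in NO_PROXY: ", d) // direct
}
```

The third call shows why listing the resolved address (or its range) in `NO_PROXY` works around the bug on the agent side, while the fix described in the release note is to make the decision at the control plane, where the host name is still available and the configured `NO_PROXY` host names can match.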

            Cesar Wong (cewong@redhat.com)
            OpenShift Prow Bot (openshift-crt-jira-prow)
            Jie Zhao
            Laura Hinson