OpenShift Bugs / OCPBUGS-43570

[enterprise-4.14+] Issue in file networking/enable-cluster-wide-proxy.adoc


    • Quality / Stability / Reliability
    • Important
    • OSDOCS Sprint 267, OSDOCS Sprint 268

      Description of problem:

       The proxy configuration documentation states that we can insert under `noProxy` the values of domain names, IP addresses and network CIDRs.
      
      
      ~~~
      A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying. Preface a domain with . to match subdomains only. For example, .y.com matches x.y.com, but not y.com. Use * to bypass proxy for all destinations. If you scale up workers that are not included in the network defined by the networking.machineNetwork[].cidr field from the installation configuration, you must add them to this list to prevent connection issues. This field is ignored if neither the httpProxy or httpsProxy fields are set.
      ~~~
      
      The `noProxy` rules, in reality, are not specified here to clarify that we need to explicitly create/add entries for `.apps.<cluster>.<domain>` and `api.<cluster>.<domain>`. The reason for this is that `noProxy` does not wait for DNS resolution to return an IP address on lookup. In reality, the IP addresses or CIDRs listed are ONLY referenced by `noProxy` if the client is calling those IP addresses directly (meaning we won't wait for DNS to respond with the IP of `*.apps`; it will just assume that the address should be proxied and route it accordingly).
      
      Read more here:
      https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/
      ~~~
      The same holds true for CIDR blocks, such as 18.240.0.1/24. CIDR blocks only work when the request is directly made to an IP address. Only Go and Ruby allow CIDR blocks. Unlike other implementations, Go even automatically disables the use of a proxy if it detects a loopback IP address.
      ~~~
      
      
      As a result, we should add to our docs pages that explicit entries for `.apps.<cluster>.<domain>` and `api.<cluster>.<domain>` should be specified to ensure that we can route appropriately. Including the IP address of the load balancer for these addresses, or its CIDR block, is not sufficient, as we will not wait for resolution before declaring these addresses as unroutable (assuming the proxy blocks internal call forwarding).
      
      See more in case: 03961596
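As an added example (not code from the bug report, from OpenShift, or from the linked blog post), the Go program below models the `noProxy` matching rule the report describes (the host string is compared as written and never resolved, so a CIDR entry can only match a request that was dialled by IP literal) and cross-checks that model against Go's own `net/http` proxy selection. The proxy URL, the cluster name `mycluster.example.com` and the load balancer address `10.0.0.5` are hypothetical values constructed for the example; `bypassesProxy`, `goStdlibProxies` and the `noProxy*` constants are names introduced here.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
)

// Constructed scenario (hypothetical names, not from the bug report): the
// cluster API and the ingress wildcard both resolve to a load balancer
// inside 10.0.0.0/24, and 10.0.0.5 is that load balancer's address.
const (
	proxyURL = "http://proxy.example.internal:3128"
	apiURL   = "https://api.mycluster.example.com:6443/healthz"
	appsURL  = "https://console-openshift-console.apps.mycluster.example.com/"
	lbIPURL  = "https://10.0.0.5:6443/healthz" // same load balancer, dialled by IP literal
	localURL = "http://127.0.0.1:8080/metrics"

	// The two noProxy settings under comparison.
	noProxyCIDROnly = "10.0.0.0/24"
	noProxyExplicit = "10.0.0.0/24,.apps.mycluster.example.com,api.mycluster.example.com"
)

// bypassesProxy models the matching the report describes: the host is taken
// from the URL as written and never resolved, so a CIDR entry can only match
// a request whose host is already an IP literal. Domain entries follow the
// documented rule (a leading dot matches subdomains only); as in Go, loopback
// addresses and "localhost" are never proxied.
func bypassesProxy(noProxy, target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	host := u.Hostname()
	ip := net.ParseIP(host)
	if host == "localhost" || (ip != nil && ip.IsLoopback()) {
		return true
	}
	for _, entry := range strings.Split(noProxy, ",") {
		entry = strings.TrimSpace(entry)
		switch {
		case entry == "":
			continue
		case entry == "*":
			return true
		case strings.Contains(entry, "/"):
			// CIDR: only meaningful when the client dialled an IP literal.
			_, cidr, err := net.ParseCIDR(entry)
			if err == nil && ip != nil && cidr.Contains(ip) {
				return true
			}
		case strings.HasPrefix(entry, "."):
			// ".y.com" matches x.y.com but not y.com.
			if strings.HasSuffix(host, entry) {
				return true
			}
		default:
			// "y.com" matches y.com itself and its subdomains; an IP entry
			// matches only that exact IP literal.
			if host == entry || strings.HasSuffix(host, "."+entry) {
				return true
			}
		}
	}
	return false
}

var envOnce sync.Once

// goStdlibProxies reports whether Go's own net/http would send target through
// the proxy with NO_PROXY set to noProxyCIDROnly. net/http reads the proxy
// environment once per process, so this cross-check is fixed to that one
// configuration (the one the report says is insufficient).
func goStdlibProxies(target string) bool {
	envOnce.Do(func() {
		os.Setenv("HTTP_PROXY", proxyURL)
		os.Setenv("HTTPS_PROXY", proxyURL)
		os.Setenv("NO_PROXY", noProxyCIDROnly)
	})
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	p, err := http.ProxyFromEnvironment(&http.Request{URL: u})
	return err == nil && p != nil
}

func main() {
	fmt.Printf("%-68s %-10s %-10s %s\n", "target", "cidr-only", "explicit", "net/http (cidr-only)")
	for _, t := range []string{apiURL, appsURL, lbIPURL, localURL} {
		fmt.Printf("%-68s %-10t %-10t proxied=%t\n", t,
			bypassesProxy(noProxyCIDROnly, t), bypassesProxy(noProxyExplicit, t), goStdlibProxies(t))
	}
}
```

With only the CIDR in `noProxy`, both the API hostname and the `*.apps` hostname are sent to the proxy even though they resolve to an address inside that CIDR; only the request that was dialled as `10.0.0.5` bypasses it. Adding the explicit `.apps.<cluster>.<domain>` and `api.<cluster>.<domain>` entries is what makes the hostnames bypass. The `net/http` cross-check runs with the CIDR-only setting because Go reads the proxy environment once per process; the same program could not be used to check both settings in one run.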

       

      Version-Release number of selected component (if applicable):

          4.14+ (currently supported versions of OpenShift and ongoing)

      How reproducible:

          Always

      Steps to Reproduce:

          1. Docs bug update; data is missing, but the context is that if you add an IP CIDR entry only for the address that encapsulates *.apps.<cluster>.<domain>, it is not sufficient, and openshift-ingress-operator (and others) will fail to connect to the LB or router pods/VIP hosting on OpenShift, because it will never wait for DNS to return the IP before assigning the route connection rule that the request must go out through the proxy.
          2. Calls fail / cluster degraded.

      Actual results:

          

      Expected results:

          

      Additional info:

      Feel free to reach out for more data/specifics on the docs update, but the overview is that we need to be explicit in the docs about which entries are accepted in noProxy.

              rhn-support-jdohmann Jesse Dohmann
              rhn-support-wrussell Will Russell
              Hongan Li Hongan Li