Bug
Resolution: Duplicate
Normal
None
4.16
None
False
Description of problem:
We're currently using Multicluster Engine Operator 2.6.4 to deploy hosted control plane clusters. When attempting to configure authentication we noticed timeouts when attempting to use our Azure AD external authentication.

It was discovered there's an option for the Konnectivity proxy pod attached to OAuth which bypasses proxy settings when attempting to connect to cloud sources such as Azure AD. The runtime option is --connect-directly-to-cloud-apis. The help for the konnectivity binary mentions this: "If true, bypass konnectivity to connect to cloud APIs while still honoring management proxy config."

We were able to successfully test running an additional proxy port on 8095 without this setting and everything default and were able to connect successfully.

/usr/bin/control-plane-operator konnectivity-https-proxy --serving-port=8095 --http-proxy http://xxxx --https-proxy http://xxxx --no-proxy xxxx

Using the same pod we're able to curl successfully to the Azure AD Login:

2025/02/06 19:46:39 [001] INFO: Accepting CONNECT to login.microsoftonline.com:443

A screenshot is provided for the successful connection from OAuth pod.

We need to validate if this option is critical for the platform to function or can it be removed, so we can test if our authentication will work?
Version-Release number of selected component (if applicable):
MCE 2.6.4
How reproducible:
Always
Steps to Reproduce:
1. Deploy HCP cluster via MCE
2. Have a cluster wide proxy configured
3.
Actual results:
timeouts
Expected results:
no timeout
Additional info:
Removing the option --connect-directly-to-cloud-apis doesn't timeout.
Main question is around leveraging OIDC auth for the hosted cluster while using a proxy.
- duplicates OCPBUGS-51296 Cluster fails to complete provisioning when using proxy with custom trust bundle (Closed)