Description
The goal of this story is to add tests to our existing e2e proxy job to ensure that external requests from Windows nodes are
- properly routed through the cluster-wide proxy by default (HTTP_PROXY, HTTPS_PROXY)
- NOT routed through the cluster-wide proxy if the endpoint is specified in NO_PROXY
Engineering Details
One way to do this is to ensure that a WMCO-managed service routes its egress traffic through the proxy, e.g. containerd pulling an image. We would want to look at the squid service logs on our vSphere bastion host and ensure that we see the container image pull requests (like the nanoserver image we already pull from Microsoft's repository). They should show up as something like this:
// in proxy server logs
[10178.262225] bash[1482]: 1698265697.026 47 10.0.14.42 TCP_TUNNEL/200 6046 CONNECT mcr.microsoft.com:443 - HIER_DIRECT/204.79.197.219 -
Acceptance Criteria
e2e subtests are added to our proxy test suite, vsphere-proxy-e2e-operator:
- The first should validate that requests from Windows nodes are routed through the cluster-wide proxy by default
- The second should validate that requests are NOT routed through the cluster-wide proxy if the endpoint is specified in NO_PROXY
This must be validated both for requests going through Windows CMD and through PowerShell, as we have seen differences in how each respects the proxy env vars.
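An added example (not code from WMCO or its e2e suite) of the log assertion both subtests need: given squid access log text already fetched from the bastion host, it returns the result codes of requests a given node IP made to a given host. The function names, the second and third log lines, and the `example.test` hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleLog: first line is the page's example entry; the others are constructed.
const sampleLog = `[10178.262225] bash[1482]: 1698265697.026 47 10.0.14.42 TCP_TUNNEL/200 6046 CONNECT mcr.microsoft.com:443 - HIER_DIRECT/204.79.197.219 -
[10179.100000] bash[1482]: 1698265698.100 12 10.0.14.99 TCP_TUNNEL/200 512 CONNECT internal.example.test:443 - HIER_DIRECT/192.0.2.10 -
[10180.200000] bash[1482]: 1698265699.200 30 10.0.14.42 TCP_MISS/200 900 GET http://mirror.example.test/index.html - HIER_DIRECT/192.0.2.20 text/html`

// proxyHits returns the Squid result codes (e.g. "TCP_TUNNEL/200") of every
// logged request from nodeIP to host. Empty means no such request hit the proxy.
func proxyHits(log, nodeIP, host string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		// Native format: time elapsed client code/status bytes method URL ...
		// A syslog-style prefix may precede it, so locate the code/status field.
		for i := 1; i+3 < len(f); i++ {
			if strings.HasPrefix(f[i], "TCP_") && strings.Contains(f[i], "/") {
				if f[i-1] == nodeIP && strings.EqualFold(targetHost(f[i+2], f[i+3]), host) {
					hits = append(hits, f[i])
				}
				break
			}
		}
	}
	return hits
}

// targetHost extracts the hostname from a CONNECT "host:port" or an HTTP URL.
func targetHost(method, target string) string {
	if method == "CONNECT" {
		target = "//" + target // make "host:port" parse as a URL authority
	}
	u, err := url.Parse(target)
	if err != nil {
		return ""
	}
	return u.Hostname()
}

func main() {
	fmt.Println(proxyHits(sampleLog, "10.0.14.42", "mcr.microsoft.com"))     // default: proxied
	fmt.Println(proxyHits(sampleLog, "10.0.14.42", "internal.example.test")) // NO_PROXY: none
}
```

The host comparison is exact rather than a substring match, so an entry for a different host that merely contains the expected name does not satisfy the check.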
- is caused by: WINC-1151 Validate node egress traffic goes through proxy (Closed)
- relates to: OCPBUGS-28637 [node-proxy] powershell proxy http/https request bypass proxy settings (Closed)