Bug 1771564: pkg/asset/manifests/proxy: Link trustedCA for transparent proxies

[wking]

Folks may want to configure additional CAs even in the absence of an explicitly-configured proxy (e.g. because they are using a transparent man-in-the-middle proxy). With this commit, we set the proxy config to point at the trusted CA bundle regardless of whether the httpProxy or httpsProxy properties were set.

This also opens us up to folks who want to set additional CAs for other purposes (e.g. connecting to a local registry) by leaning on the network-operator's injection tooling and the proxy config's cluster-scoped trustedCA property. That's cheating a bit, and for things like registry access there may be more appropriate operator-level configs that we could be setting. But the installer-level additionalTrustBundle isn't documented as proxy-specific, so I think we want to adjust the installer as we go to put the configured trust bundle in the appropriate place to get the cluster components to pick it up, and at the moment the proxy config is that place.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wking]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@wking: This pull request references Bugzilla bug 1771564, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bug 1771564: pkg/asset/manifests/proxy: Link trustedCA for transparent proxies

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[abhinavdahiya]

/hold

Folks may want to configure additional CAs even in the absence of an explicitly-configured proxy (e.g. because they are using a transparent man-in-the-middle proxy).

transparent and configuration are weird together.

This also opens us up to folks who want to set additional CAs for other purposes (e.g. connecting to a local registry) by leaning on the network-operator's injection tooling and the proxy config's cluster-scoped trustedCA property.

i don't like us hacking this, because this is only true for components that think they have to talk using proxy and there isn't a requirement that every one needs to do that yet.

[wking]

transparent and configuration are weird together.

Can you elaborate on this?

i don't like us hacking this, because this is only true for components that think they have to talk using proxy and there isn't a requirement that every one needs to do that yet.

Everyone that might need to go through a proxy is already required to respect the proxy's trustedCA, right? That seems like it covers most components hitting out-of-cluster endpoints. The only exception would be components that only hit cloud APIs that are known to never need proxying, right? I dunno how many of those there are...

And I think my "I think we want to adjust the installer as we go to put the configured trust bundle in the appropriate place to get the cluster components to pick it up, and at the moment the proxy config is that place." is sound. If you think "proxy config is not good enough", then we probably want installer logic to fatally error or at least warn if additionalTrustBundle is set but neither httpProxy nor httpsProxy are set, right?

[wking]

/retest

The CI-cluster thing that lead to all the system:anonymous errors was fixed with openshift/release#5875.

[sdodson]

I don't think we should do this. To me the Installer is doing what it should be. Other components should be responsible for populating the CA throughout the cluster whether or not a proxy is configured. To be discussed during group-g arch call on Thursday.

[iamemilio]

The installer should always propogate CA bundles to the components that need them. Whether or not this is a valid long term solution, we do need a short term solution.

[wking]

/retest

Still stuck on the same images job. Maybe the failure was cached? If so, cache should have expired by now.

[wking]

Better way to bump tests, I just rebased onto master with 5e174080c -> a55be4c :p.

[iamemilio]

/test e2e-openstack

test failed due to infra failure

[openshift-ci-robot]

@wking: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-scaleup-rhel7	a55be4c	link	/test e2e-aws-scaleup-rhel7
ci/prow/e2e-libvirt	a55be4c	link	/test e2e-libvirt

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[iamemilio]

/test e2e-openstack

[wking]

If we land this (and maybe even if we don't?), we'll want to also update logic like this CVO code that is currently only consuming trustedCA when httpsProxy is set.

[abhinavdahiya]

closing in favor of concensus from openshift/enhancements#115

/close

[openshift-ci-robot]

@abhinavdahiya: Closed this PR.

Details

In response to this:

closing in favor of concensus from openshift/enhancements#115

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.