MG-66: Update egress proxy behaviour for support-log-gather operator #1903
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@praveencodes: This pull request references MG-66 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set. DetailsIn response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
|
||
| `mustgather.spec.proxyConfig` if set by the user in the CR, will be propagated as pod environment variables to the gather and upload containers of the Job. The configuration set in the resource is given precedence over the cluster-wide proxy settings set on the cluster through `configv1.Proxy` object. Due to the nature of SOCKS proxy protocol and the HTTP "CONNECT" verb in most proxy servers used with OpenShift, the upload process using SFTP's TCP can essentially make a CONNECT request over netcat and intercept to upload the mustgather bundle even when on a airgapped proxy setup. | ||
| The operator inherits cluster-wide proxy settings (typically propagated from the configv1.Proxy object via the operator's environment variables) and passes them to the upload container of the Job. The upload process uses an HTTP CONNECT proxy via netcat (nc --proxy-type http) as an SSH ProxyCommand, allowing SFTP traffic to tunnel through HTTP proxies commonly used in airgapped OpenShift environments. | ||
|
|
There was a problem hiding this comment.
Let's also mention that the cluster-wide proxy env vars are propagated/managed through OLM directly. If the user wishes to customise it, a cluster-admin can override the HTTP_PROXY, HTTPS_PROXY, NO_PROXY env vars through the OLM Subscription object.
There was a problem hiding this comment.
we should include that the trusted CA config map is copied from the operator to the operand namespace where MustGather CR is present. And, additionally discuss if it should add an ownerReference, given the copied config map will be created by the operator.
| ## Configuring egress proxy for Must Gather Operator | ||
|
|
||
| If a cluster wide egress proxy is configured on the OpenShift cluster, OLM automatically update all the operators' deployments with `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` environment variables. | ||
| Those variables are then propagated down to the must gather (operand) controllers by the must gather operator. | ||
|
|
||
| ### Trusted Certificate Authority | ||
|
|
||
| #### Running operator | ||
|
|
||
| Follow the instructions below to let Must Gather Operator trust a custom Certificate Authority (CA). The operator's OLM subscription has to be already created. |
There was a problem hiding this comment.
I don't think we need a doc-style instructions in here,
| ## Configuring egress proxy for Must Gather Operator | ||
|
|
||
| If a cluster wide egress proxy is configured on the OpenShift cluster, OLM automatically update all the operators' deployments with `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` environment variables. | ||
| Those variables are then propagated down to the must gather (operand) controllers by the must gather operator. |
There was a problem hiding this comment.
probably, a li'l confusing which "operand controllers" are being referred?
|
/retitle MG-66: Update egress proxy behaviour for support-log-gather operator |
openshift-ci
bot
changed the title
Added the configmap copying and ownerReference. |
|
|
||
| ### Trusted Certificate Authority | ||
|
|
||
| The operator supports custom Certificate Authority (CA) bundles for environments using proxy servers with TLS interception. When the `TRUSTED_CA_CONFIGMAP_NAME` environment variable is set on the operator deployment (via OLM Subscription or direct patch), the operator mounts the referenced ConfigMap containing the CA bundle at `/etc/pki/tls/certs/must-gather-tls-ca-bundle.crt`. This ConfigMap should be labeled with `config.openshift.io/inject-trusted-cabundle=true` to leverage OpenShift's [CA bundle injection](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki). |
There was a problem hiding this comment.
| The operator supports custom Certificate Authority (CA) bundles for environments using proxy servers with TLS interception. When the `TRUSTED_CA_CONFIGMAP_NAME` environment variable is set on the operator deployment (via OLM Subscription or direct patch), the operator mounts the referenced ConfigMap containing the CA bundle at `/etc/pki/tls/certs/must-gather-tls-ca-bundle.crt`. This ConfigMap should be labeled with `config.openshift.io/inject-trusted-cabundle=true` to leverage OpenShift's [CA bundle injection](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki). | |
| The operator supports custom Certificate Authority (CA) bundles for environments using proxy servers with TLS interception. When the `TRUSTED_CA_CONFIGMAP_NAME` environment variable is set on the operator deployment (via OLM Subscription or direct patch), the operator mounts the referenced ConfigMap containing the CA bundle at `/etc/pki/tls/certs/ca-bundle.crt`. This ConfigMap should be labeled with `config.openshift.io/inject-trusted-cabundle=true` to leverage OpenShift's [CA bundle injection](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki). |
Small nit, shouldn’t be blocking though.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: swghosh The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/assign @shivprakashmuley /cc @Prashanth684 / @TrilokGeer |
|
@swghosh: GitHub didn't allow me to request PR reviews from the following users: /. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/lgtm |
|
@praveencodes: This pull request references MG-66 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@praveencodes: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
4 participants
Removed the proxy config from CR and use the cluster-wide proxy env vars propagated through OLM. Added information on the support for Certificate Authority (CA) in the must gather operator.