Unable to connect to AWS ECR if proxy is set within Octopus and outbound traffic is restricted

[OctoStu]

Are you a customer of Octopus Deploy? Don't raise the issue here. Please contact our support team so we can triage your issue, making sure it's handled appropriately.

Prerequisites

• I have verified the problem exists in the latest version
• I have searched open and closed issues to make sure it isn't already reported
• I have written a descriptive issue title
• I have linked the original source of this report
• I have tagged the issue appropriately (area/*, kind/bug, tag/regression?)

The bug

Unable to connect to an AWS ECR if outbound traffic is blocked on the network and proxy details are set within Octopus.

What I expected to happen

If the proxy settings are entered, it should be able to connect to AWS ECR

Steps to reproduce

Haven't reproduced

Screen capture

N/A

Log excerpt

Unhandled error on request: POST http://xxxxxx:9999/api/Spaces-1/feeds 1d46bda86aff411085e9dd219d46edc8 by xxx, xxx /External : Unable to retrieve AWS Authorization token:

    One or more errors occurred. (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.) System.Security.Authentication.AuthenticationException: Unable to retrieve AWS Authorization token:

    One or more errors occurred. (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.)

   at Octopus.Core.Packages.AwsElasticContainerRegistry.AwsElasticContainerRegistryCredentials.GetAuthorizationData(String accessKey, SensitiveString secretKey, String region) in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Core\Packages\AwsElasticContainerRegistry\AwsElasticContainerRegistryCredentials.cs:line 91

   at Octopus.Core.Packages.AwsElasticContainerRegistry.AwsElasticContainerRegistryCredentials.RetrieveTempoaryCredentials(String accessKey, SensitiveString secretKey, String region, Boolean bypassCache) in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Core\Packages\AwsElasticContainerRegistry\AwsElasticContainerRegistryCredentials.cs:line 30

   at Octopus.Core.Model.AwsElasticContainerRegistry.AwsElasticContainerRegistryFeed.get_AwsCredentials() in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Core\Model\AwsElasticContainerRegistry\AwsElasticContainerRegistryFeed.cs:line 48

   at Octopus.Core.Model.AwsElasticContainerRegistry.AwsElasticContainerRegistryFeed.get_FeedUri() in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Core\Model\AwsElasticContainerRegistry\AwsElasticContainerRegistryFeed.cs:line 53

   at FluentValidation.Internal.Extensions.<>c__DisplayClass9_0`2.<CoerceToNonGeneric>b__0(Object x) in /home/xxx/code/FluentValidation/src/FluentValidation/Internal/Extensions.cs:line 155

   at FluentValidation.Validators.PropertyValidatorContext.<>c__DisplayClass26_0.<.ctor>b__0() in /home/xxx/code/FluentValidation/src/FluentValidation/Validators/PropertyValidatorContext.cs:line 53

   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)

   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)

   at System.Lazy`1.CreateValue()

   at FluentValidation.Validators.PredicateValidator.IsValid(PropertyValidatorContext context) in /home/xxx/code/FluentValidation/src/FluentValidation/Validators/PredicateValidator.cs:line 38

   at FluentValidation.Validators.PropertyValidator.Validate(PropertyValidatorContext context) in /home/xxx/code/FluentValidation/src/FluentValidation/Validators/PropertyValidator.cs:line 58

   at FluentValidation.Internal.PropertyRule.Validate(ValidationContext context)+MoveNext() in /home/xxx/code/FluentValidation/src/FluentValidation/Internal/PropertyRule.cs:line 282

   at System.Linq.Enumerable.SelectManySingleSelectorIterator`2.MoveNext()

   at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()

   at FluentValidation.AbstractValidator`1.Validate(ValidationContext`1 context) in /home/xxx/code/FluentValidation/src/FluentValidation/AbstractValidator.cs:line 115

   at Octopus.Server.Web.Infrastructure.Api.CustomResponder`1.ValidateModel[TModel](IEnumerable`1 validators, TModel model) in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Server\Web\Infrastructure\Api\CustomResponder.cs:line 347

   at Octopus.Server.Web.Infrastructure.Api.CustomCreateResponder`3.ExecuteRegistered() in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Server\Web\Infrastructure\Api\CustomCreateResponder.cs:line 97

   at Octopus.Server.Web.Infrastructure.Api.Responder`1.Respond(TDescriptor options, NancyContext context) in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Server\Web\Infrastructure\Api\Responder.cs:line 46

   at Octopus.Server.Web.Infrastructure.OctopusNancyModule.<>c__DisplayClass14_0.<get_Routes>b__1(Object o, CancellationToken x) in C:\buildAgent\work\77a480eb4131d316\source\Octopus.Server\Web\Infrastructure\OctopusNancyModule.cs:line 81

   at Nancy.Routing.Route`1.Invoke(DynamicDictionary parameters, CancellationToken cancellationToken)

   at Nancy.Routing.DefaultRouteInvoker.Invoke(Route route, CancellationToken cancellationToken, DynamicDictionary parameters, NancyContext context)

   at Nancy.Routing.DefaultRequestDispatcher.Dispatch(NancyContext context, CancellationToken cancellationToken)

   at Nancy.NancyEngine.InvokeRequestLifeCycle(NancyContext context, CancellationToken cancellationToken, IPipelines pipelines)

Affected versions

Octopus Server:

Workarounds

Setting the proxy at the OS level will work

Links

Internal link - https://octopus.zendesk.com/agent/tickets/67788

We (not me, JW - ty!) noticed that the code for this may not work using a proxy'd configuration from the web request proxy setting - https://github.com/OctopusDeploy/OctopusDeploy/blob/master/source/Octopus.Core/Packages/AwsElasticContainerRegistry/AwsElasticContainerRegistryCredentials.cs#L75-L77