Added support for env *_PROXY variables for agent loadbalancer #8982
Conversation
There was a problem hiding this comment.
This needs to be opt-in. As I mentioned in the issue, we DO NOT want the agent to use a proxy by default, even if one is configured. Suddenly doing so after an upgrade could be a breaking change for many users. If you want to enable this behavior, it needs to be gated on a CLI flag or environment variable.
That is not an issue to do so, however I fail to imagine a case where anyone is using a proxy, but not using a proxy at the same time, as the proxy variables are taken into account everywhere else in the code. |
Consider someone who has configured a HTTP proxy, but has not excluded their server addresses or hostnames via NO_PROXY. Currently their agents are connecting directly to the server due to the lack of proxy support. With this change, the connection would now be made via the proxy, despite the fact that the proxy may not allow that access, or even have connectivity to the server.
I don't believe this statement is correct. There are other places in the code where the agent does not include proxy support, for example the client access helpers that facilitate retrieving agent configuration do not use the default HTTP client and should not be using the proxy: Lines 31 to 41 in 3f23723 |
That I get, it is probably better to be opt-in if people already made arrangements to make it work another way. I will go through an env variable as it seems the easiest way for a newbie in Go.
&http.Client is using environment variables such as *_PROXY, as opposite to the Dialer that is created in the loadbalancer code. Overall you're right about the opt-in part, but I also believe we should consider this option to be core as it would make more sense, if it is ever doable. Will come back with updated changes, thanks for your time ! |
We (as heavy users of K3s) only want to use the proxy for pulling images. Yes, there is I am pretty sure that we have quite a few clusters running (hard to reach, because air-gapped) where we never came around to migrate to the |
|
Hello, I've introduced the USE_PROXY variable, that can either be set to true or nothing to indicate if you're willing to use a proxy. Please let me know if you need anything, this may not be the cleanest PR yet. |
|
I have no horse in this race, so please don't mind my comments too much. But I wonder if introducing yet another variable is really the best way to approach this. Idea: Instead of adding a boolean variable This would also have the added benefit that users could configure another proxy address here that may differ from the system- or containerd proxy configuration. |
http.Client doesn't manage proxies, that is part of http.Transport. The Transports for the insecure client, and the one created to validate the cluster CA, do not set |
Your comments are valuable since you are using a setup I didn't know was in place! I prefer the boolean approach (renaming the env variable to be more explicit), since it looks to be to good practice to setup the proxy variables in one file. |
As you may be right, even if you were to setup http.Transport method it would ignore proxies as I believe these requests are going to the LB, hence localhost, at what point proxies are ignored by the method. Anyway, tests were conclusive in production with the newly built agent, would you have any remarks on the actualized code on that PR ? |
There was a problem hiding this comment.
Would you mind doing a rebase, squashing all the commits, and making sure that the resulting commit is properly signed-off? It looks like DCO is failing.
You also need to go mod tidy and check in the resulting changes. go-http-dialer is no longer an indirect dep, since it's used directly by k3s - so the current go.mod is incorrect.
Types of Changes
To me, this is a bugfix as the doc specifies we can use these env variables for k3s: https://docs.k3s.io/advanced#configuring-an-http-proxy.
There is also this documentation that may be misleading as it suggests that in addition to proxies, you should open your network to various URLs, which is incompatible: https://docs.k3s.io/installation/requirements#networking.
Verification
You can test the new agent on a airgapped environment, where internet access is only possible through an external proxy.
This was tested in production on such environment on my end.
Testing
There are no linked unit tests as this is the first time I'm working on Go.
Linked Issues
Linked issue is: #8976
User-Facing Change
Further Comments
As this is a known issue for net.Dialer, this fix is based on another library which can be found on: https://github.com/mwitkow/go-http-dialer