Add support for cluster using http forward proxy #2481

[DerekV]

Adds support for running a cluster where access to external resources must be done through an http forward proxy. This adds a new element to the ClusterSpec, EgressProxy, and then sets up environment variables where appropriate. Access to API servers is additionally assumed to be done through the proxy, in particular this is necessary for AWS VPCs with private topology and egress by proxy (no NAT), at least until Amazon implements VPC Endpoints for the APIs.

Additionally, see my notes in #2481

TODOs

• Consider editing files from nodeup rather than cloudup
• Add support for RHEL
  • Validate on RHEL
• Add support for CoreOS See Support CoreOS with http proxy #3032
• Add support for vSphere See Support for http forward proxy in vSphere #3071
• Minimize services effected
• Support seperate https_proxy configuration See Support different hostname and port for https proxy as http proxy #3069
• Remove unvalidated proxy auth support (save for future PR) See Support http proxy auth #3070
• Add Documentation
• Fill in some sensible default exclusions for the user, allow the user to extend this list
• Address PR review comments
• Either require port or handle nil
• Do API validation (or file an issue for validation) See API Validation for EgressProxySpec #3077
• Add uppercase versions of proxy env vars to cover our bases
• File an issue for unit tests 😬 See Add unit tests for http_proxy support #3072
• Validate cluster upgrades and updates
• Remove ftp_proxy (nothing uses)

---

This change is 

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-ci-robot]

Hi @DerekV. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[DerekV]

TODO: Add documentation
CLA on its way.

[DerekV]

We will need to open a new ticket to fill this in to add support for VMWare.

[DerekV]

remove

[DerekV]

TODO - We'll want to open an issue to add this support for vpshere, as I am just passing a nil in that path (I have no cluster to validate on currently)
TODO - all the code around username and password for the proxy, since I didn't test it, and open a new ticket to support proxy auth

[DerekV]

I did not explicitly remove this comment from this generated file, should re-add it?

[chrislovecnm]

Already removed in master

[chrislovecnm]

@k8s-bot ok to test

[chrislovecnm]

Travis CI is failing btw

[DerekV]

@chrislovecnm looking at Travis..

[chrislovecnm]

Looks great. Some comments.

[chrislovecnm]

Already removed in master

[chrislovecnm]

Should we have HTTP / HTTPS / and S3?

[chrislovecnm]

@johnzeringue here is an example of EgressProxySpec that is set for HTTP proxy. Both you and @DerekV were working on the same problem at the same time. I think a combination of both your and his PR would be awesome.

Guys let me know if I can assist.

[chrislovecnm]

HTTPProxySpec to HTTPProxy basically don't use the word 'Spec'

[chrislovecnm]

Can we abstract this to a Proxy Object, and then reuse for seperate HTTP and HTTPS?

[DerekV]

Supporting a seperate HTTPS is why I constructed the objects this way. I took it out when I was cleaning up just because I wasn't using it, so it was unexecuted code. Easy to put back in.

[chrislovecnm]

We need to figure out how to exclude the internal AWS urls as well, if the cluster is in AWS.

[DerekV]

I omit them by setting ProxyExcludes. I was going to include documentation about this.

[johnzeringue]

Does this need to be part of the API or can we configure this automatically for users? My idea was that the proxy is only for the benefit of the cluster and not any applications running in it, so I'm struggling to think of edge cases that would need manual excludes.

[chrislovecnm]

This needs to be part of the API, many enterprises will have internal URLs that are not proxied.

[chrislovecnm]

We probably need to separate values for http and https ... thoughts?

[DerekV]

It's only needed if the user has seperate servers or ports for http and https proxies. If you only specify one, most clients will try to used that one for both. I'm guessing the more common configuration is to have one proxy and port for both protocols. However, to support the full gamut of possible configurations, you would need both, and also ftp_proxy as well. My first iteration had this, but I removed it since it wasn't needed, and thought it could be added back if someone requested it.

[chrislovecnm]

we need an if statement here. If no ProxyEnv don't print this block.

[DerekV]

thanks

[chrislovecnm]

{{- if .EgressProxy -}}
        env:
{{ range $name, $value := ProxyEnv }}
        - name: {{ $name }}
          value: {{ $value }}
{{ end }}
{{- end -}}

Works btw.

[chrislovecnm]

Can port be optional?

[DerekV]

What would it default to?

[chrislovecnm]

80 for http, 443 for ssl?

[DerekV]

In practice, it rarely works this way, and ports are nearly always specified in proxy configurations. Both http_proxy and https_proxy work over scheme http to connect to the proxy (typically, some digging tells me https for client-to-proxy is possible but I am not sure how common it is in practice) For example, curl will, if the port is ommited, assume port 1080. wget is undocumented (seems it might use the default for the url scheme in the proxy), and likewise with golang net/http. I see two possible approaches: We could check check for nil, making the port optional in the configuration and here leaving colon and port off if it was omitted in the cluster spec, which would leave behavior up to the specific client and fate. The other option is to require an explicit port for a valid configuration.

[chrislovecnm]

We are going to need some validation around this. See the validation folder in this pkg.

[DerekV]

Will do

[chrislovecnm]

File an issue to do validation.

[chrislovecnm]

/retest

[johnzeringue]

My coworker noted that we had issues with the case variable names in our setup. I think it's okay in this spot but if you're having issues with no_proxy elsewhere try NO_PROXY.

[johnzeringue]

Is this intentional?

[DerekV]

Reverted the file, apparently I didn't need to mess with it.

[chrislovecnm]

yaml template needs if statement

[chrislovecnm]

{{- if .EgressProxy -}}
        env:
{{ range $name, $value := ProxyEnv }}
        - name: {{ $name }}
          value: {{ $value }}
{{ end }}
{{- end -}}

Works btw.

[chrislovecnm]

I fixed the cloudformation unit test here: chrislovecnm@cbad385#diff-ce8b64820650adfbe4912e5395227992

[chrislovecnm]

@DerekV the cluster is not starting during e2e. Have you run a local e2e test with a full build that does not use a proxy?

[DerekV]

Two questions:
Should we add an e2e test (and how does one go about that?)
Should we support proxy auth in this PR or move that to a new PR?

[druidsbane]

After testing it appears that no_proxy needs to be replaced with NO_PROXY. kube-dns and other packages fail to start up properly otherwise. Log scraping and possibly health-checks also fail.

I'd also vote to have all the other variables set to all uppercase to match standard conventions except in /etc/wgetrc where it is documented to be lowercase.

[chrislovecnm]

Thanks @druidsbane!

[chrislovecnm]

Do we have a list of components that need the http proxy config?

[chrislovecnm]

File a ticket for unit tests, we won't be able to have a e2e test for this. We can sorta do an integration test, but we need to look at how.

Can we comment out the auth code or pull it. I would rather have another PR where we add auth in. Does anyone need auth? I do not.

[chrislovecnm]

FInally had a chance to give this PR a good once over.

[chrislovecnm]

This needs to be part of the API, many enterprises will have internal URLs that are not proxied.

[chrislovecnm]

HTTPProxySpec to HTTPProxy basically don't use the word 'Spec'

[chrislovecnm]

Can we make update the case? Where are we using NO_PROXY

[chrislovecnm]

Can we pull User and Password for now? You can comment out.

[chrislovecnm]

File an issue to do validation.

[chrislovecnm]

shall we remove auth stuff?

[chrislovecnm]

pull auth please

[chrislovecnm]

remove auth

[chrislovecnm]

@andrewsykim should we use a bytes.Buffer here? 🤔

[chrislovecnm]

Oh, we need to support more than just Debian. kops supports RHEL, Centos, Ubuntu, CoreOS, and Debian. We are probably going to need to move this into nodeup. We do not check the OS type when executing this, and this may be getting messy enough that we may need nodeup to do this. Let me sleep on it, and can you ping me tomorrow via slack?

Bottom line we need to support apt, yum and whatever the heck CoreOS uses.

[chrislovecnm]

I am also reading https://docs.docker.com/engine/admin/systemd/#httphttps-proxy

1. /etc/default/docker may not exist unless docker is installed. We do not have that guarantee as people use there own images.
2. Since you echo'ed it into /etc/systemd/system.conf do we even need the docker config settings?

[chrislovecnm]

Another question for you, not sure what is going on in protokube.

[chrislovecnm]

Don't we need to test if we need to write this out? A bit confused.

[DerekV]

we should skip if it isn't set.

[chrislovecnm]

@DerekV take a peek at chrislovecnm@cfe1427#diff-d510984f3211ef071e61626401f1f793 I have not tested it yet, but I am thinking it should support different distros.

[chrislovecnm]

Fix an issue for you #3032

[DerekV]

We should use the EgressProxySpec object instead of reading from the os environment.

[DerekV]

@chrislovecnm Let's change this back to using the EgressProxySpec?

[DerekV]

✔️

[DerekV]

EgressProxy is optional, having it be nil is not an error to me, returning an empty map means this function could be composed with others that return environment variables.

[DerekV]

Shouldn't we use the EgressProxySpec here?

[DerekV]

Use EgressProxy not os.Getenv

[k8s-github-robot]

@DerekV PR needs rebase

[DerekV]

@chrislovecnm I'm all set, do you see anything else?

[justinsb]

This looks really good :-)

I had a few minor questions. The only big one is - as always - on the API itself (the API being the thing that is very hard to change, hence I am such a stickler for it!). Should egressProxy be egress, so that this is comparable to the egress option we've defined on subnets. i.e. is this a replacement for a NAT gateway? Or would people use an HTTP proxy and a NAT gateway (or VPN gateway)?

[justinsb]

Looking good!

[justinsb]

We do have egress which is where we configure a natGateway. Currently that is defined on the subnet level, because of the limitations of NAT subnets. We should consider whether this is the same thing, and whether we want to expand egress to cover this. My knee-jerk is yes...

(In practice, we only have to preserve serialized API compatibility, so this means renaming the field. We can harmonize the two fields later.)

[justinsb]

On the flip-side, I guess the argument is that we could have both egress and egressProxy. i.e. we want to use an HTTP proxy, but we also want to tunnel through a VPN / gateway.

I'm not the expert here - if http proxy & gateway are both possible, then this makes sense to me.

[DerekV]

Yes, I think conceivably the http proxy would be in addition to one or more of these other options.

[justinsb]

👍 easy to change later (add an httpsProxy field), great to call out the limitation explicitly.

[DerekV]

Yep! That was my intent. I opened an issue to track it (#3069)

[justinsb]

So this is only going to work for layer 7 proxies, and if we - for example - but a NAT gateway in here it would not work as expected. That said I think this is fine, it can be a validation error. YAGNI :-)

[justinsb]

Suggest removal of this one (it could be v(8), but I think just remove)

[DerekV]

Crap! I meant to remove those tracer logs, was troubleshooting something this weekend. Thanks

[justinsb]

v(8) or remove?

[justinsb]

httpProxyUrl is always going to be empty at this point in the code, we created the variable a few lines above...

[DerekV]

Good catch. There's something else here that is more subtle... the egressProxy specifies a "Host" not a "URL". This means the transport is not really expected to be specified in the host string. In most cases, the transport from client to proxy is http, so for this PR this is what we assume, though it is possible in some situations to handle encryption from client to proxy, via https. To support this feature, we would just add an api for HTTPProxy.Transport. Meanwhile, what I think we wanted here was for httpProxyUrl to be ps.HTTPProxy.Host, I'll make that change now.

[justinsb]

Yes - I am very wary of doing stuff in the bootstrap script.

I guess the argument here is that we need the proxy to download nodeup. That makes sense.

We should move the rest of this to nodeup asap though...

[justinsb]

Aside: I am wondering if we should inline-expand the UserData during the tests, just so these diffs are less annoying :-)

[DerekV]

My personal impulse is that, in a perfect world, it would be broken up into a large series of property-by-property based tests rather than a byte for byte test. That refactor would be a time consuming one, so I guess it depends on how much time it would save. Errors and changes would definitely be clearer.

[justinsb]

Could we check if len(ProxyEnv) == 0?

[DerekV]

I feel like there was some back and forth on what the check should be, not sure there is any particular reason I ended up with this one.

[justinsb]

V(8) or remove?

[DerekV]

I'll remove the most of these tracer logs or v(8) if I think they might be interesting enough

[chrislovecnm]

V(8) then please

[chrislovecnm]

/ok-to-test

[justinsb]

As we discussed in office hours, I think you're right and we do want to keep egressProxy even if we eventually have a top-level egress option (because layer 7 vs layer 4, i.e. they are not exclusive).

If you want to do a pass on some of the smaller items (e.g. the logging) then I think we can get this merged :-)

[k8s-github-robot]

@DerekV PR needs rebase

[DerekV]

Should I also squash to one commit? What is preferred?

[DerekV]

@chrislovecnm did I address all your requested changes OK?

[chrislovecnm]

/lgtm
/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DerekV, chrislovecnm

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• OWNERS [chrislovecnm]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue