Allow to use proxy to connect to OSP cloud

When using Proxy and the installer is configured
on a restricted installation, Kuryr bootstrap
can't progress as the http client is not
configured to use Proxy. This commit ensures
proxy is used by relying on the cluster proxy
resource instead of relying on cvo to injecting
the proxy env vars.

bindata/network/kuryr/006-controller.yaml

@@ -52,6 +52,18 @@ spec:
           value: "{{.KUBERNETES_SERVICE_PORT}}"
         - name: KUBERNETES_SERVICE_HOST
           value: "{{.KUBERNETES_SERVICE_HOST}}"
+{{- if .HttpProxy }}
+        - name: HTTP_PROXY
+          value: {{ .HttpProxy }}
+{{- end }}
+{{- if .HttpsProxy }}
+        - name: HTTPS_PROXY
+          value: {{ .HttpsProxy }}
+{{- end }}
+{{- if .NoProxy }}
+        - name: NO_PROXY
+          value: {{ .NoProxy }}
+{{- end }}
         volumeMounts:
         - name: config-volume
           mountPath: "/etc/kuryr"

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/stretchr/testify v1.6.1
 	github.com/vishvananda/netlink v1.1.0
 	github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae // indirect
-	golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb // indirect
+	golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.0
 	k8s.io/apiextensions-apiserver v0.20.0

pkg/bootstrap/types.go

@@ -25,6 +25,9 @@ type KuryrBootstrapResult struct {
 	WebhookCert              string
 	WebhookKey               string
 	UserCACert               string
+	HttpsProxy               string
+	HttpProxy                string
+	NoProxy                  string
 }
 
 type OVNBootstrapResult struct {

pkg/network/kuryr.go

@@ -43,6 +43,10 @@ func renderKuryr(conf *operv1.NetworkSpec, bootstrapResult *bootstrap.BootstrapR
 	// OpenStack cloud CA certificate provided by the user to the installer
 	data.Data["UserCACertificate"] = b.UserCACert
 
+	data.Data["HttpsProxy"] = b.HttpsProxy
+	data.Data["HttpProxy"] = b.HttpProxy
+	data.Data["NoProxy"] = b.NoProxy
+
 	// general kuryr options
 	data.Data["ResourceTags"] = "openshiftClusterID=" + b.ClusterID
 	data.Data["PodSecurityGroups"] = strings.Join(b.PodSecurityGroups, ",")

pkg/platform/openstack/kuryr_bootstrap.go

@@ -6,29 +6,33 @@ import (
 	"crypto/x509"
 	b64 "encoding/base64"
 	"fmt"
+	"golang.org/x/net/http/httpproxy"
 	"k8s.io/api/core/v1"
 	"log"
 	"net"
 	"net/http"
+	"net/url"
+	"os"
 	"regexp"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"strings"
 
 	"github.com/Masterminds/semver"
-	"github.com/pkg/errors"
-	"gopkg.in/yaml.v2"
-
 	"github.com/gophercloud/gophercloud"
 	"github.com/gophercloud/gophercloud/openstack"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/extensions/security/rules"
 	"github.com/gophercloud/gophercloud/openstack/networking/v2/subnets"
 	"github.com/gophercloud/utils/openstack/clientconfig"
+	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/cluster-network-operator/pkg/bootstrap"
 	"github.com/openshift/cluster-network-operator/pkg/names"
 	"github.com/openshift/cluster-network-operator/pkg/platform/openstack/util/cert"
+	"github.com/pkg/errors"
+	"gopkg.in/yaml.v2"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
 
 	confv1 "github.com/openshift/api/config/v1"
 	operv1 "github.com/openshift/api/operator/v1"
@@ -292,18 +296,55 @@ func BootstrapKuryr(conf *operv1.NetworkSpec, kubeClient client.Client) (*bootst
 		return nil, errors.Wrap(err, "failed to get cloud provider CA certificate")
 	}
 
+	// We cannot rely on the inject-proxy annotation because the CVO, which is
+	// responsible to inject the proxy env vars, is not available before CNO.
+	proxyConfig := &configv1.Proxy{}
+	err = kubeClient.Get(context.TODO(), types.NamespacedName{Name: names.CLUSTER_CONFIG}, proxyConfig)
+	if err != nil && !apierrors.IsNotFound(err) {
+		return nil, err
+	}
+
+	transport := http.Transport{}
+	noProxy := proxyConfig.Status.NoProxy
+	httpProxy := proxyConfig.Status.HTTPProxy
+	httpsProxy := proxyConfig.Status.HTTPSProxy
+	hasProxy := len(httpsProxy) > 0 || len(httpProxy) > 0 || len(noProxy) > 0
+	if hasProxy {
+		os.Setenv("NO_PROXY", noProxy)
+		os.Setenv("HTTP_PROXY", httpProxy)
+		os.Setenv("HTTPS_PROXY", httpsProxy)
+		// The env vars are not propagated to different libs when not set on
+		// main(), so we'll load it directly here and rely on http lib to choose
+		// the proxy URL.
+		proxyfunc := httpproxy.FromEnvironment().ProxyFunc()
+		transport.Proxy = func(req *http.Request) (*url.URL, error) {
+			return proxyfunc(req.URL)
+		}
+		provider.HTTPClient = http.Client{Transport: &transport}
+
+		// Due to an issue in the urllib3 library https://github.com/psf/requests/issues/5939
+		// Kuryr will currently default to use http scheme when https is set.
+		proxyUrl, err := url.Parse(httpsProxy)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to parse cluster-wide proxy https URL")
+		}
+
+		if proxyUrl.Scheme == "https" {
+			if len(httpProxy) > 0 {
+				log.Printf("Kuryr requires proxy to use http scheme. Defaulting proxy to %s", httpProxy)
+				httpsProxy = httpProxy
+			} else {
+				return nil, errors.New("Kuryr currently requires proxy to use http scheme.")
+			}
+		}
+	}
+
 	if userCACert != "" {
 		certPool, err := x509.SystemCertPool()
 		if err == nil {
 			certPool.AppendCertsFromPEM([]byte(userCACert))
-			client := http.Client{
-				Transport: &http.Transport{
-					TLSClientConfig: &tls.Config{
-						RootCAs: certPool,
-					},
-				},
-			}
-			provider.HTTPClient = client
+			transport.TLSClientConfig = &tls.Config{RootCAs: certPool}
+			provider.HTTPClient = http.Client{Transport: &transport}
 		}
 	}
 
@@ -725,6 +766,9 @@ func BootstrapKuryr(conf *operv1.NetworkSpec, kubeClient client.Client) (*bootst
 			WebhookKey:               b64.StdEncoding.EncodeToString(webhookKey),
 			WebhookCert:              b64.StdEncoding.EncodeToString(webhookCert),
 			UserCACert:               userCACert,
+			HttpProxy:                httpProxy,
+			HttpsProxy:               httpsProxy,
+			NoProxy:                  noProxy,
 		}}
 	return &res, nil
 }