
Bug 2003657: Respect user defined proxy's CA cert #495

Merged
merged 3 commits into from Sep 22, 2021

Conversation

tremes
Contributor

@tremes tremes commented Sep 13, 2021

This checks if some proxy is defined for the Insights Operator and if so then:

  1. Looks at the cluster-wide proxy spec clusterProxy.Spec.TrustedCA.Name to get the name of the config map with the CA cert
  2. Gets the corresponding config map from the openshift-config namespace
  3. Tries to read the ca-bundle.crt key from the config map
  4. Adds the CA bundle cert to the CA cert pool used in the insightsclient

How to reproduce
It's quite easy to reproduce the actual problem (you can set some proxy in the cluster-wide proxy and observe the IO error), but it's a bit difficult to verify that this fix works. You can check https://access.redhat.com/articles/4740031. In general you need to do the following:

  1. Deploy the mitmproxy to a cluster
  2. Extract the mitmproxy-ca-cert.pem from the mitmproxy container (see oc exec -n mitmproxy mitmproxy cat /root/.mitmproxy/mitmproxy-ca-cert.pem > /tmp/mitmproxy-ca-cert.pem). It happened that the mitmproxy container was sometimes killed in my case. Note that you have to extract the cert again in such a case!
  3. Create a new config map in the openshift-config namespace containing the cert (see oc create cm user-ca-bundle -n openshift-config --from-file=ca-bundle.crt=/tmp/mitmproxy-ca-cert.pem)
  4. Patch the cluster-wide proxy spec.TrustedCA to point to the new config map (see oc patch proxy cluster --type=json -p '[{"op":"add","path":"/spec/trustedCA","value":{"name":"user-ca-bundle"}}]')
  5. Configure the proxy env vars for the IO container:
     MY_NO_PROXY=$(oc get network cluster --template '{{(index .status.serviceNetwork 0)}},{{(index .status.clusterNetwork 0).cidr}},localhost')
     oc set env deployment/insights-operator HTTP_PROXY=http://mitmproxy.mitmproxy.svc:8080 HTTPS_PROXY=http://mitmproxy.mitmproxy.svc:8080 NO_PROXY=$MY_NO_PROXY

The IO upload should work fine and it should be visible in the mitmproxy log. An image containing this fix is available at quay.io/tremes/respect_proxy_ca

Categories

  • Bugfix
  • Enhancement
  • Backporting
  • Others (CI, Infrastructure, Documentation)

Sample Archive

No new data

Documentation

No doc update

Unit Tests

No test. We can think of some integration tests, but we would probably need to deploy mitmproxy container.

Privacy

Yes. There are no sensitive data in the newly collected information.

Changelog

Breaking Changes

No

References

https://issues.redhat.com/browse/???
https://bugzilla.redhat.com/show_bug.cgi?id=2003657 (originally reported in https://bugzilla.redhat.com/show_bug.cgi?id=1995937)
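The CA-pool handling that steps 3 and 4 of the description call for, shown as an added Go example that is not code from this PR or from the insights-operator repository: it reads the ca-bundle.crt key out of ConfigMap data, appends the bundle to the client's cert pool, and then checks that a server certificate signed by the proxy CA fails verification against a pool that lacks the user CA (the reported bug) and verifies once the bundle has been appended. The function names (poolFromTrustedCA, makeCert, trusted, runScenario), the host name insights-upload.example and the generated CA standing in for mitmproxy-ca-cert.pem are assumptions made for this example; the real operator fetches the ConfigMap through its Kubernetes client, which is replaced here by an in-memory map so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// trustedCAKey is the ConfigMap key named in step 3 of the description.
const trustedCAKey = "ca-bundle.crt"

// poolFromTrustedCA is a hypothetical stand-in for steps 3 and 4: given the data of the
// ConfigMap referenced by clusterProxy.Spec.TrustedCA.Name, read ca-bundle.crt and append it
// to pool, the CA pool the insights client already uses. A missing key or a bundle with no
// parsable certificate is an error rather than a silent no-op, so the caller can report why
// uploads through the proxy would still fail with an unknown-authority TLS error.
func poolFromTrustedCA(pool *x509.CertPool, cmData map[string]string) error {
	bundle, ok := cmData[trustedCAKey]
	if !ok {
		return fmt.Errorf("config map has no %q key", trustedCAKey)
	}
	if !pool.AppendCertsFromPEM([]byte(bundle)) {
		return fmt.Errorf("no certificate could be parsed from %q", trustedCAKey)
	}
	return nil
}

// makeCert generates a P-256 key and a certificate from tmpl signed by parent (self-signed
// when parent is nil); it returns the parsed cert, its key and the PEM encoding. Test material only.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// trusted reports whether leaf chains to a root in pool for host, which is the check
// crypto/tls performs on the certificate the intercepting proxy presents.
func trusted(pool *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Outcome: verification without and with the user CA, plus the two error paths.
type Outcome struct{ WithoutUserCA, WithUserCA, MissingKeyErr, BadBundleErr bool }

func runScenario() (Outcome, error) {
	const host = "insights-upload.example" // hypothetical upload endpoint name
	now := time.Now()
	// The constructed CA stands in for mitmproxy-ca-cert.pem; the leaf is the re-signed
	// server certificate the proxy presents for host.
	ca, caKey, caPEM, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed proxy CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	leaf, _, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed stand-in for the user-ca-bundle ConfigMap data in openshift-config.
	pool := x509.NewCertPool()
	if err := poolFromTrustedCA(pool, map[string]string{trustedCAKey: string(caPEM)}); err != nil {
		return Outcome{}, err
	}
	errMissing := poolFromTrustedCA(x509.NewCertPool(), map[string]string{"other-key": "x"})
	errBad := poolFromTrustedCA(x509.NewCertPool(), map[string]string{trustedCAKey: "not a PEM bundle"})
	return Outcome{
		WithoutUserCA: trusted(x509.NewCertPool(), leaf, host), // the reported bug
		WithUserCA:    trusted(pool, leaf, host),
		MissingKeyErr: errMissing != nil,
		BadBundleErr:  errBad != nil,
	}, nil
}

func main() {
	fmt.Println(runScenario())
}
```

The example starts from an empty pool so the effect of the appended bundle is visible in isolation; in a client that already trusts the system roots, the same AppendCertsFromPEM call on that existing pool adds the user CA alongside them rather than replacing them.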

@openshift-ci openshift-ci bot added the bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. label Sep 13, 2021
@openshift-ci

openshift-ci bot commented Sep 13, 2021

@tremes: This pull request references Bugzilla bug 2003657, which is invalid:

  • expected the bug to target the "4.10.0" release, but it targets "---" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2003657: Respect user defined proxy's CA cert

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Sep 13, 2021
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 13, 2021
@tremes
Contributor Author

tremes commented Sep 13, 2021

/bugzilla refresh

@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Sep 13, 2021
@openshift-ci

openshift-ci bot commented Sep 13, 2021

@tremes: This pull request references Bugzilla bug 2003657, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.0) matches configured target release for branch (4.10.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (dmisharo@redhat.com), skipping review request.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Sep 13, 2021
Contributor

@natiiix natiiix left a comment


I've checked the code and discussed it a bit, but I didn't have time to test it locally yet, so I'm not giving a definitive approval at the moment. Sorry, but the process is quite complicated and I didn't have enough time today.

Contributor

@natiiix natiiix left a comment


I have tested the provided image on a testing cluster in combination with the mitmproxy and I was able to see that IO has successfully detected the proxy certificate and that it was correctly uploading archives.
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 21, 2021
@openshift-ci

openshift-ci bot commented Sep 21, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: natiiix, tremes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Contributor

/retest-required

Please review the full test history for this PR and help us cut down flakes.


@openshift-merge-robot openshift-merge-robot merged commit 66d737f into openshift:master Sep 22, 2021
@openshift-ci

openshift-ci bot commented Sep 22, 2021

@tremes: All pull requests linked via external trackers have merged:

Bugzilla bug 2003657 has been moved to the MODIFIED state.

In response to this:

Bug 2003657: Respect user defined proxy's CA cert

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tremes tremes deleted the respect_proxy_ca branch May 6, 2022 09:18