introduce no proxy setting for git cloning, with defaulter

[bparees]

fixes #10400

bug 1375902

@csrwng ptal

[Miciah]

Should be name=noProxy, right?

[bparees]

yes, fixed, thanks.

On Wed, Sep 14, 2016 at 8:43 PM, Miciah Dashiel Butler Masters <
notifications@github.com> wrote:

@Miciah commented on this pull request.

In pkg/build/api/v1/types.go
#10902 (review):

@@ -350,6 +350,9 @@ type GitBuildSource struct {

// httpsProxy is a proxy used to reach the git repository over https
HTTPSProxy *string json:"httpsProxy,omitempty" protobuf:"bytes,4,opt,name=httpsProxy"
+

• // NoProxy is the list of domains for which the proxy should not be used
• NoProxy *string json:"noProxy,omitempty" protobuf:"bytes,5,opt,name=httpsProxy"

Should be name=noProxy, right?

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#10902 (review),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEvl3kPNRpP6pq_jkb93jKT9gE6TEUo5ks5qqEBNgaJpZM4J8gpZ
.

Ben Parees | OpenShift

[bparees]

@openshift/api-review ptal.
@csrwng bump
[test]

[csrwng]

Just one minor change, and extra credit if you add an extended test here: https://github.com/openshift/origin/blob/master/test/extended/builds/proxy.go

[csrwng]

s/NoProxy/noProxy/

[bparees]

@csrwng TC added and a few other changes including a semi-unrelated change to glog to ensure we get proper line number references printed from the glog wrapper instead of "glog.50:blah blah"

[bparees]

[testextended][extended:core(support proxies)]

[csrwng]

LGTM

[smarterclayton]

Why isn't this just an env var to the build?

[bparees]

if it's a var to the build then:

1. we have to whitelist it so it can be set on the privileged container
2. all operations on the privileged container will use that value which makes it riskier(?) and also less granular control over proxy behavior
3. build env vars get used during assemble which might be undesirable
4. build env vars get baked into the final application image which might be undesirable

Also the ship has kinda already sailed w/ the httpproxy/httpsproxy fields so it makes sense to me to put the noproxy field in the same place.

[bparees]

yum flake [test]

[smarterclayton]

You cannot merge things that haven't gotten API approval.

[bparees]

You cannot merge things that haven't gotten API approval.

can i haz api approval? i responded to your questions above.

[bparees]

@smarterclayton internal api reworked, ptal.

[smarterclayton]

Sorry, I should have been clearer. I expected this to look like CommonSpec and have the same config internal and external with the correct inlining statements. Is the only reason you have conversion-gen=false different is because of that? If so my intent was just to have:

type GitBuildSource struct {
  ...
  GitProxyConfig `json:",inline"`
}

type GitProxyConfig struct {
  HTTPProxy *string
  ...
}

[bparees]

sigh. and yes that's why i have conversion-gen=false.

[bparees]

@smarterclayton did you want this struct reworked also?

[smarterclayton]

No you don't have to

[bparees]

[test]

Ben Parees | OpenShift

On Sep 28, 2016 8:47 PM, "OpenShift Bot" notifications@github.com wrote:

continuous-integration/openshift-jenkins/test FAILURE (
https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9455/)

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#10902 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEvl3gFBKSgzxQXoAzJUgaxMhM4tRDBKks5quwqxgaJpZM4J8gpZ
.

[openshift-bot]

Evaluated for origin testextended up to 38bef0a

[openshift-bot]

Evaluated for origin test up to 38bef0a

[openshift-bot]

continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin_extended/546/) (Extended Tests: core(support proxies))

[bparees]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9549/)

[openshift-bot]

Evaluated for origin merge up to 38bef0a

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9563/) (Image: devenv-rhel7_5113)

[sdodson]

Worth backporting to 1.3/3.3? Seems we have a few people running into this problem.

[ikke-t]

@sdodson can you please do backport asap? Our 3.3. project at customer is stuck due this. Just figured out an hour ago that it's about not getting no_proxy variable to git in builder image.

[bparees]

Not in my opinion. If you don't want a proxy used during cloning, don't set
a proxy in your Buildconfig git proxy section, and don't set one in the
build defaulter either.

This feature was specifically for the use case where someone set a global
git proxy defaulter value but wanted to ensure proxying wasn't done for a
certain domains, but was done for most domains.

If you don't have that scenario, you should just not configure a git proxy
default value in the build defaulter.

Ben Parees | OpenShift

On Oct 7, 2016 9:32 AM, "Scott Dodson" notifications@github.com wrote:

Worth backporting to 1.3/3.3? Seems we have a few people running into this
problem.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#10902 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEvl3nTScKgLox-MBfI8yJrJFPisY533ks5qxknPgaJpZM4J8gpZ
.

[ikke-t]

I recall proxy has been used for decades in a way that you have http(s)_proxy and no_proxy options, and pretty much all programs obey those. Now we are struggling in datacenter behind proxy, where builder images need to access internet via proxy to get all kinds of dependencies. Same with docker images etc. At the same time there is also git server (gogs) and other utility services running on top of OpenShift. So those need to be accessed via direct access, like normally instructed via no_proxy.

Pretty much everything in our setup finally works now via /etc/sysconfig/{docker,atomic-opensift*} and /etc/profile.d/proxy.sh files setting HTTP(s)_PROXY and NO_PROXY, but the builder images fail to git clone from NO_PROXY addresses. This is misfeature, and don't work as expected. All company internal code fails to build due cloning not working from inside the firewall or from OpenShift containers.

• ikke

[bparees]

Please read my response again. The proxy settings used for git cloning are
specific to git cloning. They have nothing to do with proxy settings for
dependency retrieval or image pulling.

If you don't want git cloning to go through a proxy, don't set a git proxy
value. You don't need this feature backported to solve your problem.

Ben Parees | OpenShift

On Oct 7, 2016 10:40 AM, "Ilkka Tengvall" notifications@github.com wrote:

I recall proxy has been used for decades in a way that you have
http(s)_proxy and no_proxy options, and pretty much all programs obey
those. Now we are struggling in datacenter behind proxy, where builder
images need to access internet via proxy to get all kinds of dependencies.
Same with docker images etc. At the same time there is also git server
(g9gs) and other utility services running on top of OpenShift. So those
need to be accessed via direct access, like normally instructed via
no_proxy.

Pretty much everything in our setup finally works now via
/etc/sysconfig/{docker,atomic-opensift*} and /etc/profile.d/proxy.sh
files setting HTTP(s)_PROXY and NO_PROXY, but the builder images fail to
git clone from NO_PROXY addresses. This is misfeature, and don't work as
expected. All company internal code fails to build.

• ikke

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#10902 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AEvl3rW0jNkKFvBbcebAz3oVl2KKhc18ks5qxlnpgaJpZM4J8gpZ
.

[ikke-t]

OK, thaks I'll try that first thing at monday.

[ikke-t]

So now it's monday morning here in UTC+3, and I got to test it. It works. Now internal git builds work, where as the externals fail unless the build config option is manually changed for each such build.

/etc/origin/master/master-config.yaml:

      gitHTTPProxy: ""
      gitHTTPSProxy: ""

Thanks. Next to hunt for similar setting for health checks, which fails next causing restart loops.

[smarterclayton]

Did we ever ship HTTPProxy and HTTPSProxy in the previous release? I.e. did we break the api between 1.3 and 1.4 here?

[csrwng]

We did ship HTTPProxy and HTTPSProxy in the previous release, and they're still there in 1.4 ... the ProxyConfig struct is inline.

[smarterclayton]

The protobuf structure changed. Fortunately we weren't storing protobuf. We can't change external structs without ensuring the protobuf structure is the same On Mar 10, 2017, at 3:08 PM, Cesar Wong <notifications@github.com> wrote: *@csrwng* commented on this pull request. ------------------------------ In pkg/build/api/v1/types.go <#10902 (comment)>:

@@ -349,11 +361,8 @@ type GitBuildSource struct {

// ref is the branch/tag/ref to build. Ref string `json:"ref,omitempty" protobuf:"bytes,2,opt,name=ref"` - // httpProxy is a proxy used to reach the git repository over http - HTTPProxy *string `json:"httpProxy,omitempty" protobuf:"bytes,3,opt,name=httpProxy"` - - // httpsProxy is a proxy used to reach the git repository over https - HTTPSProxy *string `json:"httpsProxy,omitempty" protobuf:"bytes,4,opt,name=httpsProxy"` + // proxyConfig defines the proxies to use for the git clone operation + ProxyConfig `json:",inline" protobuf:"bytes,3,opt,name=proxyConfig"` We did ship HTTPProxy and HTTPSProxy in the previous release, and they're still there in 1.4 ... the ProxyConfig struct is inline. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#10902 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p3a7UZho3wgmIZ2LgCmWog7x3GhBks5rka24gaJpZM4J8gpZ> .