introduce no proxy setting for git cloning, with defaulter #10902
@@ -350,6 +350,9 @@ type GitBuildSource struct { | |||
|
|||
// httpsProxy is a proxy used to reach the git repository over https | |||
HTTPSProxy *string `json:"httpsProxy,omitempty" protobuf:"bytes,4,opt,name=httpsProxy"` | |||
|
|||
// NoProxy is the list of domains for which the proxy should not be used | |||
NoProxy *string `json:"noProxy,omitempty" protobuf:"bytes,5,opt,name=httpsProxy"` |
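Review bot: the protobuf tag on the new NoProxy field repeats `name=httpsProxy` from the HTTPSProxy field two lines above, so fields 4 and 5 both claim the same protobuf name. It should read `name=noProxy` to match the field's own `json:"noProxy,omitempty"` tag; a copy-paste slip like this is worth catching with a tag check in CI rather than by eye.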
Should be name=noProxy, right?
03fa246 to 919e3f0
yes, fixed, thanks. On Wed, Sep 14, 2016 at 8:43 PM, Miciah Dashiel Butler Masters <
Ben Parees | OpenShift |
919e3f0 to c15848e
@openshift/api-review ptal.
Just one minor change, and extra credit if you add an extended test here: https://github.com/openshift/origin/blob/master/test/extended/builds/proxy.go
@@ -350,6 +350,9 @@ type GitBuildSource struct { | |||
|
|||
// httpsProxy is a proxy used to reach the git repository over https | |||
HTTPSProxy *string `json:"httpsProxy,omitempty" protobuf:"bytes,4,opt,name=httpsProxy"` | |||
|
|||
// NoProxy is the list of domains for which the proxy should not be used |
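Review bot: the doc comment on the last line opens with the Go identifier `NoProxy`, while the comment on the neighbouring field opens with the serialized name (`// httpsProxy is a proxy ...`). In this external type the comments follow the JSON name, so this one should begin `// noProxy is the list of domains ...` to stay consistent with generated API documentation.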
s/NoProxy/noProxy/
58ed89c to 5cc9fa6
@csrwng TC added and a few other changes including a semi-unrelated change to glog to ensure we get proper line number references printed from the glog wrapper instead of "glog.50:blah blah"
[testextended][extended:core(support proxies)]
LGTM
@@ -401,6 +401,9 @@ type GitBuildSource struct { | |||
|
|||
// HTTPSProxy is a proxy used to reach the git repository over https | |||
HTTPSProxy *string | |||
|
|||
// NoProxy is the list of domains for which the proxy should not be used | |||
NoProxy *string |
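Review bot: NoProxy is documented as "the list of domains" but is typed `*string`, the same as the single-URL HTTPSProxy above it, and the comment does not say how entries are separated or which forms are accepted (hostnames only, leading-dot suffixes, IPs, CIDRs). State the expected format in the comment and validate it, because a value that does not parse the way the author intended leaves internal clone traffic going through the proxy without any error.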
Why isn't this just an env var to the build?
if it's a var to the build then:
- we have to whitelist it so it can be set on the privileged container
- all operations on the privileged container will use that value which makes it riskier(?) and also less granular control over proxy behavior
- build env vars get used during assemble which might be undesirable
- build env vars get baked into the final application image which might be undesirable
Also the ship has kinda already sailed w/ the httpproxy/httpsproxy fields so it makes sense to me to put the noproxy field in the same place.
yum flake [test]
You cannot merge things that haven't gotten API approval.
can i haz api approval? i responded to your questions above.
c4efad1 to a90cde5
@smarterclayton internal api reworked, ptal.
a90cde5 to 9e9e94b
HTTPSProxy *string | ||
// ProxyConfig defines the proxies to use for the git clone operation | ||
// +k8s:conversion-gen=false | ||
ProxyConfig ProxyConfig |
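Review bot: the `+k8s:conversion-gen=false` marker on `ProxyConfig ProxyConfig` opts this field out of generated conversion, so the proxy values now depend on a hand-written conversion function that is not part of this hunk. Either keep the internal and external shapes identical so the generator can handle the field, or add a round-trip test that sets each proxy value and checks that it survives conversion in both directions.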
Sorry, I should have been clearer. I expected this to look like CommonSpec and have the same config internal and external with the correct inlining statements. Is the only reason you have conversion-gen=false different is because of that? If so my intent was just to have:

```go
type GitBuildSource struct {
    ...
    GitProxyConfig `json:",inline"`
}

type GitProxyConfig struct {
    HTTPProxy *string
    ...
}
```
sigh. and yes that's why i have conversion-gen=false.
9e9e94b to 1035f14
@@ -15,6 +15,9 @@ type BuildDefaultsConfig struct { | |||
// GitHTTPSProxy is the location of the HTTPSProxy for Git source | |||
GitHTTPSProxy string `json:"gitHTTPSProxy,omitempty"` | |||
|
|||
// GitNoProxy is the list of domains for which the proxy should not be used | |||
GitNoProxy string `json:"gitNoProxy,omitempty"` | |||
|
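Review bot: the comment on GitNoProxy does not say when this default is applied: whether it is set only on builds that carry no noProxy value of their own, and whether it is applied independently of GitHTTPSProxy or only together with it. Document the precedence on the field, since an administrator relying on this default to keep internal git hosts off the proxy needs to know whether a build-level value replaces it.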
@smarterclayton did you want this struct reworked also?
No you don't have to
1035f14 to a9a11fe
66b5fdd to cbdd84b
[test] Ben Parees | OpenShift On Sep 28, 2016 8:47 PM, "OpenShift Bot" notifications@github.com wrote:
cbdd84b to 9493cee
b2cf645 to 6636959
6636959 to 38bef0a
Evaluated for origin testextended up to 38bef0a
Evaluated for origin test up to 38bef0a
continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin_extended/546/) (Extended Tests: core(support proxies))
[merge]
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9549/)
Evaluated for origin merge up to 38bef0a
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9563/) (Image: devenv-rhel7_5113)
Worth backporting to 1.3/3.3? Seems we have a few people running into this problem.
@sdodson can you please do a backport asap? Our 3.3 project at a customer is stuck due to this. Just figured out an hour ago that it's about not getting the no_proxy variable to git in the builder image.
Not in my opinion. If you don't want a proxy used during cloning, don't set This feature was specifically for the use case where someone set a global If you don't have that scenario, you should just not configure a git proxy Ben Parees | OpenShift On Oct 7, 2016 9:32 AM, "Scott Dodson" notifications@github.com wrote:
I recall proxy has been used for decades in a way that you have http(s)_proxy and no_proxy options, and pretty much all programs obey those. Now we are struggling in a datacenter behind a proxy, where builder images need to access the internet via proxy to get all kinds of dependencies. Same with docker images etc. At the same time there is also a git server (gogs) and other utility services running on top of OpenShift. So those need to be accessed via direct access, like normally instructed via no_proxy. Pretty much everything in our setup finally works now via /etc/sysconfig/{docker,atomic-openshift*} and /etc/profile.d/proxy.sh files setting HTTP(s)_PROXY and NO_PROXY, but the builder images fail to git clone from NO_PROXY addresses. This is a misfeature, and doesn't work as expected. All company internal code fails to build due to cloning not working from inside the firewall or from OpenShift containers.
Please read my response again. The proxy settings used for git cloning are If you don't want git cloning to go through a proxy, don't set a git proxy Ben Parees | OpenShift On Oct 7, 2016 10:40 AM, "Ilkka Tengvall" notifications@github.com wrote:
OK, thanks, I'll try that first thing on Monday.
So now it's Monday morning here in UTC+3, and I got to test it. It works. Now internal git builds work, whereas the externals fail unless the build config option is manually changed for each such build. /etc/origin/master/master-config.yaml:
Thanks. Next to hunt for a similar setting for health checks, which fail next, causing restart loops.
// httpsProxy is a proxy used to reach the git repository over https | ||
HTTPSProxy *string `json:"httpsProxy,omitempty" protobuf:"bytes,4,opt,name=httpsProxy"` | ||
// proxyConfig defines the proxies to use for the git clone operation | ||
ProxyConfig `json:",inline" protobuf:"bytes,3,opt,name=proxyConfig"` |
Did we ever ship HTTPProxy and HTTPSProxy in the previous release? I.e. did we break the api between 1.3 and 1.4 here?
We did ship HTTPProxy and HTTPSProxy in the previous release, and they're still there in 1.4 ... the ProxyConfig struct is inline.
The protobuf structure changed. Fortunately we weren't storing protobuf. We can't change external structs without ensuring the protobuf structure is the same
On Mar 10, 2017, at 3:08 PM, Cesar Wong <notifications@github.com> wrote:
*@csrwng* commented on this pull request.
------------------------------
In pkg/build/api/v1/types.go
<#10902 (comment)>:
@@ -349,11 +361,8 @@ type GitBuildSource struct {
// ref is the branch/tag/ref to build.
Ref string `json:"ref,omitempty" protobuf:"bytes,2,opt,name=ref"`
- // httpProxy is a proxy used to reach the git repository over http
- HTTPProxy *string `json:"httpProxy,omitempty"
protobuf:"bytes,3,opt,name=httpProxy"`
-
- // httpsProxy is a proxy used to reach the git repository over https
- HTTPSProxy *string `json:"httpsProxy,omitempty"
protobuf:"bytes,4,opt,name=httpsProxy"`
+ // proxyConfig defines the proxies to use for the git clone operation
+ ProxyConfig `json:",inline" protobuf:"bytes,3,opt,name=proxyConfig"`
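Review bot: protobuf field number 3 is reused with a different type in the added line. The removed `httpProxy` was `bytes,3` holding a string and the removed `httpsProxy` was `bytes,4`; the embedded `ProxyConfig` is now tagged `bytes,3,opt,name=proxyConfig`, which makes it a nested message at field 3 and leaves field 4 undefined. `json:",inline"` keeps the JSON shape unchanged, but nothing in this hunk keeps the protobuf shape unchanged, so objects encoded with the old layout will not decode into the new one. Keep httpProxy and httpsProxy at their original numbers (with noProxy on the next free number), or confirm that no protobuf-encoded objects of this type exist before merging.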
We did ship HTTPProxy and HTTPSProxy in the previous release, and they're
still there in 1.4 ... the ProxyConfig struct is inline.
fixes #10400
bug 1375902
@csrwng ptal
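
The protobuf concern raised in the review (the inlined ProxyConfig taking field number 3 while httpsProxy at field 4 disappears) can be detected mechanically by comparing struct tags between two versions of a type. The Go code below is an added example, not code from this pull request or from OpenShift; the type names gitV13 and gitV14, the helper names, and ProxyConfig's field list are assumptions, and the tags are copied from the diff quoted in the thread.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Constructed from the quoted diff: struct before (gitV13) and after (gitV14) the change.
type gitV13 struct {
	Ref        string  `json:"ref,omitempty" protobuf:"bytes,2,opt,name=ref"`
	HTTPProxy  *string `json:"httpProxy,omitempty" protobuf:"bytes,3,opt,name=httpProxy"`
	HTTPSProxy *string `json:"httpsProxy,omitempty" protobuf:"bytes,4,opt,name=httpsProxy"`
}
type ProxyConfig struct{ HTTPProxy, HTTPSProxy, NoProxy *string } // field list assumed
type gitV14 struct {
	Ref         string `json:"ref,omitempty" protobuf:"bytes,2,opt,name=ref"`
	ProxyConfig `json:",inline" protobuf:"bytes,3,opt,name=proxyConfig"`
}

// tagOf reads a tag such as "bytes,3,opt,name=x" into ("3", "x/<Go kind>").
func tagOf(f reflect.StructField) (num, desc string, ok bool) {
	parts := strings.Split(f.Tag.Get("protobuf"), ",")
	if len(parts) < 4 {
		return "", "", false // field carries no protobuf tag
	}
	return parts[1], strings.TrimPrefix(parts[3], "name=") + "/" + f.Type.Kind().String(), true
}

// WireChanges lists field numbers of oldV that newV drops or redefines.
func WireChanges(oldV, newV interface{}) (out []string) {
	newFields := map[string]string{}
	for i, t := 0, reflect.TypeOf(newV); i < t.NumField(); i++ {
		if num, desc, ok := tagOf(t.Field(i)); ok {
			newFields[num] = desc
		}
	}
	for i, t := 0, reflect.TypeOf(oldV); i < t.NumField(); i++ { // declaration order
		num, was, ok := tagOf(t.Field(i))
		if now, found := newFields[num]; ok && !found {
			out = append(out, fmt.Sprintf("field %s (%s) removed", num, was))
		} else if ok && now != was {
			out = append(out, fmt.Sprintf("field %s changed: %s -> %s", num, was, now))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(WireChanges(gitV13{}, gitV14{}), "\n")) }
```

The check only inspects tags on the top-level struct, so it flags the reuse of field 3 and the loss of field 4 even though the JSON form of both versions is identical.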