Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_ports by zhfeng · Pull Request #75256 · openshift/release

zhfeng · 2026-02-25T03:24:47Z

Summary

The hosted cluster kube-apiserver uses a NodePort (e.g. 31498) which is not in squid's allowed_ssl_ports ACL (443, 5000, 6443)
This causes squid to deny CONNECT requests with 403 Forbidden when CI steps access the hosted cluster API through the proxy
Fix: extract the port from the kubeconfig server URL and add it to allowed_ssl_ports before restarting squid

Test plan

Verify the periodic job periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f14 no longer fails at the catalogsource step

openshift-ci · 2026-02-25T03:24:51Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

zhfeng · 2026-02-25T03:31:08Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-baremetalds-hypershift-agent-mce-n2minor-guest-f28

openshift-ci-robot · 2026-02-25T03:31:11Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

zhfeng · 2026-02-25T09:01:11Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-baremetalds-hypershift-agent-mce-n2minor-guest-f28

openshift-ci-robot · 2026-02-25T09:01:14Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

zhfeng · 2026-02-26T07:40:56Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-baremetalds-hypershift-agent-mce-n2minor-guest-f28

openshift-ci-robot · 2026-02-26T07:40:59Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

zhfeng · 2026-02-26T12:34:21Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f14

openshift-ci-robot · 2026-02-26T12:34:23Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

zhfeng · 2026-02-27T03:40:07Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f14

openshift-ci-robot · 2026-02-27T03:40:10Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

zhfeng · 2026-02-27T07:03:12Z

/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f14

openshift-ci-robot · 2026-02-27T07:03:14Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

zhfeng · 2026-02-27T08:24:30Z

/pj-rehearse periodic-ci-openshift-hypershift-release-4.21-periodics-mce-e2e-agent-connected-ovn-dualstack-metal-conformance

openshift-ci-robot · 2026-02-27T08:24:33Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

…ports

zhfeng · 2026-02-27T12:06:51Z

/pj-rehearse ack

openshift-ci-robot · 2026-02-27T12:06:54Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot · 2026-02-27T12:08:11Z

[REHEARSALNOTIFIER]
@zhfeng: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-origin-release-4.16-e2e-agent-disconnected-ovn-dualstack-metal3	openshift/origin	presubmit	Registry content changed
pull-ci-openshift-origin-release-4.16-e2e-agent-connected-ovn-ipv4-metal3	openshift/origin	presubmit	Registry content changed
pull-ci-openshift-origin-release-4.16-e2e-agent-connected-ovn-dualstack-metal3	openshift/origin	presubmit	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-baremetalds-hypershift-agent-mce-n2minor-guest-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.19-periodics-mce-e2e-agent-disconnected-ovn-ipv6-metal-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-baremetalds-hypershift-agent-mce-n2minor-mgmt-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.21-periodics-mce-e2e-agent-critical	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.17-periodics-mce-e2e-agent-connected-ovn-ipv4-metal-compact-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.17-amd64-nightly-baremetalds-hypershift-agent-mce-disconnected-guest-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-4.18-upgrade-from-stable-4.17-baremetalds-agent-hypershift-mce-compact-full-inplace-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-mce-e2e-agent-disconnected-ovn-ipv6-metal-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.19-amd64-nightly-baremetalds-hypershift-agent-mce-n1minor-guest-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-baremetalds-hypershift-agent-mce-mgmt-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.18-periodics-mce-e2e-agent-connected-ovn-ipv4-metal-compact-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.18-periodics-mce-e2e-agent-connected-ovn-ipv4-metal-oadp	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.18-amd64-nightly-baremetalds-hypershift-agent-mce-disconnected-guest-f14-des	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.20-periodics-mce-e2e-agent-critical	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.18-periodics-mce-e2e-agent-disconnected-ovn-ipv6-metal-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-4.20-eus-upgrade-from-4.18-baremetalds-agent-hypershift-mce-compact-full-inplace-f28	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f28-destructive	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-baremetalds-hypershift-agent-mce-mgmt-f14	N/A	periodic	Registry content changed
periodic-ci-openshift-hypershift-release-4.21-periodics-mce-e2e-agent-connected-ovn-ipv4-manual-conformance	N/A	periodic	Registry content changed
periodic-ci-openshift-openshift-tests-private-release-4.20-amd64-nightly-4.20-eus-upgrade-from-4.18-baremetalds-agent-hypershift-mce-mceupgrade-inplace-f28	N/A	periodic	Registry content changed

A total of 119 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

zhfeng · 2026-02-27T12:08:51Z

/pj-rehearse ack

openshift-ci-robot · 2026-02-27T12:08:53Z

@zhfeng: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

heliubj18 · 2026-02-28T03:59:09Z

/lgtm

openshift-ci · 2026-02-28T03:59:30Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: heliubj18, zhfeng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~ci-operator/step-registry/hypershift/agent/OWNERS~~ [heliubj18]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2026-02-28T04:11:02Z

@zhfeng: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f14	`ae9081f`	link	unknown	`/pj-rehearse periodic-ci-openshift-openshift-tests-private-release-4.16-amd64-nightly-baremetalds-hypershift-agent-mce-guest-f14`
ci/rehearse/periodic-ci-openshift-hypershift-release-4.21-periodics-mce-e2e-agent-connected-ovn-dualstack-metal-conformance	`ae9081f`	link	unknown	`/pj-rehearse periodic-ci-openshift-hypershift-release-4.21-periodics-mce-e2e-agent-connected-ovn-dualstack-metal-conformance`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

…ports (openshift#75256)

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 25, 2026

zhfeng force-pushed the fix-hypershift-catalogsource-api-wait branch from 0159fd6 to ae9081f Compare February 26, 2026 12:31

zhfeng changed the title ~~Wait for hosted cluster API before enabling QE catalogsource~~ Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_ports Feb 26, 2026

zhfeng mentioned this pull request Feb 27, 2026

Validate HostedCluster conditions for Agent #74082

Merged

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

7314642

…ports

zhfeng force-pushed the fix-hypershift-catalogsource-api-wait branch from ae9081f to 7314642 Compare February 27, 2026 12:05

zhfeng marked this pull request as ready for review February 27, 2026 12:05

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 27, 2026

openshift-ci bot requested review from avishayt and csrwng February 27, 2026 12:05

openshift-ci-robot added rehearsals-ack Signifies that rehearsal jobs have been acknowledged and removed rehearsals-ack Signifies that rehearsal jobs have been acknowledged labels Feb 27, 2026

openshift-ci-robot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Feb 27, 2026

openshift-ci bot assigned heliubj18 Feb 28, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2026

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 28, 2026

openshift-merge-bot bot merged commit 75cf8b0 into openshift:main Feb 28, 2026
9 checks passed

wangke19 pushed a commit to wangke19/release that referenced this pull request Mar 4, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

cce917d

…ports (openshift#75256)

zhfeng added a commit to zhfeng/release that referenced this pull request Mar 4, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

2d17a18

…ports (openshift#75256)

zhfeng mentioned this pull request Mar 4, 2026

OCPQE-31708: Add all hosted cluster service NodePorts to squid allowed_ssl_ports #75701

Merged

3 tasks

rrasouli pushed a commit to rrasouli/release that referenced this pull request Mar 5, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

9155904

…ports (openshift#75256)

sdodson pushed a commit to sdodson/release that referenced this pull request Mar 8, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

4d6df93

…ports (openshift#75256)

SeanZhao-redhat pushed a commit to SeanZhao-redhat/openshift-release that referenced this pull request Mar 9, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

18d888d

…ports (openshift#75256)

kasturinarra pushed a commit to kasturinarra/release that referenced this pull request Mar 11, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

2584e53

…ports (openshift#75256)

tareqalayan pushed a commit to tareqalayan/release that referenced this pull request Mar 13, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

d2419d3

…ports (openshift#75256)

qiliRedHat pushed a commit to qiliRedHat/release that referenced this pull request Mar 13, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

dfd6b4e

…ports (openshift#75256)

MayXuQQ pushed a commit to MayXuQQ/release that referenced this pull request Mar 17, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

67a280a

…ports (openshift#75256)

kasturinarra pushed a commit to kasturinarra/release that referenced this pull request Mar 17, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

e344fde

…ports (openshift#75256)

sairameshv pushed a commit to sairameshv/release that referenced this pull request Mar 23, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

7211e26

…ports (openshift#75256)

zhouying7780 pushed a commit to zhouying7780/release that referenced this pull request Mar 25, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

b1dd316

…ports (openshift#75256)

rrasouli pushed a commit to rrasouli/release that referenced this pull request Mar 25, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

dda5588

…ports (openshift#75256)

anpingli pushed a commit to anpingli/release that referenced this pull request Mar 30, 2026

Fix squid proxy by adding hosted cluster API NodePort to allowed_ssl_…

1bb9f03

…ports (openshift#75256)

Conversation

zhfeng commented Feb 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Uh oh!

openshift-ci bot commented Feb 25, 2026

Uh oh!

zhfeng commented Feb 25, 2026

Uh oh!

openshift-ci-robot commented Feb 25, 2026

Uh oh!

zhfeng commented Feb 25, 2026

Uh oh!

openshift-ci-robot commented Feb 25, 2026

Uh oh!

zhfeng commented Feb 26, 2026

Uh oh!

openshift-ci-robot commented Feb 26, 2026

Uh oh!

zhfeng commented Feb 26, 2026

Uh oh!

openshift-ci-robot commented Feb 26, 2026

Uh oh!

zhfeng commented Feb 27, 2026

Uh oh!

openshift-ci-robot commented Feb 27, 2026

Uh oh!

zhfeng commented Feb 27, 2026

Uh oh!

openshift-ci-robot commented Feb 27, 2026

Uh oh!

zhfeng commented Feb 27, 2026

Uh oh!

openshift-ci-robot commented Feb 27, 2026

Uh oh!

zhfeng commented Feb 27, 2026

Uh oh!

openshift-ci-robot commented Feb 27, 2026

Uh oh!

openshift-ci-robot commented Feb 27, 2026

Uh oh!

zhfeng commented Feb 27, 2026

Uh oh!

openshift-ci-robot commented Feb 27, 2026

Uh oh!

heliubj18 commented Feb 28, 2026

Uh oh!

openshift-ci bot commented Feb 28, 2026

Uh oh!

openshift-ci bot commented Feb 28, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

zhfeng commented Feb 25, 2026 •

edited

Loading