-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WINC-1152, OCPBUGS-24264: [cluster] Keep comma as delimiter in noProxy list #1998
WINC-1152, OCPBUGS-24264: [cluster] Keep comma as delimiter in noProxy list #1998
Conversation
Skipping CI for Draft Pull Request. |
Reverts an erroneous sanitization step in WMCO that replaced commas with semicolons in the user's cluster-wide proxy configuration. This was causing Windows to ignore the values set in the noProxy environment variable, incorrectly sending traffic through the proxy. From the Azure PowerShell docs: `NO_PROXY: a comma-separated list of hostnames that should be excluded from proxying.` `noProxy list should not contain semicolon delimiters (;). Use (,) to delimit the noProxy domains.`
4679c38
to
9ac4b07
Compare
/test vsphere-proxy-e2e-operator |
/test vsphere-proxy-e2e-operator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@saifshaikh48 thanks for working on this. PTAL at my comments.
// on Windows, hostname lists are separated by semicolons rather than the Linux default of commas | ||
sanitizedVal := strings.ReplaceAll(value, ",", ";") | ||
clusterWideProxyVars[envVar] = sanitizedVal | ||
clusterWideProxyVars[envVar] = value |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure about unquestioningly trusting the content of value
. Does this mertis a check/validation here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about trimming spaces? How does Windows react to localhost, 127.0.0.2
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Managing entities (CVO and/or OLM) do basic validations around this to ensure the URLs/domains are well-formed. No further checks needed from our side
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking more about the token separator, i.e. ;
or ,
existingEnvVars: map[string]string{"NO_PROXY": "localhost;127.0.0.1", "HTTP_PROXY": "http://example.com"}, | ||
configMapEnvVars: map[string]string{"NO_PROXY": "localhost;127.0.0.1"}, | ||
existingEnvVars: map[string]string{"NO_PROXY": "localhost,127.0.0.1", "HTTP_PROXY": "http://example.com"}, | ||
configMapEnvVars: map[string]string{"NO_PROXY": "localhost,127.0.0.1"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If a check is introduced, consider adding a test with an invalid value. e.g localhost;27.0.0.2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
semicolon-separated value is still valid from WICD unit test/Windows OS perspective. The WMCO e2e integration tests would fail/signal to handle this
@@ -366,9 +366,7 @@ func GetProxyVars() map[string]string { | |||
for _, envVar := range WatchedEnvironmentVars { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
clusterWideProxyVars = make(map[string]string, 3)
It might be out of scope, but consider avoiding the magic constant (3
) with:
clusterWideProxyVars = make(map[string]string, len(WatchedEnvironmentVars))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice find
I was wondering why I thought semicolons were used in PS. Turns out the manual testing we did was using netsh, one of the only tools (along with Microsoft Edge CLI) that uses a bypass-list
|
/lgtm |
d55ed02
to
8d4ac6e
Compare
/test vsphere-proxy-e2e-operator |
test/e2e/proxy_test.go
Outdated
if err != nil { | ||
require.NoError(t, err) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there should be no if statement
just require.NoError
test/e2e/proxy_test.go
Outdated
command := "$response = $(Invoke-WebRequest -UseBasicParsing https://raw.githubusercontent.com/openshift/windows-machine-config-operator/master/README.md); $response.Headers['Via']" | ||
out, err := tc.runPowerShellSSHJob("get-webrequest-via-header", command, addr) | ||
require.NoErrorf(t, err, "unable to retrieve response 'Via' header") | ||
|
||
viaHeader := strings.TrimSpace(out) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make a helper function for this.
such as func (tc *testContext) getOutboundProxy
or getOutboundHTTPViaHeaders
A documented helper will help with code readability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An example of the returned string would be good here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it also stops the duplicated code thats occuring in the noproxy test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
100%, will remove the code duplication in the final draft
test/e2e/proxy_test.go
Outdated
assert.Truef(t, viaHeader == clusterProxy.Status.HTTPProxy || viaHeader == clusterProxy.Status.HTTPSProxy, | ||
"expected response header 'Via' to be either '%s' or '%s' but instead held value: '%s'", | ||
clusterProxy.Status.HTTPProxy, clusterProxy.Status.HTTPSProxy, viaHeader) | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can there be multiple via headers?
Seems that way looking at MDN docs.
How is that being handled?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. I'll change this to search for a via reader whose value is the cluster-wide proxy
along the lines of
$response.Headers["Via"] == clusterProxy.Status.HTTPProxy || $response.Headers["Via"] == clusterProxy.Status.HTTPSProxy
test/e2e/proxy_test.go
Outdated
// TODO: circumvent the proxy if the target address is specified in the NO_PROXY list | ||
func (tc *testContext) testNoProxyRequest(t *testing.T) { | ||
clusterProxy, err := tc.client.Config.ConfigV1().Proxies().Get(context.TODO(), "cluster", meta.GetOptions{}) | ||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
drop the if
test/e2e/proxy_test.go
Outdated
addr, err := controllers.GetAddress(node.Status.Addresses) | ||
require.NoError(t, err, "unable to get node address") | ||
|
||
command := "$response = $(Invoke-WebRequest -UseBasicParsing https://raw.githubusercontent.com/openshift/windows-machine-config-operator/master/README.md); $response.Headers['Via']" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remind me, is this only for external connections?
can we launch a service and query that via DNS so we arent relying on google and github?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had thought of that initially but, yes external requests only
c443b9e
to
352653a
Compare
test/e2e/proxy_test.go
Outdated
@@ -39,6 +39,9 @@ const ( | |||
// userCABundleName is the name of the ConfigMap that holds additional user-provided proxy certs | |||
userCABundleName = "user-ca-bundle" | |||
userCABundleNamespace = "openshift-config" | |||
|
|||
// whitelist is a list of domains that are not to be proxied | |||
whitelist = "static.redhat.com,redhat.io,google.com" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/whitelist/noProxyList
test/e2e/proxy_test.go
Outdated
@@ -39,6 +39,9 @@ const ( | |||
// userCABundleName is the name of the ConfigMap that holds additional user-provided proxy certs | |||
userCABundleName = "user-ca-bundle" | |||
userCABundleNamespace = "openshift-config" | |||
|
|||
// whitelist is a list of domains that are not to be proxied |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for
which the proxy should not be used.
As per oc explain proxies.spec.noProxy
.
test/e2e/proxy_test.go
Outdated
@@ -351,6 +405,21 @@ func (tc *testContext) getEnvVar(addr, name, command string) (map[string]string, | |||
return parseWindowsEnvVars(out), nil | |||
} | |||
|
|||
// configureNoProxy configures the cluster-wide proxy's bypass list with specific URLs for testing purposes | |||
func (tc *testContext) configureNoProxy() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider passing the no proxy list as a parameter of the function.
if err != nil { | ||
return fmt.Errorf("unable to patch %s: %w", string(patchData), err) | ||
} | ||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider returning just err
instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
prefer more context here IMO. Having the patchData in the error makes it much easier to debug if something goes wrong
/test vsphere-proxy-e2e-operator |
1 similar comment
/test vsphere-proxy-e2e-operator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on this @saifshaikh48 . This looks much clear and concise.
test/e2e/proxy_test.go
Outdated
}) | ||
|
||
t.Run("NO_PROXY request", func(t *testing.T) { | ||
whitelistedUrl := "google.com" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about permitted/nonproxied URL
236d1d3
to
615e880
Compare
@saifshaikh48: This pull request references Jira Issue OCPBUGS-19997, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/lgtm |
/test vsphere-proxy-e2e-operator |
} | ||
|
||
// verifyCurlOutput parses the output of a curl request searching for any proxy variables in use and proxy headers | ||
func verifyCurlOutput(output, httpProxyURL, noProxyList string) (bool, bool, bool) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should this be named noProxyList, or noProxyURL?
if a comma separated list is passed in would that work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A list works (that’s what the test does now) and a single URL would also work (if the noProxy value in the cluster wide proxy was just a single URL)
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: saifshaikh48, sebsoto The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/cherry-pick release-4.15 |
@saifshaikh48: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cherry-pick release-4.14 |
@saifshaikh48: once the present PR merges, I will cherry-pick it on top of release-4.14 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest-required Not sure why none of the e2e tests are kicking off automatically. |
/test aws-e2e-operator |
/test aws-e2e-upgrade |
@saifshaikh48: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@saifshaikh48: Jira Issue OCPBUGS-24264: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-24264 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
@saifshaikh48: new pull request created: #2015 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@saifshaikh48: new pull request created: #2016 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retitle WINC-1152, OCPBUGS-24264: [cluster] Keep comma as delimiter in noProxy list |
/jira refresh |
@jrvaldes: Jira Issue OCPBUGS-24264 is in an unrecognized state (Verified) and will not be moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Reverts an erroneous sanitization step in WMCO that replaced commas with semicolons in the user's cluster-wide proxy configuration. This was causing Windows to ignore the values set in the noProxy environment variable, incorrectly sending traffic through the proxy.
From the Azure PowerShell docs:
NO_PROXY: a comma-separated list of hostnames that should be excluded from proxying.
[1]noProxy list should not contain semicolon delimiters (;). Use (,) to delimit the noProxy domains.
[2]