WINC-1152, OCPBUGS-24264: [cluster] Keep comma as delimiter in noProxy list #1998
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
Reverts an erroneous sanitization step in WMCO that replaced commas with semicolons in the user's cluster-wide proxy configuration. This was causing Windows to ignore the values set in the noProxy environment variable, incorrectly sending traffic through the proxy. From the Azure PowerShell docs: `NO_PROXY: a comma-separated list of hostnames that should be excluded from proxying.` `noProxy list should not contain semicolon delimiters (;). Use (,) to delimit the noProxy domains.`
saifshaikh48
force-pushed
the
commas-in-noproxy
branch
from
4679c38
to
9ac4b07
Compare
|
/test vsphere-proxy-e2e-operator |
|
/test vsphere-proxy-e2e-operator |
There was a problem hiding this comment.
@saifshaikh48 thanks for working on this. PTAL at my comments.
| // on Windows, hostname lists are separated by semicolons rather than the Linux default of commas | ||
| sanitizedVal := strings.ReplaceAll(value, ",", ";") | ||
| clusterWideProxyVars[envVar] = sanitizedVal | ||
| clusterWideProxyVars[envVar] = value |
There was a problem hiding this comment.
Not sure about unquestioningly trusting the content of value. Does this mertis a check/validation here?
There was a problem hiding this comment.
What do you think about trimming spaces? How does Windows react to localhost, 127.0.0.2?
There was a problem hiding this comment.
Managing entities (CVO and/or OLM) do basic validations around this to ensure the URLs/domains are well-formed. No further checks needed from our side
There was a problem hiding this comment.
I was thinking more about the token separator, i.e. ; or ,
| existingEnvVars: map[string]string{"NO_PROXY": "localhost;127.0.0.1", "HTTP_PROXY": "http://example.com"}, | ||
| configMapEnvVars: map[string]string{"NO_PROXY": "localhost;127.0.0.1"}, | ||
| existingEnvVars: map[string]string{"NO_PROXY": "localhost,127.0.0.1", "HTTP_PROXY": "http://example.com"}, | ||
| configMapEnvVars: map[string]string{"NO_PROXY": "localhost,127.0.0.1"}, |
There was a problem hiding this comment.
If a check is introduced, consider adding a test with an invalid value. e.g localhost;27.0.0.2
There was a problem hiding this comment.
semicolon-separated value is still valid from WICD unit test/Windows OS perspective. The WMCO e2e integration tests would fail/signal to handle this
| @@ -366,9 +366,7 @@ func GetProxyVars() map[string]string { | |||
| for _, envVar := range WatchedEnvironmentVars { | |||
There was a problem hiding this comment.
clusterWideProxyVars = make(map[string]string, 3)
It might be out of scope, but consider avoiding the magic constant (3) with:
clusterWideProxyVars = make(map[string]string, len(WatchedEnvironmentVars))
|
I was wondering why I thought semicolons were used in PS. Turns out the manual testing we did was using netsh, one of the only tools (along with Microsoft Edge CLI) that uses a bypass-list
|
|
/lgtm |
openshift-ci
bot
added
lgtm
saifshaikh48
force-pushed
the
commas-in-noproxy
branch
from
d55ed02
to
8d4ac6e
Compare
|
/test vsphere-proxy-e2e-operator |
test/e2e/proxy_test.go
Outdated
| if err != nil { | ||
| require.NoError(t, err) | ||
| } |
There was a problem hiding this comment.
there should be no if statement
just require.NoError
test/e2e/proxy_test.go
Outdated
| command := "$response = $(Invoke-WebRequest -UseBasicParsing https://raw.githubusercontent.com/openshift/windows-machine-config-operator/master/README.md); $response.Headers['Via']" | ||
| out, err := tc.runPowerShellSSHJob("get-webrequest-via-header", command, addr) | ||
| require.NoErrorf(t, err, "unable to retrieve response 'Via' header") | ||
|
|
||
| viaHeader := strings.TrimSpace(out) |
There was a problem hiding this comment.
Please make a helper function for this.
such as func (tc *testContext) getOutboundProxy or getOutboundHTTPViaHeaders
A documented helper will help with code readability.
There was a problem hiding this comment.
An example of the returned string would be good here.
There was a problem hiding this comment.
it also stops the duplicated code thats occuring in the noproxy test
There was a problem hiding this comment.
100%, will remove the code duplication in the final draft
test/e2e/proxy_test.go
Outdated
| assert.Truef(t, viaHeader == clusterProxy.Status.HTTPProxy || viaHeader == clusterProxy.Status.HTTPSProxy, | ||
| "expected response header 'Via' to be either '%s' or '%s' but instead held value: '%s'", | ||
| clusterProxy.Status.HTTPProxy, clusterProxy.Status.HTTPSProxy, viaHeader) | ||
| }) |
There was a problem hiding this comment.
Can there be multiple via headers?
Seems that way looking at MDN docs.
How is that being handled?
There was a problem hiding this comment.
Good catch. I'll change this to search for a via reader whose value is the cluster-wide proxy
along the lines of
$response.Headers["Via"] == clusterProxy.Status.HTTPProxy || $response.Headers["Via"] == clusterProxy.Status.HTTPSProxy
test/e2e/proxy_test.go
Outdated
| // TODO: circumvent the proxy if the target address is specified in the NO_PROXY list | ||
| func (tc *testContext) testNoProxyRequest(t *testing.T) { | ||
| clusterProxy, err := tc.client.Config.ConfigV1().Proxies().Get(context.TODO(), "cluster", meta.GetOptions{}) | ||
| if err != nil { |
test/e2e/proxy_test.go
Outdated
| addr, err := controllers.GetAddress(node.Status.Addresses) | ||
| require.NoError(t, err, "unable to get node address") | ||
|
|
||
| command := "$response = $(Invoke-WebRequest -UseBasicParsing https://raw.githubusercontent.com/openshift/windows-machine-config-operator/master/README.md); $response.Headers['Via']" |
There was a problem hiding this comment.
remind me, is this only for external connections?
can we launch a service and query that via DNS so we arent relying on google and github?
There was a problem hiding this comment.
I had thought of that initially but, yes external requests only
saifshaikh48
force-pushed
the
commas-in-noproxy
branch
2 times, most recently
from
c443b9e
to
352653a
Compare
test/e2e/proxy_test.go
Outdated
| @@ -39,6 +39,9 @@ const ( | |||
| // userCABundleName is the name of the ConfigMap that holds additional user-provided proxy certs | |||
| userCABundleName = "user-ca-bundle" | |||
| userCABundleNamespace = "openshift-config" | |||
|
|
|||
| // whitelist is a list of domains that are not to be proxied | |||
| whitelist = "static.redhat.com,redhat.io,google.com" | |||
test/e2e/proxy_test.go
Outdated
| @@ -39,6 +39,9 @@ const ( | |||
| // userCABundleName is the name of the ConfigMap that holds additional user-provided proxy certs | |||
| userCABundleName = "user-ca-bundle" | |||
| userCABundleNamespace = "openshift-config" | |||
|
|
|||
| // whitelist is a list of domains that are not to be proxied | |||
There was a problem hiding this comment.
noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for
which the proxy should not be used.
As per oc explain proxies.spec.noProxy.
test/e2e/proxy_test.go
Outdated
| @@ -351,6 +405,21 @@ func (tc *testContext) getEnvVar(addr, name, command string) (map[string]string, | |||
| return parseWindowsEnvVars(out), nil | |||
| } | |||
|
|
|||
| // configureNoProxy configures the cluster-wide proxy's bypass list with specific URLs for testing purposes | |||
| func (tc *testContext) configureNoProxy() error { | |||
There was a problem hiding this comment.
Consider passing the no proxy list as a parameter of the function.
| if err != nil { | ||
| return fmt.Errorf("unable to patch %s: %w", string(patchData), err) | ||
| } | ||
| return nil |
There was a problem hiding this comment.
Consider returning just err instead.
There was a problem hiding this comment.
prefer more context here IMO. Having the patchData in the error makes it much easier to debug if something goes wrong
|
/test vsphere-proxy-e2e-operator |
1 similar comment
|
/test vsphere-proxy-e2e-operator |
There was a problem hiding this comment.
Thanks for working on this @saifshaikh48 . This looks much clear and concise.
test/e2e/proxy_test.go
Outdated
| }) | ||
|
|
||
| t.Run("NO_PROXY request", func(t *testing.T) { | ||
| whitelistedUrl := "google.com" |
There was a problem hiding this comment.
how about permitted/nonproxied URL
saifshaikh48
force-pushed
the
commas-in-noproxy
branch
2 times, most recently
from
236d1d3
to
615e880
Compare
saifshaikh48
changed the title
openshift-ci-robot
added
jira/severity-moderate
|
@saifshaikh48: This pull request references Jira Issue OCPBUGS-19997, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/lgtm |
|
/test vsphere-proxy-e2e-operator |
| } | ||
|
|
||
| // verifyCurlOutput parses the output of a curl request searching for any proxy variables in use and proxy headers | ||
| func verifyCurlOutput(output, httpProxyURL, noProxyList string) (bool, bool, bool) { |
There was a problem hiding this comment.
should this be named noProxyList, or noProxyURL?
if a comma separated list is passed in would that work?
There was a problem hiding this comment.
A list works (that’s what the test does now) and a single URL would also work (if the noProxy value in the cluster wide proxy was just a single URL)
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: saifshaikh48, sebsoto The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/cherry-pick release-4.15 |
|
@saifshaikh48: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.14 |
|
@saifshaikh48: once the present PR merges, I will cherry-pick it on top of release-4.14 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest-required Not sure why none of the e2e tests are kicking off automatically. |
|
/test aws-e2e-operator |
|
/test aws-e2e-upgrade |
|
@saifshaikh48: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@saifshaikh48: Jira Issue OCPBUGS-24264: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-24264 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@saifshaikh48: new pull request created: #2015 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@saifshaikh48: new pull request created: #2016 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retitle WINC-1152, OCPBUGS-24264: [cluster] Keep comma as delimiter in noProxy list |
openshift-ci
bot
changed the title
|
/jira refresh |
|
@jrvaldes: Jira Issue OCPBUGS-24264 is in an unrecognized state (Verified) and will not be moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Reverts an erroneous sanitization step in WMCO that replaced commas with semicolons in the user's cluster-wide proxy configuration. This was causing Windows to ignore the values set in the noProxy environment variable, incorrectly sending traffic through the proxy.
From the Azure PowerShell docs:
NO_PROXY: a comma-separated list of hostnames that should be excluded from proxying.[1]noProxy list should not contain semicolon delimiters (;). Use (,) to delimit the noProxy domains.[2]