Check that when proxy is set, all http/https requests are going through the proxy

crc-org / crc

CRC is a tool to help you run containers. It manages a local OpenShift 4.x cluster, Microshift or a Podman VM optimized for testing and development purposes

https://crc.dev

Apache License 2.0

1.26k stars 242 forks source link

Check that when proxy is set, all http/https requests are going through the proxy #889

Open cfergeau opened 4 years ago

cfergeau commented 4 years ago

Start tcpdump host 192.168.130.11 on the host as root

Setup proxy for crc (I did it through env vars)

Run crc start

I'd expect the proxy to be the only destination for http/https requests. At the moment tcpdump is showing direct requests to aws, akamai (without going through the proxy). When I deploy a nodejs app following odo tutorial https://docs.openshift.com/container-platform/4.2/cli_reference/openshift_developer_cli/creating-a-single-component-application-with-odo.html I've also seen direct requests to cloudfare.

There are at least 3 possible explanations:

my testing is flawed
crc missed some steps configuring proxy support
some openshift components do not support proxy yet

It would be useful to figure out what's happening :)

cfergeau commented 4 years ago

https://github.com/code-ready/crc/issues/898 is one possible source for these extra requests. Some operators rely on the cluster-version-operator to propagate the proxy settings, which is disabled in the crc case.

cfergeau commented 4 years ago

I did more investigations around this using tcpconnect from bcc-tools

the ingress and image-registry operators need the proxy settings to be set by crc as they use the inject-proxy annotation (PR coming)
filed https://bugzilla.redhat.com/show_bug.cgi?id=1805168 for openshift-controller-manager not making use of the proxy
when creating a new app, if only http_proxy is set (and not https_proxy), then git requests do not go through the proxy

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

cfergeau commented 4 years ago

The last known issue has been fixed but is not backported to 4.4 yet. One thing to note is that one must set both http-proxy and https-proxy, otherwise the cluster-version-operator, and some git helpers won't make use of the proxy in some cases.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

praveenkumar commented 4 years ago

@cfergeau since we are now moved with 4.5 which already have fix for those operators, can we close this now or we should add have the integration test for the same?

cfergeau commented 4 years ago

I'd do 2 things

manually check that everything is indeed fixed (I'll try to do that later this week) as it was not yet last time I tried
in the integration tests, we need to make sure at least some of the requests go through the proxy (either by blocking totally non-proxy external access, or by grepping the proxy server's log, or some other way). Ideally we'd also make sure that no requests are not avoiding the proxy, but this might be a bit too complex.