inject proxy env vars into requesting workload resources#224
openshift-merge-robot merged 1 commit into openshift:master from
Conversation
@ironcladlou @bparees fyi

@bparees: GitHub didn't allow me to request PR reviews from the following users: danehans. Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
also /cc @adambkaplan @dmage @cdaley as this would be relevant to the registry operator if it were implemented, since it is currently managing its own proxy env config (inconveniently). |
```go
// if proxy injection is requested, get the proxy values and use them
// TODO You'll want a mutation helper that takes a pointer to a pod spec so you can wire it to other workload resources
if containerNamesString := deployment.Annotations["config.openshift.io/inject-proxy"]; len(containerNamesString) > 0 {
```
Which operators would use this? The ones that need all of their traffic to go through the proxy, including service network (I assume status.noProxy must ALWAYS contain service network or you cause an outage?)
auth operator for example....
the noProxy will be provided by network operator which should set these (I asked him same question during arch call ;-)
The image registry operator may use this. We already have similar logic inside of our reconciliation loop. The expectation is that noProxy covers the API server. And our operator needs to interact with external services like S3.
the noProxy will be provided by network operator which should set these
That's correct. I plan to enforce the default noProxy values as part of openshift/cluster-network-operator#245
@danehans the registry operator communicates to cloud apis even when the cluster is not running on that particular cloud.
@danehans I don't know if that is desirable, particularly if a customer wants their baremetal cluster to have all outbound traffic go through their proxy (and yet still use s3 or other cloud provider storage as their backend).
@bparees the registry operator is then responsible for augmenting the cluster-wide noProxy with additional no proxy values, correct?
My point is that the registry operator has a need to use the proxy configuration when it is talking to the cloud APIs that exist outside the cloud provider the cluster is running on. NoProxy is irrelevant.
@dmage was observing that the registry operator has a use for this proxy env injection. You said they didn't need it because they are talking to cloud APIs, but that is incorrect. They are talking to cloud APIs, but not cloud APIs from the cluster's cloud provider, therefore they will need to go through the proxy (assuming the customer's network topology requires it, which would be our assumption since it's external traffic like any other).
If the customer does not want their AWS API calls going through the proxy (and assuming their network topology doesn't require it), the admin would have to add the AWS API endpoints to their NoProxy value.
I don't know if that is desirable, particularly if a customer wants their baremetal cluster to have all outbound traffic go through their proxy (and yet still use s3 or other cloud provider storage as their backend).
@adambkaplan the cloud metadata ip will not be set for vsphere, baremetal and non platform types.
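The sub-thread above turns on one invariant: whatever status.noProxy ends up being, it must bypass the API server, api-int, the service network and the cluster domain, while genuinely external endpoints such as S3 still go through the proxy. The check below is an added example, not code from this PR or from any OpenShift operator. It parses a NO_PROXY value with the matching rules Go's net/http proxy support applies ("*" bypasses everything, CIDRs and literal IPs match addresses, "example.com" matches the name and its subdomains, a leading dot matches subdomains only, loopback and localhost are always direct) and reports which required in-cluster endpoints would wrongly be proxied. The assumption is that the consuming binaries are Go programs; curl and Python treat a leading dot slightly differently, and entries carrying a port are not modelled. The noProxy value and host list in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// NoProxyEntry is one parsed element of a NO_PROXY list (assumption: the
// matching rules mirror Go's net/http proxy code; host:port entries are not
// modelled).
type NoProxyEntry struct {
	all    bool       // "*"
	cidr   *net.IPNet // "172.30.0.0/16"
	ip     net.IP     // literal address
	suffix string     // domain entry, always stored with a leading dot
	exact  bool       // entry had no leading dot, so the bare name matches too
}

// ParseNoProxy splits a comma-separated NO_PROXY value into matchers.
func ParseNoProxy(noProxy string) []NoProxyEntry {
	var entries []NoProxyEntry
	for _, raw := range strings.Split(noProxy, ",") {
		raw = strings.ToLower(strings.TrimSpace(raw))
		switch {
		case raw == "":
		case raw == "*":
			entries = append(entries, NoProxyEntry{all: true})
		default:
			if _, n, err := net.ParseCIDR(raw); err == nil {
				entries = append(entries, NoProxyEntry{cidr: n})
			} else if ip := net.ParseIP(raw); ip != nil {
				entries = append(entries, NoProxyEntry{ip: ip})
			} else {
				raw = strings.TrimPrefix(raw, "*") // "*.example.com" behaves like ".example.com"
				if strings.HasPrefix(raw, ".") {
					entries = append(entries, NoProxyEntry{suffix: raw})
				} else {
					entries = append(entries, NoProxyEntry{suffix: "." + raw, exact: true})
				}
			}
		}
	}
	return entries
}

// Bypassed reports whether host (a bare hostname or IP literal, no port) would
// be sent directly rather than through the proxy.
func Bypassed(entries []NoProxyEntry, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	ip := net.ParseIP(host)
	if host == "localhost" || (ip != nil && ip.IsLoopback()) {
		return true
	}
	for _, e := range entries {
		switch {
		case e.all:
			return true
		case ip != nil:
			if (e.cidr != nil && e.cidr.Contains(ip)) || (e.ip != nil && e.ip.Equal(ip)) {
				return true
			}
		case e.suffix != "":
			if strings.HasSuffix(host, e.suffix) || (e.exact && host == e.suffix[1:]) {
				return true
			}
		}
	}
	return false
}

// Uncovered returns, in input order, the endpoints that a workload carrying
// this NO_PROXY would wrongly route through the proxy. Run it over the API
// server, api-int, a service-network address and the cluster domain before
// rolling a Proxy config out; anything it returns is a future outage.
func Uncovered(noProxy string, mustBypass []string) []string {
	entries := ParseNoProxy(noProxy)
	var out []string
	for _, h := range mustBypass {
		if !Bypassed(entries, h) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	// Constructed sample: a plausible cluster-wide noProxy and the endpoints
	// that must never be proxied, plus S3 as a deliberate external control.
	noProxy := ".cluster.local,.svc,172.30.0.0/16,10.128.0.0/14,api-int.example.com"
	hosts := []string{"api-int.example.com", "kubernetes.default.svc", "172.30.0.1", "10.129.2.7", "s3.amazonaws.com"}
	fmt.Println("would be proxied:", Uncovered(noProxy, hosts)) // prints [s3.amazonaws.com]
}
```

Bypassed takes a host without a port on purpose: NO_PROXY evaluation happens on the host part, and passing "api-int.example.com:6443" would make a correct entry look like a miss.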
/hold

@abhinavdahiya have you looked at this PR yet?

We've agreed to go this route. /hold cancel
How do we handle a case where an operator wants to remove the envs from its containers as part of the update??
```go
"k8s.io/klog"
v1 "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
```
It's hard to imagine where that's useful. We can build a special value into the annotation if it comes up.
set .metadata.annotations["config.openshift.io/inject-proxy"]="container1,initcontainer2" to inject into specified container names
Sure. I think this gets other operators unblocked for the time being. I'll take a todo to add some docs and any fixes needed for 4.1 to 4.2 upgrade. Thanks! /lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: abhinavdahiya, deads2k. The full list of commands accepted by this bot can be found here. The pull request process is described here. Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing

/hold

/hold cancel
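The mechanism agreed on in this thread is small: a workload opts in with the annotation `config.openshift.io/inject-proxy` whose value lists container and init container names, and the controller writes the cluster-wide proxy values into exactly those containers. The following is an added example of that mutation, written for this page and not taken from the PR or from openshift/library-go. It addresses the review TODO by operating on a pointer to the pod spec rather than on a Deployment, so the same helper can be wired to any workload resource, and it adds two checks a practitioner wants: overwriting an existing variable in place (so reconciles are idempotent and never duplicate entries), and failing loudly when the annotation names a container that does not exist, since a typo that silently skips injection leaves a workload without proxy settings. The `EnvVar`, `Container` and `PodSpec` types are minimal stand-ins for the corev1 types so the example builds without k8s.io/api; `ProxyStatus` and the variable names HTTP_PROXY/HTTPS_PROXY/NO_PROXY are assumptions, as the PR's exact names are not shown on the page. The sample pod spec and proxy values in main are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Minimal stand-ins for the corev1 types (assumption: only the fields the
// mutation touches are modelled, so this builds without k8s.io/api).
type EnvVar struct {
	Name  string
	Value string
}

type Container struct {
	Name string
	Env  []EnvVar
}

type PodSpec struct {
	InitContainers []Container
	Containers     []Container
}

// ProxyStatus carries the resolved cluster-wide values; on a cluster they come
// from the Proxy object's status (assumption: plain strings suffice here).
type ProxyStatus struct {
	HTTPProxy  string
	HTTPSProxy string
	NoProxy    string
}

// InjectProxyAnnotation's value is "container1,initcontainer2" style.
const InjectProxyAnnotation = "config.openshift.io/inject-proxy"

// parseTargets turns the annotation value into a set of container names,
// dropping surrounding whitespace and empty entries.
func parseTargets(value string) map[string]bool {
	targets := map[string]bool{}
	for _, name := range strings.Split(value, ",") {
		if name = strings.TrimSpace(name); name != "" {
			targets[name] = true
		}
	}
	return targets
}

// setEnv overwrites a variable of the same name in place or appends it, so a
// repeated reconcile never accumulates duplicate entries.
func setEnv(env []EnvVar, name, value string) []EnvVar {
	for i := range env {
		if env[i].Name == name {
			env[i].Value = value
			return env
		}
	}
	return append(env, EnvVar{Name: name, Value: value})
}

// InjectProxyEnv mutates spec in place and returns the sorted names of the
// containers it touched. Values are written even when empty so a stale value
// from an earlier rollout is cleared (assumption about desired semantics). A
// name that matches no container is an error rather than a silent skip.
func InjectProxyEnv(annotations map[string]string, spec *PodSpec, proxy ProxyStatus) ([]string, error) {
	targets := parseTargets(annotations[InjectProxyAnnotation])
	if len(targets) == 0 {
		return nil, nil // injection not requested for this workload
	}
	vars := []EnvVar{ // ordered, so the resulting spec is stable across reconciles
		{Name: "HTTP_PROXY", Value: proxy.HTTPProxy},
		{Name: "HTTPS_PROXY", Value: proxy.HTTPSProxy},
		{Name: "NO_PROXY", Value: proxy.NoProxy},
	}
	var touched []string
	apply := func(containers []Container) {
		for i := range containers {
			c := &containers[i]
			if !targets[c.Name] {
				continue
			}
			for _, v := range vars {
				c.Env = setEnv(c.Env, v.Name, v.Value)
			}
			touched = append(touched, c.Name)
			delete(targets, c.Name)
		}
	}
	apply(spec.InitContainers)
	apply(spec.Containers)
	sort.Strings(touched)
	if len(targets) > 0 {
		missing := make([]string, 0, len(targets))
		for name := range targets {
			missing = append(missing, name)
		}
		sort.Strings(missing)
		return touched, fmt.Errorf("%s names containers not in the pod spec: %s", InjectProxyAnnotation, strings.Join(missing, ","))
	}
	return touched, nil
}

func main() {
	// Constructed sample: container1 carries a stale HTTP_PROXY, the sidecar
	// is not listed in the annotation and must stay untouched.
	spec := &PodSpec{
		InitContainers: []Container{{Name: "initcontainer2"}},
		Containers: []Container{
			{Name: "container1", Env: []EnvVar{{Name: "HTTP_PROXY", Value: "http://old-proxy:3128"}}},
			{Name: "sidecar"},
		},
	}
	annotations := map[string]string{InjectProxyAnnotation: "container1,initcontainer2"}
	proxy := ProxyStatus{HTTPProxy: "http://proxy.example.com:3128", HTTPSProxy: "http://proxy.example.com:3128", NoProxy: ".svc,.cluster.local,172.30.0.0/16"}
	touched, err := InjectProxyEnv(annotations, spec, proxy)
	fmt.Println("touched:", touched, "err:", err)
	fmt.Printf("container1: %+v\nsidecar: %+v\n", spec.Containers[0].Env, spec.Containers[1].Env)
}
```

Because the helper only ever sets the three variables, it cannot answer the "how do I remove them again" question raised above; that would need the special annotation value the reviewer mentions, and a branch here that deletes the three names from `Env` when it is present.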