LOG-8068: Vector can't access log stores outside the cluster when restrict network policy is enabled and the cluster has cluster-wide proxy.

Clee2691 · Clee2691 · commit dbfb668abc03 · 2025-11-03T12:20:21.000-05:00
diff --git a/internal/network/network_policy.go b/internal/network/network_policy.go
@@ -23,14 +23,26 @@ func ReconcileClusterLogForwarderNetworkPolicy(k8Client client.Client, namespace
 
 	// For RestrictIngressEgress, determine the ports to use based on URLs in outputs and defaults
 	if policyRuleSet == obsv1.NetworkPolicyRuleSetTypeRestrictIngressEgress {
-		// Parse ports with protocols from outputs
-		if len(outputs) > 0 {
-			egressPorts = GetOutputPortsWithProtocols(outputs)
-		}
 		// Parse ports from inputs (receiver inputs use TCP)
 		if len(inputs) > 0 {
 			ingressPorts = GetInputPorts(inputs)
 		}
+
+		// Parse ports for egress from outputs and proxy configuration if any
+		egressPortMap := map[factory.PortProtocol]bool{}
+		// Parse ports with protocols from outputs
+		if len(outputs) > 0 {
+			GetOutputPortsWithProtocols(outputs, egressPortMap)
+
+		}
+		// Add proxy ports if any for cluster-wide proxy configuration
+		GetProxyPorts(egressPortMap)
+
+		// Convert map to slice
+		egressPorts = make([]factory.PortProtocol, 0, len(egressPortMap))
+		for pp := range egressPortMap {
+			egressPorts = append(egressPorts, pp)
+		}
 	}
 
 	desired := factory.NewNetworkPolicyWithProtocolPorts(namespace, policyName, instanceName, component, string(policyRuleSet), egressPorts, ingressPorts, visitor)
diff --git a/internal/network/ports.go b/internal/network/ports.go
@@ -7,15 +7,15 @@ import (
 
 	obs "github.com/openshift/cluster-logging-operator/api/observability/v1"
 	"github.com/openshift/cluster-logging-operator/internal/factory"
+	"github.com/openshift/cluster-logging-operator/internal/utils"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/utils/set"
 )
 
 // GetOutputPortsWithProtocols extracts all unique ports with their protocols from the given outputs.
 // It parses URLs to extract ports and protocols, or uses default values based on the output type.
-func GetOutputPortsWithProtocols(outputs []obs.OutputSpec) []factory.PortProtocol {
-	portProtocolMap := map[factory.PortProtocol]bool{}
-
+func GetOutputPortsWithProtocols(outputs []obs.OutputSpec, portProtocolMap map[factory.PortProtocol]bool) {
 	for _, output := range outputs {
 		portProtocols := getPortProtocolFromOutputURL(output)
 		for _, pp := range portProtocols {
@@ -24,13 +24,6 @@ func GetOutputPortsWithProtocols(outputs []obs.OutputSpec) []factory.PortProtoco
 			}
 		}
 	}
-
-	result := make([]factory.PortProtocol, 0, len(portProtocolMap))
-	for pp := range portProtocolMap {
-		result = append(result, pp)
-	}
-
-	return result
 }
 
 // GetInputPorts extracts all unique ports from the given input receiver specs.
@@ -200,3 +193,37 @@ func getDefaultPort(outputType obs.OutputType, urlStr string) int32 {
 	}
 	panic(fmt.Sprintf("unknown output type: %s", outputType))
 }
+
+// GetProxyPorts extracts unique ports from cluster-wide proxy environment variables.
+// It parses HTTP_PROXY and HTTPS_PROXY URLs to determine explicit proxy ports,
+// or adds default ports (80 for HTTP, 443 for HTTPS) when no port is specified.
+func GetProxyPorts(portProtocolMap map[factory.PortProtocol]bool) {
+	proxyEnvNames := sets.NewString("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY")
+
+	// Get proxy environment variables and parse them for additional explicit ports
+	proxyEnvVars := utils.GetProxyEnvVars()
+
+	for _, envVar := range proxyEnvVars {
+		// Process proxy environment variables
+		if proxyEnvNames.Has(envVar.Name) {
+			if port := parsePortProtocolFromURL(envVar.Value); port != nil {
+				// Add explicitly configured port from proxy URL
+				portProtocolMap[*port] = true
+			} else if envVar.Value != "" {
+				// If no explicit port, add default port based on scheme
+				if parsedURL, err := url.Parse(envVar.Value); err == nil {
+					var defaultPort int32
+					switch parsedURL.Scheme {
+					case "http":
+						defaultPort = 80
+					case "https":
+						defaultPort = 443
+					}
+					if defaultPort > 0 {
+						portProtocolMap[factory.PortProtocol{Port: defaultPort, Protocol: corev1.ProtocolTCP}] = true
+					}
+				}
+			}
+		}
+	}
+}
diff --git a/internal/network/ports_test.go b/internal/network/ports_test.go
@@ -1,6 +1,8 @@
 package network
 
 import (
+	"os"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
@@ -323,12 +325,13 @@ var _ = Describe("Network Ports", func() {
 						},
 					},
 				}
-				ports := GetOutputPortsWithProtocols(outputs)
-				Expect(ports).To(ConsistOf(
-					factory.PortProtocol{Port: 9200, Protocol: corev1.ProtocolTCP},
-					factory.PortProtocol{Port: 8088, Protocol: corev1.ProtocolTCP},
-					factory.PortProtocol{Port: 3100, Protocol: corev1.ProtocolTCP},
-				))
+				portMap := map[factory.PortProtocol]bool{}
+				GetOutputPortsWithProtocols(outputs, portMap)
+				Expect(portMap).To(Equal(map[factory.PortProtocol]bool{
+					{Port: 9200, Protocol: corev1.ProtocolTCP}: true,
+					{Port: 8088, Protocol: corev1.ProtocolTCP}: true,
+					{Port: 3100, Protocol: corev1.ProtocolTCP}: true,
+				}))
 			})
 
 			It("should deduplicate ports from multiple outputs", func() {
@@ -352,11 +355,12 @@ var _ = Describe("Network Ports", func() {
 						},
 					},
 				}
-				ports := GetOutputPortsWithProtocols(outputs)
-				Expect(ports).To(ConsistOf(
-					factory.PortProtocol{Port: 9200, Protocol: corev1.ProtocolTCP},
-					factory.PortProtocol{Port: 8088, Protocol: corev1.ProtocolTCP},
-				))
+				portMap := map[factory.PortProtocol]bool{}
+				GetOutputPortsWithProtocols(outputs, portMap)
+				Expect(portMap).To(Equal(map[factory.PortProtocol]bool{
+					{Port: 9200, Protocol: corev1.ProtocolTCP}: true,
+					{Port: 8088, Protocol: corev1.ProtocolTCP}: true,
+				}))
 			})
 
 			It("should handle outputs with default ports", func() {
@@ -374,11 +378,12 @@ var _ = Describe("Network Ports", func() {
 						},
 					},
 				}
-				ports := GetOutputPortsWithProtocols(outputs)
-				Expect(ports).To(ConsistOf(
-					factory.PortProtocol{Port: 9200, Protocol: corev1.ProtocolTCP},
-					factory.PortProtocol{Port: 80, Protocol: corev1.ProtocolTCP},
-				))
+				portMap := map[factory.PortProtocol]bool{}
+				GetOutputPortsWithProtocols(outputs, portMap)
+				Expect(portMap).To(Equal(map[factory.PortProtocol]bool{
+					{Port: 9200, Protocol: corev1.ProtocolTCP}: true,
+					{Port: 80, Protocol: corev1.ProtocolTCP}:   true,
+				}))
 			})
 
 			It("should handle complex Kafka output with multiple brokers", func() {
@@ -401,12 +406,13 @@ var _ = Describe("Network Ports", func() {
 						},
 					},
 				}
-				ports := GetOutputPortsWithProtocols(outputs)
-				Expect(ports).To(ConsistOf(
-					factory.PortProtocol{Port: 9092, Protocol: corev1.ProtocolTCP},
-					factory.PortProtocol{Port: 9093, Protocol: corev1.ProtocolTCP},
-					factory.PortProtocol{Port: 9200, Protocol: corev1.ProtocolTCP},
-				))
+				portMap := map[factory.PortProtocol]bool{}
+				GetOutputPortsWithProtocols(outputs, portMap)
+				Expect(portMap).To(Equal(map[factory.PortProtocol]bool{
+					{Port: 9092, Protocol: corev1.ProtocolTCP}: true,
+					{Port: 9093, Protocol: corev1.ProtocolTCP}: true,
+					{Port: 9200, Protocol: corev1.ProtocolTCP}: true,
+				}))
 			})
 		})
 	})
@@ -557,4 +563,163 @@ var _ = Describe("Network Ports", func() {
 			})
 		})
 	})
+
+	Describe("GetProxyPorts", func() {
+		var originalEnvVars map[string]string
+
+		BeforeEach(func() {
+			// Save original environment variables
+			originalEnvVars = make(map[string]string)
+			for _, envVar := range []string{"HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy", "NO_PROXY", "no_proxy"} {
+				originalEnvVars[envVar] = os.Getenv(envVar)
+				os.Unsetenv(envVar) // Clear all proxy env vars for clean test state
+			}
+		})
+
+		AfterEach(func() {
+			// Restore original environment variables
+			for envVar, value := range originalEnvVars {
+				if value != "" {
+					os.Setenv(envVar, value)
+				} else {
+					os.Unsetenv(envVar)
+				}
+			}
+		})
+
+		DescribeTable("when proxy environment variables are set",
+			func(envVars map[string]string, expectedPorts []factory.PortProtocol) {
+				for key, value := range envVars {
+					os.Setenv(key, value)
+				}
+
+				portMap := map[factory.PortProtocol]bool{}
+				GetProxyPorts(portMap)
+				ports := make([]factory.PortProtocol, 0, len(portMap))
+				for pp := range portMap {
+					ports = append(ports, pp)
+				}
+				if len(expectedPorts) == 0 {
+					Expect(ports).To(BeEmpty())
+				} else {
+					Expect(ports).To(ConsistOf(expectedPorts))
+				}
+			},
+			Entry("should extract ports from HTTP proxy URLs with explicit ports",
+				map[string]string{
+					"http_proxy":  "http://proxy.example.com:8080",
+					"https_proxy": "https://proxy.example.com:8443",
+				},
+				[]factory.PortProtocol{
+					{Port: 8080, Protocol: corev1.ProtocolTCP},
+					{Port: 8443, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should use default ports when proxy URLs don't specify ports",
+				map[string]string{
+					"http_proxy":  "http://proxy.example.com",
+					"https_proxy": "https://proxy.example.com",
+				},
+				[]factory.PortProtocol{
+					{Port: 80, Protocol: corev1.ProtocolTCP},
+					{Port: 443, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should return empty when proxy URLs have unknown schemes without ports",
+				map[string]string{
+					"http_proxy": "proxy://proxy.example.com",
+				},
+				[]factory.PortProtocol{},
+			),
+			Entry("should deduplicate identical proxy ports",
+				map[string]string{
+					"http_proxy":  "http://proxy.example.com:8080",
+					"https_proxy": "https://proxy.example.com:8080",
+				},
+				[]factory.PortProtocol{
+					{Port: 8080, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should handle malformed proxy URLs gracefully",
+				map[string]string{
+					"http_proxy":  "not-a-valid-url",
+					"https_proxy": "http://proxy.example.com:8080",
+				},
+				[]factory.PortProtocol{
+					{Port: 8080, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should handle uppercase proxy environment variables",
+				map[string]string{
+					"HTTP_PROXY":  "http://proxy.example.com:3128",
+					"HTTPS_PROXY": "https://proxy.example.com:3129",
+				},
+				[]factory.PortProtocol{
+					{Port: 3128, Protocol: corev1.ProtocolTCP},
+					{Port: 3129, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should extract explicitly specified standard ports from proxy URLs",
+				map[string]string{
+					"http_proxy":  "http://proxy.example.com:80",
+					"https_proxy": "https://proxy.example.com:443",
+				},
+				[]factory.PortProtocol{
+					{Port: 80, Protocol: corev1.ProtocolTCP},
+					{Port: 443, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should extract explicit ports when both proxy and no-proxy environment variables are set",
+				map[string]string{
+					"http_proxy":  "http://proxy.example.com:8080",
+					"https_proxy": "https://proxy.example.com:8080",
+					"no_proxy":    "localhost,127.0.0.1",
+				},
+				[]factory.PortProtocol{
+					{Port: 8080, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should handle proxy URLs with authentication",
+				map[string]string{
+					"http_proxy": "http://user:password@proxy.example.com:8080",
+				},
+				[]factory.PortProtocol{
+					{Port: 8080, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should handle IPv6 proxy URLs",
+				map[string]string{
+					"http_proxy": "http://[::1]:8080",
+				},
+				[]factory.PortProtocol{
+					{Port: 8080, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should handle empty string proxy URLs gracefully",
+				map[string]string{
+					"http_proxy":  "",
+					"https_proxy": "https://proxy.example.com:8443",
+				},
+				[]factory.PortProtocol{
+					{Port: 8443, Protocol: corev1.ProtocolTCP},
+				},
+			),
+			Entry("should handle mix of uppercase and lowercase proxy environment variables",
+				map[string]string{
+					"HTTP_PROXY":  "http://proxy.example.com:8080",
+					"https_proxy": "https://proxy.example.com:8443",
+				},
+				[]factory.PortProtocol{
+					{Port: 8080, Protocol: corev1.ProtocolTCP},
+					{Port: 8443, Protocol: corev1.ProtocolTCP},
+				},
+			),
+		)
+
+		It("should be empty portMap when no proxy environment variables are set", func() {
+			portMap := map[factory.PortProtocol]bool{}
+			GetProxyPorts(portMap)
+			Expect(portMap).To(BeEmpty())
+		})
+	})
 })
