LOG-8068: Vector can't access log stores outside the cluster with cluster-wide proxy and RestrictIngressEgress #3147
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@Clee2691: This pull request references LOG-8068 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.8.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest |
internal/network/ports.go
Outdated
| for _, envVar := range proxyEnvVars { | ||
| // Process proxy environment variables | ||
| if proxyEnvNames.Has(envVar.Name) { | ||
| if port := parsePortProtocolFromURL(envVar.Value); port != nil { |
There was a problem hiding this comment.
corrected:
In the case where the parseUrl fails, it will end up running url.Parse() twice .
maybe the line above could be changed to something like:
if (envVar.Name == "http_proxy" || envVar.Name == "https_proxy") && envVar.Value != "" {
in that case you wouldn't need to create the set and the extra nested if. lmk if you want to chat.
There was a problem hiding this comment.
I have a set here so that I can handle the different cases for the environment variable names.
I have consolidated this however so that url.Parse is not called twice.
There was a problem hiding this comment.
I'm good with this as is, since it works. But there are still a few steps that are unnecessary. GetProxyEnvVars() returns strings.ToLower(envvar) so you've already evaluated both cases.
Additionally, there are several different if statements nested inside a loop, which is always best to avoid if possible.
There was a problem hiding this comment.
That makes sense. I was able to reduce the nesting of the if statements along with removing the set since the names are lowered already.
internal/network/ports.go
Outdated
| } else if envVar.Value != "" { | ||
| // If no explicit port, add default port based on scheme | ||
| if parsedURL, err := url.Parse(envVar.Value); err == nil { | ||
| var defaultPort int32 |
There was a problem hiding this comment.
I would have thought you can use getDefaultPort() here?
There was a problem hiding this comment.
otherwise, I would create a quick helper below this: getProxyDefaultPort(scheme) to help clean up the many nested possibilities.
you could return a boolean so you don't have to run the final if > 0. To use the helper, my suggestion would be to simplify the final check:
defaultPort, ok := getProxyDefaultPort(parsedURL.Scheme); ok { portProtocolMap[....] = true }
There was a problem hiding this comment.
getDefaultPort() is for the outputs which I guess a better name would have been getOutputDefaultPort().
Good suggestion. I will add in the helper.
internal/network/ports_test.go
Outdated
| BeforeEach(func() { | ||
| // Save original environment variables | ||
| originalEnvVars = make(map[string]string) | ||
| for _, envVar := range []string{"HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy", "NO_PROXY", "no_proxy"} { |
There was a problem hiding this comment.
I would use util.GetProxyEnvVars() here.
There was a problem hiding this comment.
This won't work because if there are no proxy environment variables, originalEnvVars won't be populated and the unsetting/setting of the environment variables will not work properly.
There was a problem hiding this comment.
Okay. For future, we should probably use a constant if possible, since we are evaluating the same slice in a couple places.
There was a problem hiding this comment.
Added in a constant for this and updated the code accordingly.
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Clee2691, jcantrill The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
internal/network/ports_test.go
Outdated
| } | ||
| }, | ||
| Entry("should extract ports from HTTP proxy URLs with explicit ports", | ||
| map[string]string{ |
There was a problem hiding this comment.
If you are making changes, since we need so many iterations/entries, I have a suggestion for cleaning up by using a couple helper functions:
Something like this:
setProxies("http://proxy.example.com:8080", "https://proxy.example.com:8443"),
and for the protocol:
expectedProxyPorts(8080, 8443), (all are TCP, so this can be removed?)
func setProxies(httpProxy string, httpsProxy string) map[string]string {}
func expectedProxyPorts(ports ...int32) []factory.PortProtocol {}
There was a problem hiding this comment.
untested:
expectd := make([]factory.PortProtocol, 0, len(ports))
for _, port := range ports {
expected = append(expected, factory.PortProtocol{
Port: port,
Protocol: corev1.ProtocolTCP,
})
}
return expected
There was a problem hiding this comment.
Good suggestions. Added into the tests.
…trict network policy is enabled and the cluster has cluster-wide proxy.
|
/lgtm |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@Clee2691: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
4 participants
Description
This PR fixes an issue where Vector collectors cannot access log stores outside the cluster when both restrictive network policies are enabled and the cluster has a cluster-wide proxy configured.
CLO will attempt to parse the port from the proxy URLS based on the proxy variables:
HTTP_PROXYHTTPS_PROXYIf the port is not specified for the proxy URL, it will add the default ports for the specific schema
HTTP:80HTTPS:443/cc @cahartma @vparfonov
/assign @jcantrill
Links