Merge pull request #5936 from wangke19/backport-pr-5876-to-4.18

OCPBUGS-54411: Backport PR 5876 to release-4.18

Author: openshift-merge-bot[bot]

control-plane-operator/controllers/hostedcontrolplane/oapi/deployment.go

@@ -2,7 +2,6 @@ package oapi
 
 import (
 	"fmt"
-	"net/url"
 	"path"
 	"strings"
 
@@ -138,9 +137,9 @@ func ReconcileDeployment(deployment *appsv1.Deployment,
 		}
 	}
 	deployment.Spec.Template.ObjectMeta.Labels = openShiftAPIServerLabels()
-	etcdUrlData, err := url.Parse(etcdURL)
+	etcdHost, err := util.HostFromURL(etcdURL)
 	if err != nil {
-		return fmt.Errorf("failed to parse etcd url: %w", err)
+		return err
 	}
 	if deployment.Spec.Template.Annotations == nil {
 		deployment.Spec.Template.Annotations = map[string]string{}
@@ -151,7 +150,7 @@ func ReconcileDeployment(deployment *appsv1.Deployment,
 	deployment.Spec.Template.Spec.AutomountServiceAccountToken = ptr.To(false)
 	deployment.Spec.Template.Spec.InitContainers = []corev1.Container{util.BuildContainer(oasTrustAnchorGenerator(), buildOASTrustAnchorGenerator(image))}
 	deployment.Spec.Template.Spec.Containers = []corev1.Container{
-		util.BuildContainer(oasContainerMain(), buildOASContainerMain(image, strings.Split(etcdUrlData.Host, ":")[0], defaultOAPIPort, internalOAuthDisable)),
+		util.BuildContainer(oasContainerMain(), buildOASContainerMain(image, etcdHost, defaultOAPIPort, internalOAuthDisable)),
 		util.BuildContainer(oasKonnectivityProxyContainer(), buildOASKonnectivityProxyContainer(konnectivityHTTPSProxyImage, proxyConfig, noProxy)),
 	}
 	deployment.Spec.Template.Spec.Volumes = []corev1.Volume{

control-plane-operator/controllers/hostedcontrolplane/oapi/deployment_test.go

@@ -236,7 +236,9 @@ func TestReconcileOpenshiftOAuthAPIServerDeployment(t *testing.T) {
 			name:             "Empty deployment config and oauth params",
 			deploymentConfig: config.DeploymentConfig{},
 			auditConfig:      manifests.OpenShiftOAuthAPIServerAuditConfig(targetNamespace),
-			params:           OAuthDeploymentParams{},
+			params: OAuthDeploymentParams{
+				EtcdURL: "https://etcd-client:2379",
+			},
 		},
 	}
 	for _, tc := range testCases {

control-plane-operator/controllers/hostedcontrolplane/oapi/oauth_deployment.go

@@ -3,6 +3,7 @@ package oapi
 import (
 	"fmt"
 	"path"
+	"strings"
 
 	configv1 "github.com/openshift/api/config/v1"
 	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
@@ -40,6 +41,11 @@ var (
 			oauthVolumeEtcdClientCert().Name:  "/etc/kubernetes/certs/etcd-client",
 			common.VolumeTotalClientCA().Name: "/etc/kubernetes/certs/client-ca",
 		},
+		oauthKonnectivityProxyContainer().Name: {
+			oauthVolumeKubeconfig().Name:            "/etc/kubernetes/secrets/kubeconfig",
+			oauthVolumeKonnectivityProxyCert().Name: "/etc/konnectivity/proxy-client",
+			oauthVolumeKonnectivityProxyCA().Name:   "/etc/konnectivity/proxy-ca",
+		},
 	}
 	oauthAuditWebhookConfigFileVolumeMount = util.PodVolumeMounts{
 		oauthContainerMain().Name: {
@@ -55,9 +61,18 @@ func openShiftOAuthAPIServerLabels() map[string]string {
 	}
 }
 
-func ReconcileOAuthAPIServerDeployment(deployment *appsv1.Deployment, ownerRef config.OwnerRef, auditConfig *corev1.ConfigMap, p *OAuthDeploymentParams, platformType hyperv1.PlatformType) error {
+func ReconcileOAuthAPIServerDeployment(deployment *appsv1.Deployment,
+	ownerRef config.OwnerRef,
+	auditConfig *corev1.ConfigMap,
+	p *OAuthDeploymentParams,
+	platformType hyperv1.PlatformType) error {
 	ownerRef.ApplyTo(deployment)
 
+	etcdHost, err := util.HostFromURL(p.EtcdURL)
+	if err != nil {
+		return err
+	}
+
 	// preserve existing resource requirements for main oauth apiserver container
 	mainContainer := util.FindContainer(oauthContainerMain().Name, deployment.Spec.Template.Spec.Containers)
 	if mainContainer != nil {
@@ -95,7 +110,8 @@ func ReconcileOAuthAPIServerDeployment(deployment *appsv1.Deployment, ownerRef c
 		AutomountServiceAccountToken:  ptr.To(false),
 		TerminationGracePeriodSeconds: ptr.To[int64](120),
 		Containers: []corev1.Container{
-			util.BuildContainer(oauthContainerMain(), buildOAuthContainerMain(p)),
+			util.BuildContainer(oauthContainerMain(), buildOAuthContainerMain(p, etcdHost)),
+			util.BuildContainer(oauthKonnectivityProxyContainer(), buildOAuthKonnectivityProxyContainer(p.KonnectivityProxyImage)),
 		},
 		Volumes: []corev1.Volume{
 			util.BuildVolume(oauthVolumeWorkLogs(), buildOAuthVolumeWorkLogs),
@@ -106,6 +122,8 @@ func ReconcileOAuthAPIServerDeployment(deployment *appsv1.Deployment, ownerRef c
 			util.BuildVolume(oauthVolumeServingCert(), buildOAuthVolumeServingCert),
 			util.BuildVolume(oauthVolumeEtcdClientCert(), buildOAuthVolumeEtcdClientCert),
 			util.BuildVolume(common.VolumeTotalClientCA(), common.BuildVolumeTotalClientCA),
+			util.BuildVolume(oauthVolumeKonnectivityProxyCert(), buildOAuthVolumeKonnectivityProxyCert),
+			util.BuildVolume(oauthVolumeKonnectivityProxyCA(), buildOAuthVolumeKonnectivityProxyCA),
 		},
 	}
 
@@ -147,7 +165,13 @@ func oauthContainerMain() *corev1.Container {
 	}
 }
 
-func buildOAuthContainerMain(p *OAuthDeploymentParams) func(c *corev1.Container) {
+func oauthKonnectivityProxyContainer() *corev1.Container {
+	return &corev1.Container{
+		Name: "konnectivity-proxy",
+	}
+}
+
+func buildOAuthContainerMain(p *OAuthDeploymentParams, etcdHost string) func(c *corev1.Container) {
 	return func(c *corev1.Container) {
 		cpath := func(volume, file string) string {
 			return path.Join(oauthVolumeMounts.Path(c.Name, volume), file)
@@ -199,6 +223,41 @@ func buildOAuthContainerMain(p *OAuthDeploymentParams) func(c *corev1.Container)
 				corev1.ResourceCPU:    resource.MustParse("10m"),
 			},
 		}
+		c.Env = append(c.Env, []corev1.EnvVar{
+			{
+				Name:  "HTTP_PROXY",
+				Value: "socks5://127.0.0.1:8090",
+			},
+			{
+				Name:  "HTTPS_PROXY",
+				Value: "socks5://127.0.0.1:8090",
+			},
+			{
+				Name: "NO_PROXY",
+				Value: strings.Join([]string{
+					manifests.KubeAPIServerService("").Name,
+					etcdHost,
+					config.AuditWebhookService,
+				}, ","),
+			},
+		}...)
+	}
+}
+
+func buildOAuthKonnectivityProxyContainer(image string) func(c *corev1.Container) {
+	return func(c *corev1.Container) {
+		c.Image = image
+		c.Command = []string{"/usr/bin/control-plane-operator", "konnectivity-socks5-proxy"}
+		c.Args = []string{"run", "--resolve-from-guest-cluster-dns=true"}
+		c.Env = []corev1.EnvVar{{
+			Name:  "KUBECONFIG",
+			Value: fmt.Sprintf("%s/kubeconfig", volumeMounts.Path(c.Name, oauthVolumeKubeconfig().Name)),
+		}}
+		c.Resources.Requests = corev1.ResourceList{
+			corev1.ResourceCPU:    resource.MustParse("10m"),
+			corev1.ResourceMemory: resource.MustParse("10Mi"),
+		}
+		c.VolumeMounts = oauthVolumeMounts.ContainerMounts(c.Name)
 	}
 }
 
@@ -297,6 +356,29 @@ func oauthAuditWebhookConfigFile() string {
 	return path.Join(cfgDir, hyperv1.AuditWebhookKubeconfigKey)
 }
 
+func oauthVolumeKonnectivityProxyCert() *corev1.Volume {
+	return &corev1.Volume{
+		Name: "oauth-konnectivity-proxy-cert",
+	}
+}
+
+func oauthVolumeKonnectivityProxyCA() *corev1.Volume {
+	return &corev1.Volume{
+		Name: "oauth-konnectivity-proxy-ca",
+	}
+}
+
+func buildOAuthVolumeKonnectivityProxyCert(v *corev1.Volume) {
+	v.Secret = &corev1.SecretVolumeSource{}
+	v.Secret.SecretName = manifests.KonnectivityClientSecret("").Name
+	v.Secret.DefaultMode = ptr.To[int32](0640)
+}
+
+func buildOAuthVolumeKonnectivityProxyCA(v *corev1.Volume) {
+	v.ConfigMap = &corev1.ConfigMapVolumeSource{}
+	v.ConfigMap.Name = manifests.KonnectivityCAConfigMap("").Name
+}
+
 func buildOAuthVolumeEtcdClientCert(v *corev1.Volume) {
 	v.Secret = &corev1.SecretVolumeSource{}
 	v.Secret.SecretName = manifests.EtcdClientSecret("").Name

control-plane-operator/controllers/hostedcontrolplane/oapi/params.go

@@ -44,6 +44,7 @@ type OAuthDeploymentParams struct {
 	ServiceAccountIssuerURL      string
 	DeploymentConfig             config.DeploymentConfig
 	AvailabilityProberImage      string
+	KonnectivityProxyImage       string
 	Availability                 hyperv1.AvailabilityPolicy
 	OwnerRef                     config.OwnerRef
 	AuditWebhookRef              *corev1.LocalObjectReference
@@ -220,6 +221,7 @@ func (p *OpenShiftAPIServerParams) AuditPolicyConfig() configv1.Audit {
 func (p *OpenShiftAPIServerParams) OAuthAPIServerDeploymentParams(hcp *hyperv1.HostedControlPlane) *OAuthDeploymentParams {
 	params := &OAuthDeploymentParams{
 		Image:                   p.OAuthAPIServerImage,
+		KonnectivityProxyImage:  p.ProxyImage,
 		EtcdURL:                 p.EtcdURL,
 		ServiceAccountIssuerURL: p.ServiceAccountIssuerURL,
 		DeploymentConfig:        p.OpenShiftOAuthAPIServerDeploymentConfig,

control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/zz_fixture_TestControlPlaneComponents.yaml

@@ -95,6 +95,13 @@ spec:
         - --tls-min-version=VersionTLS12
         command:
         - /usr/bin/oauth-apiserver
+        env:
+        - name: HTTP_PROXY
+          value: socks5://127.0.0.1:8090
+        - name: HTTPS_PROXY
+          value: socks5://127.0.0.1:8090
+        - name: NO_PROXY
+          value: kube-apiserver,etcd-client,audit-webhook
         image: oauth-apiserver
         imagePullPolicy: IfNotPresent
         livenessProbe:
@@ -167,6 +174,28 @@ spec:
         volumeMounts:
         - mountPath: /var/log/openshift-oauth-apiserver
           name: work-logs
+      - args:
+        - run
+        - --resolve-from-guest-cluster-dns=true
+        command:
+        - /usr/bin/control-plane-operator
+        - konnectivity-socks5-proxy
+        env:
+        - name: KUBECONFIG
+          value: /etc/kubernetes/secrets/kubeconfig/kubeconfig
+        image: controlplane-operator
+        name: konnectivity-proxy-socks5
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
+        volumeMounts:
+        - mountPath: /etc/kubernetes/secrets/kubeconfig
+          name: kubeconfig
+        - mountPath: /etc/konnectivity/proxy-client
+          name: konnectivity-proxy-cert
+        - mountPath: /etc/konnectivity/proxy-ca
+          name: konnectivity-proxy-ca
       initContainers:
       - command:
         - /usr/bin/control-plane-operator
@@ -219,4 +248,11 @@ spec:
           defaultMode: 420
           name: client-ca
         name: client-ca
+      - name: konnectivity-proxy-cert
+        secret:
+          defaultMode: 416
+          secretName: konnectivity-client
+      - configMap:
+          name: konnectivity-ca-bundle
+        name: konnectivity-proxy-ca
 status: {}

control-plane-operator/controllers/hostedcontrolplane/v2/assets/openshift-oauth-apiserver/deployment.yaml

@@ -47,6 +47,13 @@ spec:
         - --client-ca-file=/etc/kubernetes/certs/client-ca/ca.crt
         command:
         - /usr/bin/oauth-apiserver
+        env:
+        - name: HTTP_PROXY
+          value: socks5://127.0.0.1:8090
+        - name: HTTPS_PROXY
+          value: socks5://127.0.0.1:8090
+        - name: NO_PROXY
+          value: kube-apiserver,etcd-client,audit-webhook
         image: oauth-apiserver
         imagePullPolicy: IfNotPresent
         livenessProbe:

control-plane-operator/controllers/hostedcontrolplane/v2/oapi/deployment.go

@@ -2,7 +2,6 @@ package oapi
 
 import (
 	"fmt"
-	"net/url"
 	"path"
 	"strings"
 
@@ -44,11 +43,10 @@ func adaptDeployment(cpContext component.ControlPlaneContext, deployment *appsv1
 
 	etcdHostname := "etcd-client"
 	if cpContext.HCP.Spec.Etcd.ManagementType == hyperv1.Unmanaged {
-		etcdUrl, err := url.Parse(cpContext.HCP.Spec.Etcd.Unmanaged.Endpoint)
+		etcdHostname, err = util.HostFromURL(cpContext.HCP.Spec.Etcd.Unmanaged.Endpoint)
 		if err != nil {
-			return fmt.Errorf("failed to parse etcd url: %w", err)
+			return err
 		}
-		etcdHostname = strings.Split(etcdUrl.Host, ":")[0]
 	}
 	noProxy := []string{
 		manifests.KubeAPIServerService("").Name,

control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/component.go

@@ -7,6 +7,7 @@ import (
 	"github.com/openshift/hypershift/support/util"
 
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -48,6 +49,12 @@ func NewComponent() component.ControlPlaneComponent {
 		WithDependencies(oapiv2.ComponentName).
 		WatchResource(&corev1.ConfigMap{}, "openshift-oauth-apiserver-audit").
 		InjectAvailabilityProberContainer(util.AvailabilityProberOpts{}).
+		InjectKonnectivityContainer(component.KonnectivityContainerOptions{
+			Mode: component.Socks5,
+			Socks5Options: component.Socks5Options{
+				ResolveFromGuestClusterDNS: ptr.To(true),
+			},
+		}).
 		Build()
 }
 

control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go

@@ -3,9 +3,11 @@ package oapi
 import (
 	"fmt"
 	"path"
+	"strings"
 
 	configv1 "github.com/openshift/api/config/v1"
 	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
+	"github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/manifests"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 
@@ -19,6 +21,21 @@ const (
 )
 
 func adaptDeployment(cpContext component.ControlPlaneContext, deployment *appsv1.Deployment) error {
+
+	var err error
+	etcdHostname := "etcd-client"
+	if cpContext.HCP.Spec.Etcd.ManagementType == hyperv1.Unmanaged {
+		etcdHostname, err = util.HostFromURL(cpContext.HCP.Spec.Etcd.Unmanaged.Endpoint)
+		if err != nil {
+			return err
+		}
+	}
+	noProxy := []string{
+		manifests.KubeAPIServerService("").Name,
+		etcdHostname,
+		config.AuditWebhookService,
+	}
+
 	util.UpdateContainer(ComponentName, deployment.Spec.Template.Spec.Containers, func(c *corev1.Container) {
 		etcdURL := config.DefaultEtcdURL
 		if cpContext.HCP.Spec.Etcd.ManagementType == hyperv1.Unmanaged {
@@ -41,6 +58,10 @@ func adaptDeployment(cpContext component.ControlPlaneContext, deployment *appsv1
 			tokenInactivityTimeout := configuration.OAuth.TokenConfig.AccessTokenInactivityTimeout.Duration.String()
 			c.Args = append(c.Args, fmt.Sprintf("--accesstoken-inactivity-timeout=%s", tokenInactivityTimeout))
 		}
+		util.UpsertEnvVar(c, corev1.EnvVar{
+			Name:  "NO_PROXY",
+			Value: strings.Join(noProxy, ","),
+		})
 	})
 
 	if cpContext.HCP.Spec.Configuration.GetAuditPolicyConfig().Profile == configv1.NoneAuditProfileType {

support/util/util.go

@@ -12,7 +12,9 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
+	"regexp"
 	"sort"
 	"strings"
 	"time"
@@ -538,3 +540,29 @@ func GetPullSecretBytes(ctx context.Context, c client.Client, hc *hyperv1.Hosted
 
 	return pullSecretBytes, nil
 }
+
+var (
+	hasPortRegex = regexp.MustCompile(`:\d{1,5}$`)
+)
+
+func HostFromURL(addr string) (string, error) {
+	parsedURL, err := url.Parse(addr)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse URL(%s): %w", addr, err)
+	}
+	hostPort := parsedURL.Host
+	if hostPort == "" {
+		return "", fmt.Errorf("missing host/port name in URL(%s)", addr)
+	}
+	if !hasPortRegex.MatchString(hostPort) {
+		return hostPort, nil
+	}
+	hostName, _, err := net.SplitHostPort(hostPort)
+	if err != nil {
+		return "", fmt.Errorf("failed to split host/port from (%s): %w", hostPort, err)
+	}
+	if hostName == "" {
+		return "", fmt.Errorf("missing host name in URL(%s)", addr)
+	}
+	return hostName, nil
+}