Docs: Egress router DNS proxy mode

[pravisankar]

Trello card: https://trello.com/c/407uoUFz
Origin PR: openshift/origin#15409

[pravisankar]

@openshift/networking @openshift/team-documentation PTAL

[vikram-redhat]

@bfallonf - PTAL.

@pravisankar - is this for 3.7?

[pravisankar]

On Wed, Jul 26, 2017 at 7:30 PM, Vikram Goyal ***@***.***> wrote: @bfallonf <https://github.com/bfallonf> - PTAL. @pravisankar <https://github.com/pravisankar> - is this for 3.7?

Yes, Committed for 3.7

…

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#4854 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABM0hp3dGqTJEYPOi_LE1kqsrngCU4AZks5sR_ZggaJpZM4Oktpf> .

[bfallonf]

Thanks @pravisankar . This is good, so I'll merge and tag for the 3.7 release. I'll attach it to the docs card can do a followup later if needed.

[bfallonf]

[rev_history]
|xref:../admin_guide/managing_networking.adoc#admin-guide-manage-networking[Managing Networking]
|Added the xref:../admin_guide/managing_networking.adoc#admin-guide-deploying-an-egress-router-dns-proxy-pod[Deploying an Egress Router DNS Proxy Pod] section.
%

[bfallonf]

Document: Allow DNS names for egress routes [human names] [egress]

[danwinship]

Blah, just got back from PTO and noticed this. It's not safe to use envFrom here, because that might allow project admins to subvert the functioning of the (privileged) origin-egress-router pod by setting variables like IFS or PATH in the environment that egress-router.sh will run in.

Given that the PR implementing this feature hasn't landed yet anyway, maybe this PR should just be reverted?

[pravisankar]

You mean project admin sets undesirable environment variables in configMap and cluster admin redeploys the egress router without noticing this change?

[danwinship]

yes

[bfallonf]

Thanks for pointing this out, @danwinship . @pravisankar submitted a fix in another PR, so I'll merge that.

[ghyde]

Can we revert this PR, merging it back after the feature has landed? From a support perspective, it's frustrating for customers when they follow the documentation and try to implement a feature that doesn't exist yet.

[pravisankar]

@bfallonf
To support this feature, we need at least HAproxy 1.6+ but unfortunately RHEL carries older version of haproxy. We are trying to package the needed version, trello card: https://trello.com/c/W3TQb4FF but this is unlikely to land in 3.7 release. So the egress DNS proxy mode feature has been pushed to 3.8 release (updated in https://trello.com/c/407uoUFz).
As @ghyde pointed out, we should revert this commit.

[bfallonf]

Sure thing. I've created a revert PR in #5187 . I've changed the labels to 3.8 for this and the follow up PR. @ghyde @pravisankar Please let me know if there's anything more needed here.