diff --git a/hack/assets/sync.go b/hack/assets/sync.go
index 2bfb9b54..d828cd98 100644
--- a/hack/assets/sync.go
+++ b/hack/assets/sync.go
@@ -59,6 +59,15 @@ func apiServerDeploymentJSON() {
 required.Spec.Template.ObjectMeta.Labels["revision"] = "${REVISION}"
 required.Spec.Template.Spec.Affinity.PodAntiAffinity.RequiredDuringSchedulingIgnoredDuringExecution[0].LabelSelector.MatchLabels["openshift-apiserver-anti-affinity"] = "true"
+ proxyEnvVars := []v1.EnvVar{
+ {Name: "HTTPS_PROXY", Value: "${HTTPS_PROXY}"},
+ {Name: "HTTP_PROXY", Value:"${HTTP_PROXY}"},
+ {Name: "NO_PROXY", Value:"${NO_PROXY}"},
+ }
+ for i, container := range required.Spec.Template.Spec.Containers {
+ required.Spec.Template.Spec.Containers[i].Env = append(container.Env, proxyEnvVars...)
+ }
+
 jsonBytes, err := json.Marshal(required.Spec)
 check(err)
diff --git a/src/bindata/openshift-apiserver-deployment.json b/src/bindata/openshift-apiserver-deployment.json
index f2eeab00..a9696572 100644
--- a/src/bindata/openshift-apiserver-deployment.json
+++ b/src/bindata/openshift-apiserver-deployment.json
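Review bot: The added `proxyEnvVars` block carries no comment saying that its `${…}` values are placeholders which `fix_openshift_apiserver_spec_hash_annotation` in src/ocp_postprocess.rs later substitutes or strips by exact text match. The strip path there matches `,{"name":"…","value":"${…}"}` with a leading comma, so it silently stops matching if a container ever has an empty `Env` before the append, or if the names or order change here. I would add `// Proxy placeholders: ocp_postprocess.rs fills or removes these by exact text match; keep the names in sync and keep them after existing env entries.` above the slice. Separately, `Value:"${HTTP_PROXY}"` and `Value:"${NO_PROXY}"` lack the space after the colon that gofmt would insert. The body of `apiServerDeploymentJSON` starts and ends outside this hunk.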
@@ -1 +1 @@ -{"replicas":1,"selector":{"matchLabels":{"apiserver":"true","app":"openshift-apiserver-a"}},"template":{"metadata":{"name":"openshift-apiserver","creationTimestamp":null,"labels":{"apiserver":"true","app":"openshift-apiserver-a","openshift-apiserver-anti-affinity":"true","revision":"${REVISION}"},"annotations":{"openshift.io/required-scc":"privileged","operator.openshift.io/dep-desired.generation":"${DESIRED_GENERATION}","operator.openshift.io/dep-openshift-apiserver.config.configmap":"${CONFIG_HASH}","operator.openshift.io/dep-openshift-apiserver.etcd-client.secret":"${ETCD_CLIENT_HASH}","operator.openshift.io/dep-openshift-apiserver.etcd-serving-ca.configmap":"${ETCD_SERVING_CA_HASH}","operator.openshift.io/dep-openshift-apiserver.image-import-ca.configmap":"${IMAGE_IMPORT_CA_HASH}","operator.openshift.io/dep-openshift-apiserver.trusted-ca-bundle.configmap":"${TRUSTED_CA_BUNDLE_HASH}","target.workload.openshift.io/management":"{\"effect\": \"PreferredDuringScheduling\"}"}},"spec":{"volumes":[{"name":"node-pullsecrets","hostPath":{"path":"/var/lib/kubelet/","type":"Directory"}},{"name":"config","configMap":{"name":"config"}},{"name":"audit","configMap":{"name":"audit-${REVISION}"}},{"name":"etcd-client","secret":{"secretName":"etcd-client","defaultMode":384}},{"name":"etcd-serving-ca","configMap":{"name":"etcd-serving-ca"}},{"name":"image-import-ca","configMap":{"name":"image-import-ca","optional":true}},{"name":"serving-cert","secret":{"secretName":"serving-cert","defaultMode":384}},{"name":"trusted-ca-bundle","configMap":{"name":"trusted-ca-bundle","items":[{"key":"ca-bundle.crt","path":"tls-ca-bundle.pem"}],"optional":true}},{"name":"encryption-config","secret":{"secretName":"encryption-config-${REVISION}","defaultMode":384,"optional":true}},{"name":"audit-dir","hostPath":{"path":"/var/log/openshift-apiserver"}}],"initContainers":[{"name":"fix-audit-permissions","image":"${IMAGE}","command":["sh","-c","chmod 0700 /var/log/openshift-apiserver 
\u0026\u0026 touch /var/log/openshift-apiserver/audit.log \u0026\u0026 chmod 0600 /var/log/openshift-apiserver/*"],"resources":{"requests":{"cpu":"15m","memory":"50Mi"}},"volumeMounts":[{"name":"audit-dir","mountPath":"/var/log/openshift-apiserver"}],"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true,"runAsUser":0}}],"containers":[{"name":"openshift-apiserver","image":"${IMAGE}","command":["/bin/bash","-ec"],"args":["if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then\n echo \"Copying system trust bundle\"\n cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nfi\nexec openshift-apiserver start --config=/var/run/configmaps/config/config.yaml -v=${VERBOSITY}\n"],"ports":[{"containerPort":8443}],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}],"resources":{"requests":{"cpu":"100m","memory":"200Mi"}},"volumeMounts":[{"name":"node-pullsecrets","readOnly":true,"mountPath":"/var/lib/kubelet/"},{"name":"config","mountPath":"/var/run/configmaps/config"},{"name":"audit","mountPath":"/var/run/configmaps/audit"},{"name":"etcd-client","mountPath":"/var/run/secrets/etcd-client"},{"name":"etcd-serving-ca","mountPath":"/var/run/configmaps/etcd-serving-ca"},{"name":"image-import-ca","mountPath":"/var/run/configmaps/image-import-ca"},{"name":"trusted-ca-bundle","mountPath":"/var/run/configmaps/trusted-ca-bundle"},{"name":"serving-cert","mountPath":"/var/run/secrets/serving-cert"},{"name":"encryption-config","mountPath":"/var/run/secrets/encryption-config"},{"name":"audit-dir","mountPath":"/var/log/openshift-apiserver"}],"livenessProbe":{"httpGet":{"path":"healthz","port":8443,"scheme":"HTTPS"},"timeoutSeconds":10,"periodSeconds":10,"successThreshold":1,"failureThreshold":3},"readinessProbe":{"httpGet":{"path":"readyz",
"port":8443,"scheme":"HTTPS"},"timeoutSeconds":10,"periodSeconds":5,"successThreshold":1,"failureThreshold":1},"startupProbe":{"httpGet":{"path":"healthz","port":8443,"scheme":"HTTPS"},"timeoutSeconds":10,"periodSeconds":5,"successThreshold":1,"failureThreshold":30},"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true,"runAsUser":0,"readOnlyRootFilesystem":false}},{"name":"openshift-apiserver-check-endpoints","image":"${KUBE_APISERVER_OPERATOR_IMAGE}","command":["cluster-kube-apiserver-operator","check-endpoints"],"args":["--listen","0.0.0.0:17698","--namespace","$(POD_NAMESPACE)","--v","2"],"ports":[{"name":"check-endpoints","containerPort":17698,"protocol":"TCP"}],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}],"resources":{"requests":{"cpu":"10m","memory":"50Mi"}},"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent"}],"terminationGracePeriodSeconds":90,"nodeSelector":{"node-role.kubernetes.io/master":""},"serviceAccountName":"openshift-apiserver-sa","affinity":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"apiserver":"true","app":"openshift-apiserver-a","openshift-apiserver-anti-affinity":"true"}},"topologyKey":"kubernetes.io/hostname"}]}},"tolerations":[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":120},{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":120}],"priorityClassName":"system-node-critical"}},"strategy":{"type":"RollingUpdate","rollingUpdate":{"maxUnavailable":1,"maxSurge":0}}} \ No newline at end of file 
+{"replicas":1,"selector":{"matchLabels":{"apiserver":"true","app":"openshift-apiserver-a"}},"template":{"metadata":{"name":"openshift-apiserver","creationTimestamp":null,"labels":{"apiserver":"true","app":"openshift-apiserver-a","openshift-apiserver-anti-affinity":"true","revision":"${REVISION}"},"annotations":{"openshift.io/required-scc":"privileged","operator.openshift.io/dep-desired.generation":"${DESIRED_GENERATION}","operator.openshift.io/dep-openshift-apiserver.config.configmap":"${CONFIG_HASH}","operator.openshift.io/dep-openshift-apiserver.etcd-client.secret":"${ETCD_CLIENT_HASH}","operator.openshift.io/dep-openshift-apiserver.etcd-serving-ca.configmap":"${ETCD_SERVING_CA_HASH}","operator.openshift.io/dep-openshift-apiserver.image-import-ca.configmap":"${IMAGE_IMPORT_CA_HASH}","operator.openshift.io/dep-openshift-apiserver.trusted-ca-bundle.configmap":"${TRUSTED_CA_BUNDLE_HASH}","target.workload.openshift.io/management":"{\"effect\": \"PreferredDuringScheduling\"}"}},"spec":{"volumes":[{"name":"node-pullsecrets","hostPath":{"path":"/var/lib/kubelet/","type":"Directory"}},{"name":"config","configMap":{"name":"config"}},{"name":"audit","configMap":{"name":"audit-${REVISION}"}},{"name":"etcd-client","secret":{"secretName":"etcd-client","defaultMode":384}},{"name":"etcd-serving-ca","configMap":{"name":"etcd-serving-ca"}},{"name":"image-import-ca","configMap":{"name":"image-import-ca","optional":true}},{"name":"serving-cert","secret":{"secretName":"serving-cert","defaultMode":384}},{"name":"trusted-ca-bundle","configMap":{"name":"trusted-ca-bundle","items":[{"key":"ca-bundle.crt","path":"tls-ca-bundle.pem"}],"optional":true}},{"name":"encryption-config","secret":{"secretName":"encryption-config-${REVISION}","defaultMode":384,"optional":true}},{"name":"audit-dir","hostPath":{"path":"/var/log/openshift-apiserver"}}],"initContainers":[{"name":"fix-audit-permissions","image":"${IMAGE}","command":["sh","-c","chmod 0700 /var/log/openshift-apiserver \u0026\u0026 touch 
/var/log/openshift-apiserver/audit.log \u0026\u0026 chmod 0600 /var/log/openshift-apiserver/*"],"resources":{"requests":{"cpu":"15m","memory":"50Mi"}},"volumeMounts":[{"name":"audit-dir","mountPath":"/var/log/openshift-apiserver"}],"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true,"runAsUser":0}}],"containers":[{"name":"openshift-apiserver","image":"${IMAGE}","command":["/bin/bash","-ec"],"args":["if [ -s /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem ]; then\n echo \"Copying system trust bundle\"\n cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nfi\nexec openshift-apiserver start --config=/var/run/configmaps/config/config.yaml -v=${VERBOSITY}\n"],"ports":[{"containerPort":8443}],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"name":"HTTPS_PROXY","value":"${HTTPS_PROXY}"},{"name":"HTTP_PROXY","value":"${HTTP_PROXY}"},{"name":"NO_PROXY","value":"${NO_PROXY}"}],"resources":{"requests":{"cpu":"100m","memory":"200Mi"}},"volumeMounts":[{"name":"node-pullsecrets","readOnly":true,"mountPath":"/var/lib/kubelet/"},{"name":"config","mountPath":"/var/run/configmaps/config"},{"name":"audit","mountPath":"/var/run/configmaps/audit"},{"name":"etcd-client","mountPath":"/var/run/secrets/etcd-client"},{"name":"etcd-serving-ca","mountPath":"/var/run/configmaps/etcd-serving-ca"},{"name":"image-import-ca","mountPath":"/var/run/configmaps/image-import-ca"},{"name":"trusted-ca-bundle","mountPath":"/var/run/configmaps/trusted-ca-bundle"},{"name":"serving-cert","mountPath":"/var/run/secrets/serving-cert"},{"name":"encryption-config","mountPath":"/var/run/secrets/encryption-config"},{"name":"audit-dir","mountPath":"/var/log/openshift-apiserver"}],"livenessProbe":{"httpGet":{"path":"healthz","port":8443,"scheme":"HTTPS"},"timeoutSe
conds":10,"periodSeconds":10,"successThreshold":1,"failureThreshold":3},"readinessProbe":{"httpGet":{"path":"readyz","port":8443,"scheme":"HTTPS"},"timeoutSeconds":10,"periodSeconds":5,"successThreshold":1,"failureThreshold":1},"startupProbe":{"httpGet":{"path":"healthz","port":8443,"scheme":"HTTPS"},"timeoutSeconds":10,"periodSeconds":5,"successThreshold":1,"failureThreshold":30},"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true,"runAsUser":0,"readOnlyRootFilesystem":false}},{"name":"openshift-apiserver-check-endpoints","image":"${KUBE_APISERVER_OPERATOR_IMAGE}","command":["cluster-kube-apiserver-operator","check-endpoints"],"args":["--listen","0.0.0.0:17698","--namespace","$(POD_NAMESPACE)","--v","2"],"ports":[{"name":"check-endpoints","containerPort":17698,"protocol":"TCP"}],"env":[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"name":"HTTPS_PROXY","value":"${HTTPS_PROXY}"},{"name":"HTTP_PROXY","value":"${HTTP_PROXY}"},{"name":"NO_PROXY","value":"${NO_PROXY}"}],"resources":{"requests":{"cpu":"10m","memory":"50Mi"}},"terminationMessagePolicy":"FallbackToLogsOnError","imagePullPolicy":"IfNotPresent"}],"terminationGracePeriodSeconds":90,"nodeSelector":{"node-role.kubernetes.io/master":""},"serviceAccountName":"openshift-apiserver-sa","affinity":{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"apiserver":"true","app":"openshift-apiserver-a","openshift-apiserver-anti-affinity":"true"}},"topologyKey":"kubernetes.io/hostname"}]}},"tolerations":[{"key":"node-role.kubernetes.io/master","operator":"Exists","effect":"NoSchedule"},{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoExecute"},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":120},{"key":"node.kube
rnetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":120}],"priorityClassName":"system-node-critical"}},"strategy":{"type":"RollingUpdate","rollingUpdate":{"maxUnavailable":1,"maxSurge":0}}} \ No newline at end of file diff --git a/src/ocp_postprocess.rs b/src/ocp_postprocess.rs index 0a93672b..80bc05c5 100644 --- a/src/ocp_postprocess.rs +++ b/src/ocp_postprocess.rs @@ -329,6 +329,31 @@ async fn get_openshift_apiserver_log_level(in_memory_etcd_client: &Arc) -> Result>> { + let etcd_client = in_memory_etcd_client; + + let cluster = get_etcd_json( + etcd_client, + &K8sResourceLocation::new(None, "OpenShiftAPIServer", "cluster", "operator.openshift.io/v1"), + ) + .await? + .context("couldn't find openshiftapiserver.operator/cluster resource")?; + + if let Some(proxy_config) = cluster.pointer("/spec/observedConfig/workloadcontroller/proxy") { + let vars: BTreeMap<_, _> = proxy_config + .as_object() + .context("spec.observedConfig.workloadcontroller.proxy not an object")? + .iter() + .map(|(k, v)| Ok((k.clone(), String::from(v.as_str().context("value not a string")?)))) + .collect::>>()? + .into_iter() + .collect(); + Ok(Some(vars)) + } else { + Ok(None) + } +} + pub(crate) async fn fix_deployment_spec_hash_annotation( in_memory_etcd_client: &Arc, k8s_resource_location: K8sResourceLocation, @@ -362,7 +387,18 @@ pub(crate) async fn fix_deployment_spec_hash_annotation( .await .context("could not get KUBE_APISERVER_OPERATOR_IMAGE")?; - fix_openshift_apiserver_spec_hash_annotation(metadata_annotations, revision, &log_level, &kube_apiserver_operator_image).await? + let proxy_env_vars = get_proxy_env_vars(in_memory_etcd_client) + .await + .context("could not get proxy env vars")?; + + fix_openshift_apiserver_spec_hash_annotation( + metadata_annotations, + revision, + &log_level, + &kube_apiserver_operator_image, + proxy_env_vars, + ) + .await? } Some("openshift-oauth-apiserver") => { let container_image = dep 
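Review bot: `.context("value not a string")` inside the `.map(...)` closure of the new proxy lookup does not say which key failed, so a malformed entry under `/spec/observedConfig/workloadcontroller/proxy` produces an error with no pointer to the offending variable; `v.as_str().with_context(|| format!("proxy value for {k} is not a string"))?` would name it. The pairs are also collected twice (`.collect…()?` followed by `.into_iter().collect()`); the generic arguments are not legible on this page, but collecting straight into a `Result` of the map would presumably drop the intermediate collection. A one-line doc comment stating that `Ok(None)` means the resource has no proxy section would make the contract clear to the caller in `fix_deployment_spec_hash_annotation`. The function signature itself is not legible in this hunk as shown.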
@@ -539,6 +575,7 @@ async fn fix_openshift_apiserver_spec_hash_annotation(
 revision: &str,
 log_level: &str,
 kube_apiserver_operator_image: &str,
+ proxy_env_vars: Option>,
 ) -> Result<(), anyhow::Error> {
 let bytes = include_bytes!("bindata/openshift-apiserver-deployment.json");
 let mut spec_json = String::from_utf8(bytes.to_vec()).context("invalid UTF-8 string")?;
@@ -581,6 +618,19 @@ async fn fix_openshift_apiserver_spec_hash_annotation(
 spec_json = spec_json.replace("${VERBOSITY}", log_level);
 spec_json = spec_json.replace("${KUBE_APISERVER_OPERATOR_IMAGE}", kube_apiserver_operator_image);
+ match proxy_env_vars {
+ Some(vars) => {
+ for (key, value) in vars {
+ spec_json = spec_json.replace(format!("${{{}}}", key).as_str(), &value);
+ }
+ }
+ None => {
+ for var in ["HTTPS_PROXY", "HTTP_PROXY", "NO_PROXY"] {
+ spec_json = spec_json.replace(format!(",{{\"name\":\"{0}\",\"value\":\"${{{0}}}\"}}", var).as_str(), "");
+ }
+ }
+ }
+
 let mut sha256 = Sha256::new();
 sha256.update(spec_json);
 let spec_hash: String = format!("{:x}", sha256.finalize());
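Review bot: In the `Some(vars)` arm of the last hunk only the keys present in the map are substituted, so when the observed proxy config lacks one of the three names its `${…}` placeholder stays in `spec_json` as a literal env value and is hashed that way. The `None` arm suggests unused entries are meant to be dropped, though what the operator emits for a partly set proxy is not visible here. Iterating the fixed name list in both cases and stripping the entry whenever the map has no value for it covers this, and also stops keys read from etcd from choosing which placeholder gets replaced. The values are spliced into JSON text unescaped, so a value containing `"` or `\` would give a string that differs from what a JSON encoder writes; escaping the value before the replace would close that gap. The function body continues outside the hunk.

```rust
// … unchanged: ${VERBOSITY} and ${KUBE_APISERVER_OPERATOR_IMAGE} substitution …
let vars = proxy_env_vars.unwrap_or_default();
for var in ["HTTPS_PROXY", "HTTP_PROXY", "NO_PROXY"] {
    match vars.get(var) {
        Some(value) => {
            spec_json = spec_json.replace(format!("${{{}}}", var).as_str(), value);
        }
        None => {
            spec_json = spec_json.replace(format!(",{{\"name\":\"{0}\",\"value\":\"${{{0}}}\"}}", var).as_str(), "");
        }
    }
}
// … unchanged: sha256 over spec_json …
```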