ignition: set HTTP proxy variable and SSL_CERT_FILE from host -> machine.
#12748
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: flouthoc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
flouthoc
force-pushed
the
ign_add_proxy_vars
branch
from
60fd758 to
58aee65
Compare
flouthoc
force-pushed
the
ign_add_proxy_vars
branch
from
58aee65 to
89027e9
Compare
flouthoc
force-pushed
the
ign_add_proxy_vars
branch
from
6f3eeaa to
f476a46
Compare
pkg/util/utils.go
Outdated
| @@ -30,6 +30,9 @@ import ( | |||
| "golang.org/x/crypto/ssh/terminal" | |||
| ) | |||
|
|
|||
| // ProxyVars is being used by different packages of podman | |||
| var ProxyVars = [...]string{"HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY", "http_proxy", "https_proxy", "no_proxy", "ftp_proxy", "FTP_PROXY"} | |||
There was a problem hiding this comment.
Can you do this as a map[string]bool and then use it in both places.
There was a problem hiding this comment.
Yes that is better. I'll amend this.
There was a problem hiding this comment.
@rhatdan I am not sure what would be advantage though cause for podman we have to allow all of them anyways. Is intention to make them configurable ?
There was a problem hiding this comment.
No just sharing with the other code, which needs a map.
There was a problem hiding this comment.
@rhatdan Oh i see. Only buildah is using a map for this do we intend to share this with buildah ? I don't see anywhere else
Although c/common is using a similar line https://github.com/containers/common/blob/main/pkg/config/config.go#L900
We could make this variable Global and use it.
The only small issue is then this PR would need vendor changes as well. But its not a big deal. Let me know what you feel fits best here.
Podman often has to run behind an http/https proxy, often in corporate environments. This proxy may or may not include SSL inspection capabilities, requiring a trusted SSL CA certificate to be added to a system's trust store. Solve this by reading standard proxy variables (HTTP_PROXY HTTPS_PROXY NO_PROXY http_proxy https_proxy no_proxy) and injecting them into the machine at init. [NO NEW TESTS NEEDED] Signed-off-by: Aditya Rajan <[email protected]>
Podman often has to run behind an http/https proxy, often in corporate environments. This proxy may or may not include SSL inspection capabilities, requiring a trusted SSL CA certificate to be added to a system's trust store. Copy the file referred to by SSL_CERT_FILE on the host into the podman machine's OS trust store, overriding the built-in single-file trust store certificate. Also set the `SSL_FILE_CERT` on remote machine [NO NEW TESTS NEEDED] Signed-off-by: Aditya Rajan <[email protected]>
Signed-off-by: Aditya Rajan <[email protected]>
flouthoc
force-pushed
the
ign_add_proxy_vars
branch
from
f476a46 to
a95c01e
Compare
|
@rhatdan updated the PR after @vrothberg 's c/common sync. Thanks @vrothberg . |
|
LGTM |
|
@vrothberg PTAL |
|
@baude Could you review this as well since changes are related to ignition. No rush. |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
Podman often has to run behind an http/https proxy, often in corporate environments. This proxy may or may not include SSL inspection capabilities, requiring a trusted SSL CA certificate to be added to a system's trust store.
PR solves this by detecting the standard proxy variables (
HTTP_PROXYHTTPS_PROXYNO_PROXYhttp_proxyhttps_proxyno_proxy) and injecting them into themachineat init.Second Part is availability of
SSL_CERT_FILEon remote machine.PR solves this by reading the equivalent file on
hostand copying the file toremote machineand setting equivalentSSL_CERT_FILEonremote machine.[NO NEW TESTS NEEDED]
I am not sure if there is a way to test ignition in CI. Please pull the tree and try running it.
Closes: #12739