Add proxy configuration to the generated install-config.yaml (openshi…

…ft#1341)
derekhiggins · Feb 14, 2022 · bacf996 · bacf996
1 parent 83f0f4e
commit bacf996
Show file tree

Hide file tree

Showing 11 changed files with 101 additions and 21 deletions.
diff --git a/.gitignore b/.gitignore
@@ -14,4 +14,4 @@ metallb/frr/
 assets/templates/99_master-chronyd-redhat.yaml
 assets/templates/99_worker-chronyd-redhat.yaml
 
-pull_secret.json
+pull_secret.json
diff --git a/02_configure_host.sh b/02_configure_host.sh
@@ -54,6 +54,18 @@ if [[ ! -z "${MIRROR_IMAGES}" || $(env | grep "_LOCAL_IMAGE=") || ! -z "${ENABL
  setup_local_registry
 fi
 
+# Configure a local proxy to be used for the installation
+if [[ ! -z "${INSTALLER_PROXY}" ]]; then
+ generate_proxy_conf > ${WORKING_DIR}/squid.conf
+
+ sudo podman run -d --rm \
+ --net host \
+ --volume ${WORKING_DIR}/squid.conf:/etc/squid/squid.conf \
+ --name ds-squid \
+ --dns 127.0.0.1 \
+ quay.io/sameersbn/squid:latest
+fi
+
 sudo systemctl enable --now firewalld
 
 # Configure an NTP server for use by the cluster, this is especially
@@ -191,7 +203,7 @@ ANSIBLE_FORCE_COLOR=true ansible-playbook \
  -e "{use_firewalld: True}" \
  -e "provisioning_interface=$PROVISIONING_NETWORK_NAME" \
  -e "baremetal_interface=$BAREMETAL_NETWORK_NAME" \
- -e "{provisioning_host_ports: [80, ${LOCAL_REGISTRY_PORT}, 8000]}" \
+ -e "{provisioning_host_ports: [80, ${LOCAL_REGISTRY_PORT}, 8000, ${INSTALLER_PROXY_PORT}]}" \
  -e "vbmc_port_range=$VBMC_BASE_PORT:$VBMC_MAX_PORT" \
  -i ${VM_SETUP_PATH}/inventory.ini \
  -b -vvv ${VM_SETUP_PATH}/firewall.yml

diff --git a/06_create_cluster.sh b/06_create_cluster.sh
@@ -12,6 +12,12 @@ source validation.sh
 
 early_deploy_validation
 
+if [[ ! -z "$INSTALLER_PROXY" ]]; then
+ export HTTP_PROXY=${HTTP_PROXY}
+ export HTTPS_PROXY=${HTTPS_PROXY}
+ export NO_PROXY=${NO_PROXY}
+fi
+
 # Call openshift-installer to deploy the bootstrap node and masters
 create_cluster ${OCP_DIR}
 

diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: default all requirements configure ironic ocp_run install_config clean ocp_cleanup ironic_cleanup host_cleanup cache_cleanup registry_cleanup workingdir_cleanup podman_cleanup bell
+.PHONY: default all requirements configure ironic ocp_run install_config clean ocp_cleanup ironic_cleanup host_cleanup cache_cleanup registry_cleanup proxy_cleanup workingdir_cleanup podman_cleanup bell
 default: requirements configure build_installer ironic install_config ocp_run bell
 
 all: default
@@ -29,7 +29,7 @@ ocp_run:
 gather:
  ./must_gather.sh
 
-clean: ocp_cleanup ironic_cleanup host_cleanup assisted_deployment_cleanup
+clean: ocp_cleanup ironic_cleanup proxy_cleanup host_cleanup assisted_deployment_cleanup
 
 assisted_deployment_cleanup:
  ./assisted_deployment.sh delete_all
@@ -57,6 +57,9 @@ workingdir_cleanup:
 podman_cleanup:
  ./podman_cleanup.sh
 
+proxy_cleanup:
+ ./proxy_cleanup.sh
+
 bell:
  @echo "Done!" $$'\a'
 

diff --git a/common.sh b/common.sh
@@ -69,6 +69,10 @@ export SSH_PUB_KEY="${SSH_PUB_KEY:-$(cat $HOME/.ssh/id_rsa.pub)}"
 # mirror images for installation in restricted network
 export MIRROR_IMAGES=${MIRROR_IMAGES:-}
 
+# Setup up a local proxy for installation
+export INSTALLER_PROXY=${INSTALLER_PROXY:-}
+export INSTALLER_PROXY_PORT=${INSTALLER_PROXY_PORT:-8215}
+
 # Hypervisor details
 export REMOTE_LIBVIRT=${REMOTE_LIBVIRT:-0}
 export PROVISIONING_HOST_USER=${PROVISIONING_HOST_USER:-$USER}

diff --git a/config_example.sh b/config_example.sh
@@ -272,6 +272,10 @@ set -x
 # been configured.
 # export ADDITIONAL_TRUST_BUNDLE=/path/to/ca_file
 
+# Configures the installer to use a proxy running on the local host
+# and blocks all outgoing traffic
+# export INSTALLER_PROXY=true
+
 ##
 ## Assisted Deployment
 ##

diff --git a/network.sh b/network.sh
@@ -7,6 +7,21 @@ function nth_ip() {
  python -c "from ansible_collections.ansible.netcommon.plugins.filter import ipaddr; print(ipaddr.nthhost('"$network"', $idx))"
 }
 
+function ipversion(){
+ if [[ $1 =~ : ]] ; then
+ echo 6
+ exit
+ fi
+ echo 4
+}
+
+function wrap_if_ipv6(){
+ if [ $(ipversion $1) == 6 ] ; then
+ echo "[$1]"
+ exit
+ fi
+ echo "$1"
+}
 
 export IP_STACK=${IP_STACK:-"v6"}
 export HOST_IP_STACK=${HOST_IP_STACK:-${IP_STACK}}
@@ -151,3 +166,19 @@ else
  export BOOTSTRAP_PROVISIONING_IP=${BOOTSTRAP_PROVISIONING_IP:-$(nth_ip $PROVISIONING_NETWORK 2)}
  export CLUSTER_PROVISIONING_IP=${CLUSTER_PROVISIONING_IP:-$(nth_ip $PROVISIONING_NETWORK 3)}
 fi
+
+# Proxy related configuration
+if [[ ! -z "$INSTALLER_PROXY" ]]; then
+ export EXT_SUBNET=${EXTERNAL_SUBNET_V6}
+ if [[ "$IP_STACK" = "v4" ]]; then
+ EXT_SUBNET=${EXTERNAL_SUBNET_V4}
+ fi
+
+ HTTP_PROXY=http://$(wrap_if_ipv6 ${PROVISIONING_HOST_EXTERNAL_IP}):${INSTALLER_PROXY_PORT}
+ HTTPS_PROXY=http://$(wrap_if_ipv6 ${PROVISIONING_HOST_EXTERNAL_IP}):${INSTALLER_PROXY_PORT}
+ NO_PROXY=${PROVISIONING_NETWORK},9999,${EXT_SUBNET}
+
+ if [[ "$PROVISIONING_NETWORK_PROFILE" == "Disabled" ]]; then
+ NO_PROXY=${EXT_SUBNET},9999
+ fi
+fi
diff --git a/ocp_install_env.sh b/ocp_install_env.sh
@@ -270,6 +270,16 @@ sshKey: |
 fips: ${FIPS_MODE:-false}
 EOF
 
+ if [[ ! -z "$INSTALLER_PROXY" ]]; then
+
+ cat >> "${outdir}/install-config.yaml" << EOF
+proxy:
+ httpProxy: ${HTTP_PROXY}
+ httpsProxy: ${HTTPS_PROXY}
+ noProxy: ${NO_PROXY}
+EOF
+ fi
+
  cp "${outdir}/install-config.yaml" "${outdir}/install-config.yaml.save"
 }
 

diff --git a/proxy_cleanup.sh b/proxy_cleanup.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -x
+
+source logging.sh
+source common.sh
+source validation.sh
+
+early_cleanup_validation
+
+sudo podman kill ds-squid || true
diff --git a/utils.sh b/utils.sh
@@ -165,22 +165,6 @@ function create_cluster() {
  $OPENSHIFT_INSTALLER --dir "${assets_dir}" --log-level=debug create cluster 2>&1 | grep --line-buffered -v 'password\|X-Auth-Token\|UserData:'
 }
 
-function ipversion(){
- if [[ $1 =~ : ]] ; then
- echo 6
- exit
- fi
- echo 4
-}
-
-function wrap_if_ipv6(){
- if [ $(ipversion $1) == 6 ] ; then
- echo "[$1]"
- exit
- fi
- echo "$1"
-}
-
 function network_ip() {
  local network
  local rc
@@ -584,6 +568,21 @@ function wait_for_crd() {
  oc wait --for condition=established --timeout=60s "crd/$1" || exit 1
 }
 
+function generate_proxy_conf() {
+ if [[ "$PROVISIONING_NETWORK_PROFILE" != "Disabled" ]]; then
+ echo "acl all src ${PROVISIONING_NETWORK}"
+ fi
+
+ cat <<EOF
+acl all src ${EXT_SUBNET}
+http_access allow all
+http_port ${INSTALLER_PROXY_PORT}
+debug_options ALL,2
+dns_v4_first on
+coredump_dir /var/spool/squid
+EOF
+}
+
 _tmpfiles=
 function removetmp(){
  [ -n "$_tmpfiles" ] && rm -rf $_tmpfiles || true

diff --git a/vm_setup_vars.yml b/vm_setup_vars.yml
@@ -54,7 +54,7 @@ provisioning_network:
 external_network:
  - name: "{{ baremetal_network_name }}"
  bridge: "{{ baremetal_network_name }}"
- forward_mode: "{{ 'bridge' if lookup('env', 'MANAGE_BR_BRIDGE') == 'n' else 'nat' }}"
+ forward_mode: "{{ 'bridge' if lookup('env', 'MANAGE_BR_BRIDGE') == 'n' else 'nat' if not lookup('env', 'INSTALLER_PROXY') else 'route'}}"
  address_v4: "{{ baremetal_network_cidr_v4|nthhost(1)|default('', true) }}"
  netmask_v4: "{{ baremetal_network_cidr_v4|ipaddr('netmask') }}"
  address_v6: "{{ baremetal_network_cidr_v6|nthhost(1)|default('', true) }}"