From b31879de88e5a273fb887d78dd2060d4442e2093 Mon Sep 17 00:00:00 2001 From: Praveen Jaya Kumar Date: Wed, 10 Dec 2025 12:10:14 +0530 Subject: [PATCH 1/4] MG-66: Remove the proxy config from CR --- .../must-gather-operator.md | 22 ++----------------- 1 file changed, 2 insertions(+), 20 deletions(-) diff --git a/enhancements/support-log-gather/must-gather-operator.md b/enhancements/support-log-gather/must-gather-operator.md index b603666bc7..dc1589881d 100644 --- a/enhancements/support-log-gather/must-gather-operator.md +++ b/enhancements/support-log-gather/must-gather-operator.md @@ -120,10 +120,6 @@ type MustGatherSpec struct { // +optional AdditionalConfig *AdditionalConfig `json:"additionalConfig,omitempty"` - // This represents the proxy configuration to be used. If left empty it will default to the cluster-level proxy configuration. - // +optional - ProxyConfig ProxySpec `json:"proxyConfig,omitempty"` - // A time limit for gather command to complete a floating point number with a suffix: // "s" for seconds, "m" for minutes, "h" for hours, or "d" for days. // Will default to no time limit. @@ -240,21 +236,6 @@ type PersistentVolumeClaimReference struct { Name string `json:"name"` } -// +k8s:openapi-gen=true -type ProxySpec struct { - // httpProxy is the URL of the proxy for HTTP requests. Empty means unset and will not result in an env var. - // +optional - HTTPProxy string `json:"httpProxy,omitempty"` - - // httpsProxy is the URL of the proxy for HTTPS requests. Empty means unset and will not result in an env var. - // +optional - HTTPSProxy string `json:"httpsProxy,omitempty"` - - // noProxy is the list of domains for which the proxy should not be used. Empty means unset and will not result in an env var. - // +optional - NoProxy string `json:"noProxy,omitempty"` -} - // MustGatherStatus defines the observed state of MustGather type MustGatherStatus struct { Status string `json:"status,omitempty"` 
@@ -397,7 +378,8 @@ None, as a day-2 operator dedicated OpenShift and Hosted Clusters are both treat #### Proxy clusters -`mustgather.spec.proxyConfig` if set by the user in the CR, will be propagated as pod environment variables to the gather and upload containers of the Job. The configuration set in the resource is given precedence over the cluster-wide proxy settings set on the cluster through `configv1.Proxy` object. Due to the nature of SOCKS proxy protocol and the HTTP "CONNECT" verb in most proxy servers used with OpenShift, the upload process using SFTP's TCP can essentially make a CONNECT request over netcat and intercept to upload the mustgather bundle even when on a airgapped proxy setup. +The operator inherits cluster-wide proxy settings (typically propagated from the configv1.Proxy object via the operator's environment variables) and passes them to the upload container of the Job. The upload process uses an HTTP CONNECT proxy via netcat (nc --proxy-type http) as an SSH ProxyCommand, allowing SFTP traffic to tunnel through HTTP proxies commonly used in airgapped OpenShift environments. + ## Implementation History From c0c5c387bd0c90f79f1548c60b4709f8c6a94215 Mon Sep 17 00:00:00 2001 From: Praveen Jaya Kumar Date: Wed, 10 Dec 2025 15:51:07 +0530 Subject: [PATCH 2/4] add Trusted CA information --- .../must-gather-operator.md | 58 ++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/enhancements/support-log-gather/must-gather-operator.md b/enhancements/support-log-gather/must-gather-operator.md index dc1589881d..9a1366f1f9 100644 --- a/enhancements/support-log-gather/must-gather-operator.md +++ b/enhancements/support-log-gather/must-gather-operator.md 
@@ -378,8 +378,64 @@ None, as a day-2 operator dedicated OpenShift and Hosted Clusters are both treat #### Proxy clusters -The operator inherits cluster-wide proxy settings (typically propagated from the configv1.Proxy object via the operator's environment variables) and passes them to the upload container of the Job. The upload process uses an HTTP CONNECT proxy via netcat (nc --proxy-type http) as an SSH ProxyCommand, allowing SFTP traffic to tunnel through HTTP proxies commonly used in airgapped OpenShift environments. +The operator inherits cluster-wide proxy settings from the `configv1.Proxy` object via environment variables propagated by OLM and passes them to the upload container of the Job. +For SFTP uploads through HTTP proxies (common in air-gapped OpenShift environments), the upload process uses an HTTP CONNECT proxy via netcat (`nc --proxy-type http`) as an SSH `ProxyCommand`. This allows SFTP traffic to tunnel through the configured HTTP proxy. + +To customize proxy settings, a cluster administrator can override the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables through the OLM Subscription object. + +## Configuring egress proxy for Must Gather Operator + +If a cluster wide egress proxy is configured on the OpenShift cluster, OLM automatically update all the operators' deployments with `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` environment variables. +Those variables are then propagated down to the must gather (operand) controllers by the must gather operator. + +### Trusted Certificate Authority + +#### Running operator + +Follow the instructions below to let Must Gather Operator trust a custom Certificate Authority (CA). The operator's OLM subscription has to be already created. + +1. Create the configmap containing the CA bundle in `must-gather-operator` namespace. 
Run the following commands to [inject](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki) the CA bundle trusted by OpenShift into a configmap: + + ```bash + oc -n must-gather-operator create configmap trusted-ca + oc -n must-gather-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true + ``` + +2. Consume the created configmap in Must Gather Operator's deployment by updating its subscription: + + ```bash + oc -n must-gather-operator patch subscription --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}]}}}' + ``` + + _Note_: Alternatively, you can also patch the `must-gather-operator` deployment in the `must-gather-operator` namespace. + `bash + oc set env deployment/must-gather-operator TRUSTED_CA_CONFIGMAP_NAME=trusted-ca + ` + +3. Wait for the operator deployment to finish the rollout and verify that CA bundle is added to the existing controller: + + ```bash + oc get deployment -n must-gather-operator must-gather-operator -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'} | jq + [ + { + "mountPath": "/etc/pki/tls/certs/must-gather-tls-ca-bundle.crt", + "name": "trusted-ca", + "subPath": "ca-bundle.crt" + } + ] + + oc get deployment -n must-gather-operator must-gather-operator -o=jsonpath={.spec.template.spec.volumes} | jq + [ + { + "configMap": { + "defaultMode": 420, + "name": "trusted-ca" + }, + "name": "trusted-ca" + } + ] + ``` ## Implementation History From d86f81b0c90dab6142912d675cb396ce2b9b1b89 Mon Sep 17 00:00:00 2001 From: Praveen Jaya Kumar Date: Mon, 15 Dec 2025 18:03:02 +0530 Subject: [PATCH 3/4] remove doc style instructions and add EP style and add ownerReference in configmap. --- .../must-gather-operator.md | 55 ++----------------- 1 file changed, 6 insertions(+), 49 deletions(-) 
diff --git a/enhancements/support-log-gather/must-gather-operator.md b/enhancements/support-log-gather/must-gather-operator.md
index 9a1366f1f9..9f0246e513 100644
--- a/enhancements/support-log-gather/must-gather-operator.md
+++ b/enhancements/support-log-gather/must-gather-operator.md
@@ -384,58 +384,15 @@ For SFTP uploads through HTTP proxies (common in air-gapped OpenShift environmen To customize proxy settings, a cluster administrator can override the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables through the OLM Subscription object. -## Configuring egress proxy for Must Gather Operator +### Trusted Certificate Authority -If a cluster wide egress proxy is configured on the OpenShift cluster, OLM automatically update all the operators' deployments with `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` environment variables. -Those variables are then propagated down to the must gather (operand) controllers by the must gather operator. +The operator supports custom Certificate Authority (CA) bundles for environments using proxy servers with TLS interception. When the `TRUSTED_CA_CONFIGMAP_NAME` environment variable is set on the operator deployment (via OLM Subscription or direct patch), the operator mounts the referenced ConfigMap containing the CA bundle at `/etc/pki/tls/certs/must-gather-tls-ca-bundle.crt`. This ConfigMap should be labeled with `config.openshift.io/inject-trusted-cabundle=true` to leverage OpenShift's [CA bundle injection](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki). -### Trusted Certificate Authority +#### Reconcile flow + +During the MustGather CR reconciliation, the operator copies the trusted CA ConfigMap from the operator namespace (`must-gather-operator`) to the operand namespace where the MustGather CR is present. This ensures that the upload container in the must-gather job can mount and use the trusted CA bundle for SFTP uploads, even when the job runs in a different namespace than the operator. -#### Running operator - -Follow the instructions below to let Must Gather Operator trust a custom Certificate Authority (CA). The operator's OLM subscription has to be already created. - -1. 
Create the configmap containing the CA bundle in `must-gather-operator` namespace. Run the following commands to [inject](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki) the CA bundle trusted by OpenShift into a configmap: - - ```bash - oc -n must-gather-operator create configmap trusted-ca - oc -n must-gather-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true - ``` - -2. Consume the created configmap in Must Gather Operator's deployment by updating its subscription: - - ```bash - oc -n must-gather-operator patch subscription --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}]}}}' - ``` - - _Note_: Alternatively, you can also patch the `must-gather-operator` deployment in the `must-gather-operator` namespace. - `bash - oc set env deployment/must-gather-operator TRUSTED_CA_CONFIGMAP_NAME=trusted-ca - ` - -3. Wait for the operator deployment to finish the rollout and verify that CA bundle is added to the existing controller: - - ```bash - oc get deployment -n must-gather-operator must-gather-operator -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'} | jq - [ - { - "mountPath": "/etc/pki/tls/certs/must-gather-tls-ca-bundle.crt", - "name": "trusted-ca", - "subPath": "ca-bundle.crt" - } - ] - - oc get deployment -n must-gather-operator must-gather-operator -o=jsonpath={.spec.template.spec.volumes} | jq - [ - { - "configMap": { - "defaultMode": 420, - "name": "trusted-ca" - }, - "name": "trusted-ca" - } - ] - ``` +The copied ConfigMap should include an `ownerReference` pointing to the MustGather CR. Since both the MustGather CR and the copied ConfigMap reside in the same namespace, Kubernetes garbage collection will automatically delete the ConfigMap when the MustGather CR is deleted. This approach ensures automatic cleanup without explicit deletion logic in the operator. 
## Implementation History
From 1f91340f1a4224e46bd87f4583cafe7ecc93d753 Mon Sep 17 00:00:00 2001
From: Praveen Jaya Kumar
Date: Wed, 17 Dec 2025 15:01:54 +0530
Subject: [PATCH 4/4] change the crt name
---
 enhancements/support-log-gather/must-gather-operator.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/enhancements/support-log-gather/must-gather-operator.md b/enhancements/support-log-gather/must-gather-operator.md
index 9f0246e513..047dda76ce 100644
--- a/enhancements/support-log-gather/must-gather-operator.md
+++ b/enhancements/support-log-gather/must-gather-operator.md
@@ -386,7 +386,7 @@ To customize proxy settings, a cluster administrator can override the `HTTP_PROX ### Trusted Certificate Authority -The operator supports custom Certificate Authority (CA) bundles for environments using proxy servers with TLS interception. When the `TRUSTED_CA_CONFIGMAP_NAME` environment variable is set on the operator deployment (via OLM Subscription or direct patch), the operator mounts the referenced ConfigMap containing the CA bundle at `/etc/pki/tls/certs/must-gather-tls-ca-bundle.crt`. This ConfigMap should be labeled with `config.openshift.io/inject-trusted-cabundle=true` to leverage OpenShift's [CA bundle injection](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki). +The operator supports custom Certificate Authority (CA) bundles for environments using proxy servers with TLS interception. When the `TRUSTED_CA_CONFIGMAP_NAME` environment variable is set on the operator deployment (via OLM Subscription or direct patch), the operator mounts the referenced ConfigMap containing the CA bundle at `/etc/pki/tls/certs/ca-bundle.crt`. This ConfigMap should be labeled with `config.openshift.io/inject-trusted-cabundle=true` to leverage OpenShift's [CA bundle injection](https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki). #### Reconcile flow