Add proxy configuration to the generated install-config.yaml (#1341)

Author: andfasano

.gitignore

@@ -14,4 +14,4 @@ metallb/frr/
 assets/templates/99_master-chronyd-redhat.yaml
 assets/templates/99_worker-chronyd-redhat.yaml
 
-pull_secret.json
+pull_secret.json

02_configure_host.sh

@@ -54,6 +54,18 @@ if [[ ! -z "${MIRROR_IMAGES}" || $(env | grep "_LOCAL_IMAGE=")  || ! -z "${ENABL
     setup_local_registry
 fi
 
+# Configure a local proxy to be used for the installation
+if [[ ! -z "${INSTALLER_PROXY}" ]]; then
+  generate_proxy_conf > ${WORKING_DIR}/squid.conf
+
+  sudo podman run -d --rm \
+     --net host \
+     --volume ${WORKING_DIR}/squid.conf:/etc/squid/squid.conf \
+     --name ds-squid \
+     --dns 127.0.0.1 \
+     quay.io/sameersbn/squid:latest
+fi
+
 sudo systemctl enable --now firewalld
 
 # Configure an NTP server for use by the cluster, this is especially
@@ -191,7 +203,7 @@ ANSIBLE_FORCE_COLOR=true ansible-playbook \
     -e "{use_firewalld: True}" \
     -e "provisioning_interface=$PROVISIONING_NETWORK_NAME" \
     -e "baremetal_interface=$BAREMETAL_NETWORK_NAME" \
-    -e "{provisioning_host_ports: [80, ${LOCAL_REGISTRY_PORT}, 8000]}" \
+    -e "{provisioning_host_ports: [80, ${LOCAL_REGISTRY_PORT}, 8000, ${INSTALLER_PROXY_PORT}]}" \
     -e "vbmc_port_range=$VBMC_BASE_PORT:$VBMC_MAX_PORT" \
     -i ${VM_SETUP_PATH}/inventory.ini \
     -b -vvv ${VM_SETUP_PATH}/firewall.yml

06_create_cluster.sh

@@ -12,6 +12,12 @@ source validation.sh
 
 early_deploy_validation
 
+if [[ ! -z "$INSTALLER_PROXY" ]]; then
+  export HTTP_PROXY=${HTTP_PROXY}
+  export HTTPS_PROXY=${HTTPS_PROXY}
+  export NO_PROXY=${NO_PROXY}
+fi
+
 # Call openshift-installer to deploy the bootstrap node and masters
 create_cluster ${OCP_DIR}
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: default all requirements configure ironic ocp_run install_config clean ocp_cleanup ironic_cleanup host_cleanup cache_cleanup registry_cleanup workingdir_cleanup podman_cleanup bell
+.PHONY: default all requirements configure ironic ocp_run install_config clean ocp_cleanup ironic_cleanup host_cleanup cache_cleanup registry_cleanup proxy_cleanup workingdir_cleanup podman_cleanup bell
 default: requirements configure build_installer ironic install_config ocp_run bell
 
 all: default
@@ -29,7 +29,7 @@ ocp_run:
 gather:
 	./must_gather.sh
 
-clean: ocp_cleanup ironic_cleanup host_cleanup assisted_deployment_cleanup
+clean: ocp_cleanup ironic_cleanup proxy_cleanup host_cleanup assisted_deployment_cleanup
 
 assisted_deployment_cleanup:
 	./assisted_deployment.sh delete_all
@@ -57,6 +57,9 @@ workingdir_cleanup:
 podman_cleanup:
 	./podman_cleanup.sh
 
+proxy_cleanup:
+	./proxy_cleanup.sh
+
 bell:
 	@echo "Done!" $$'\a'
 

common.sh

@@ -69,6 +69,10 @@ export SSH_PUB_KEY="${SSH_PUB_KEY:-$(cat $HOME/.ssh/id_rsa.pub)}"
 # mirror images for installation in restricted network
 export MIRROR_IMAGES=${MIRROR_IMAGES:-}
 
+# Setup up a local proxy for installation
+export INSTALLER_PROXY=${INSTALLER_PROXY:-}
+export INSTALLER_PROXY_PORT=${INSTALLER_PROXY_PORT:-8215}
+
 # Hypervisor details
 export REMOTE_LIBVIRT=${REMOTE_LIBVIRT:-0}
 export PROVISIONING_HOST_USER=${PROVISIONING_HOST_USER:-$USER}

config_example.sh

@@ -272,6 +272,10 @@ set -x
 # been configured.
 # export ADDITIONAL_TRUST_BUNDLE=/path/to/ca_file
 
+# Configures the installer to use a proxy running on the local host
+# and blocks all outgoing traffic
+# export INSTALLER_PROXY=true
+
 ##
 ## Assisted Deployment
 ##

network.sh

@@ -7,6 +7,21 @@ function nth_ip() {
   python -c "from ansible_collections.ansible.netcommon.plugins.filter import ipaddr; print(ipaddr.nthhost('"$network"', $idx))"
 }
 
+function ipversion(){
+    if [[ $1 =~ : ]] ; then
+        echo 6
+        exit
+    fi
+    echo 4
+}
+
+function wrap_if_ipv6(){
+    if [ $(ipversion $1) == 6 ] ; then
+        echo "[$1]"
+        exit
+    fi
+    echo "$1"
+}
 
 export IP_STACK=${IP_STACK:-"v6"}
 export HOST_IP_STACK=${HOST_IP_STACK:-${IP_STACK}}
@@ -151,3 +166,19 @@ else
   export BOOTSTRAP_PROVISIONING_IP=${BOOTSTRAP_PROVISIONING_IP:-$(nth_ip $PROVISIONING_NETWORK 2)}
   export CLUSTER_PROVISIONING_IP=${CLUSTER_PROVISIONING_IP:-$(nth_ip $PROVISIONING_NETWORK 3)}
 fi
+
+# Proxy related configuration
+if  [[ ! -z "$INSTALLER_PROXY" ]]; then
+  export EXT_SUBNET=${EXTERNAL_SUBNET_V6}
+  if [[ "$IP_STACK" = "v4" ]]; then
+    EXT_SUBNET=${EXTERNAL_SUBNET_V4}
+  fi
+
+  HTTP_PROXY=http://$(wrap_if_ipv6 ${PROVISIONING_HOST_EXTERNAL_IP}):${INSTALLER_PROXY_PORT}
+  HTTPS_PROXY=http://$(wrap_if_ipv6 ${PROVISIONING_HOST_EXTERNAL_IP}):${INSTALLER_PROXY_PORT}
+  NO_PROXY=${PROVISIONING_NETWORK},9999,${EXT_SUBNET}
+
+  if [[ "$PROVISIONING_NETWORK_PROFILE" == "Disabled" ]]; then
+    NO_PROXY=${EXT_SUBNET},9999
+  fi
+fi

ocp_install_env.sh

@@ -270,6 +270,16 @@ sshKey: |
 fips: ${FIPS_MODE:-false}
 EOF
 
+  if [[ ! -z "$INSTALLER_PROXY" ]]; then
+
+    cat >> "${outdir}/install-config.yaml" << EOF
+proxy:
+  httpProxy: ${HTTP_PROXY}
+  httpsProxy: ${HTTPS_PROXY}
+  noProxy: ${NO_PROXY}
+EOF
+  fi
+
     cp "${outdir}/install-config.yaml" "${outdir}/install-config.yaml.save"
 }
 

proxy_cleanup.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+set -x
+
+source logging.sh
+source common.sh
+source validation.sh
+
+early_cleanup_validation
+
+sudo podman kill ds-squid || true

utils.sh

@@ -165,22 +165,6 @@ function create_cluster() {
     $OPENSHIFT_INSTALLER --dir "${assets_dir}" --log-level=debug create cluster 2>&1 | grep --line-buffered -v 'password\|X-Auth-Token\|UserData:'
 }
 
-function ipversion(){
-    if [[ $1 =~ : ]] ; then
-        echo 6
-        exit
-    fi
-    echo 4
-}
-
-function wrap_if_ipv6(){
-    if [ $(ipversion $1) == 6 ] ; then
-        echo "[$1]"
-        exit
-    fi
-    echo "$1"
-}
-
 function network_ip() {
     local network
     local rc
@@ -584,6 +568,21 @@ function wait_for_crd() {
   oc wait --for condition=established --timeout=60s "crd/$1" || exit 1
 }
 
+function generate_proxy_conf() {
+  if [[ "$PROVISIONING_NETWORK_PROFILE" != "Disabled" ]]; then
+    echo "acl all src ${PROVISIONING_NETWORK}"
+  fi
+
+  cat <<EOF
+acl all src ${EXT_SUBNET}
+http_access allow all
+http_port ${INSTALLER_PROXY_PORT}
+debug_options ALL,2
+dns_v4_first on
+coredump_dir /var/spool/squid
+EOF
+}
+
 _tmpfiles=
 function removetmp(){
     [ -n "$_tmpfiles" ] && rm -rf $_tmpfiles || true

vm_setup_vars.yml

@@ -54,7 +54,7 @@ provisioning_network:
 external_network:
   - name: "{{ baremetal_network_name }}"
     bridge: "{{ baremetal_network_name }}"
-    forward_mode: "{{ 'bridge' if lookup('env', 'MANAGE_BR_BRIDGE') == 'n' else 'nat' }}"
+    forward_mode: "{{ 'bridge' if lookup('env', 'MANAGE_BR_BRIDGE') == 'n' else 'nat' if not lookup('env', 'INSTALLER_PROXY') else 'route'}}"
     address_v4: "{{ baremetal_network_cidr_v4|nthhost(1)|default('', true) }}"
     netmask_v4: "{{ baremetal_network_cidr_v4|ipaddr('netmask') }}"
     address_v6: "{{ baremetal_network_cidr_v6|nthhost(1)|default('', true) }}"