Added system IPs to services "NO_PROXY" list

When configuring the Docker proxy (see feature doc at https://docs.starlingx.io/configuration/docker_proxy_config.html), the system IPs should be added automatically to the "NO_PROXY" environment variable of services "docker" and "containerd". This configuration was lost long time ago during a code cleanup (review https://review.opendev.org/c/starlingx/config/+/703516 , file controllerconfig/controllerconfig/controllerconfig/configassistant.py , line 2286). This commit implements again the addition of system IPs to "NO_PROXY" list. Test Plan: PASS: Successfully deploy an IPv4 AIO-SX and an IPv6 AIO-DX with no bootstrap overrides. PASS: In the deployed IPv4 AIO-SX with no bootstrap overrides, apply the configuration below and verify that the pod "ceph-pools-audit" (executed every 5 minutes) continues working correctly: source /etc/platform/openrc system service-parameter-add docker proxy https_proxy=http://1.2.3.4:3128 system service-parameter-add docker proxy http_proxy=http://1.2.3.4:3128 system service-parameter-add docker proxy no_proxy="5.6.7.8" system service-parameter-apply docker PASS: Repeat the test above in the IPv6 AIO-DX with no bootstrap overrides. PASS: Successfully deploy an IPv4 AIO-SX and an IPv6 AIO-DX with Docker proxy bootstrap overrides. Verify that the environment variables for "docker" and "containerd" services (at /etc/systemd/system/docker.service.d/http-proxy.conf and /etc/systemd/system/containerd.service.d/http-proxy.conf) are correct. Verify that the pod "ceph-pools-audit" (executed every 5 minutes) continues working correctly. Partial-Bug: 2062079 Depends-On: https://review.opendev.org/c/starlingx/config/+/916019 Change-Id: I7691fab7c4e2ba813bac1bf71c0ed7d4c4432380 Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
2024-04-15 18:16:55 -03:00 · 2024-04-15 18:16:55 -03:00 · 937132aafb
parent 65ca94a953
commit 937132aafb
3 changed files with 80 additions and 14 deletions
--- a/puppet-manifests/src/modules/platform/manifests/containerd.pp
+++ b/puppet-manifests/src/modules/platform/manifests/containerd.pp
@ -18,12 +18,11 @@ class platform::containerd::proxyconfig{
  # inherit the proxy setting from docker
  $http_proxy = $::platform::docker::params::http_proxy
  $https_proxy = $::platform::docker::params::https_proxy
-  if $::platform::docker::params::no_proxy {
-    # Containerd doesn't work with the NO_PROXY environment
-    # variable if it has IPv6 addresses with square brackets,
-    # remove the square brackets
-    $no_proxy = regsubst($::platform::docker::params::no_proxy, '\\[|\\]', '', 'G')
-  }
+
+  # Containerd doesn't work with the NO_PROXY environment
+  # variable if it has IPv6 addresses with square brackets,
+  # remove the square brackets
+  $no_proxy = regsubst($::platform::docker::params::no_proxy_complete_list, '\\[|\\]', '', 'G')

  if $http_proxy or $https_proxy {
    file { '/etc/systemd/system/containerd.service.d':
@ -45,6 +44,15 @@ class platform::containerd::proxyconfig{
      logoutput   => true,
      refreshonly => true,
    } ~> Service['containerd']
+  } else {
+    file { '/etc/systemd/system/containerd.service.d/http-proxy.conf':
+      ensure  => absent,
+    }
+    ~> exec { 'perform systemctl daemon reload for containerd proxy':
+      command     => 'systemctl daemon-reload',
+      logoutput   => true,
+      refreshonly => true,
+    } ~> Service['containerd']
  }

  service { 'containerd':
--- a/puppet-manifests/src/modules/platform/manifests/docker.pp
+++ b/puppet-manifests/src/modules/platform/manifests/docker.pp
@ -24,19 +24,67 @@ class platform::docker::params (
  $ghcr_registry_secure        = true,
  $registryk8s_registry_secure = true,
  $icr_registry_secure         = true,
-) { }
+) {
+
+  include ::platform::network::oam::params
+  include ::platform::network::mgmt::params
+  include ::platform::network::cluster_host::params
+  include ::platform::kubernetes::params
+
+  if $::platform::network::mgmt::params::subnet_version == $::platform::params::ipv6 {
+    $localhost_address = '::1'
+  } else {
+    $localhost_address = '127.0.0.1'
+  }
+
+  if $::platform::params::system_mode == 'simplex' {
+    $no_proxy_unfiltered_list = @("EOL"/L)
+      localhost,${localhost_address},registry.local,\
+      ${platform::network::oam::params::gateway_address},\
+      ${platform::network::oam::params::controller_address},\
+      ${platform::network::oam::params::controller0_address},\
+      ${platform::network::mgmt::params::gateway_address},\
+      ${platform::network::mgmt::params::controller_address},\
+      ${platform::network::mgmt::params::controller0_address},\
+      ${platform::network::cluster_host::params::gateway_address},\
+      ${platform::network::cluster_host::params::controller_address},\
+      ${platform::network::cluster_host::params::controller0_address},\
+      ${platform::kubernetes::params::apiserver_cluster_ip},\
+      ${platform::kubernetes::params::dns_service_ip},\
+      cluster.local,${no_proxy}
+      | -EOL
+  } else {
+    $no_proxy_unfiltered_list = @("EOL"/L)
+      localhost,${localhost_address},registry.local,\
+      ${platform::network::oam::params::gateway_address},\
+      ${platform::network::oam::params::controller_address},\
+      ${platform::network::oam::params::controller0_address},\
+      ${platform::network::oam::params::controller1_address},\
+      ${platform::network::mgmt::params::gateway_address},\
+      ${platform::network::mgmt::params::controller_address},\
+      ${platform::network::mgmt::params::controller0_address},\
+      ${platform::network::mgmt::params::controller1_address},\
+      ${platform::network::cluster_host::params::gateway_address},\
+      ${platform::network::cluster_host::params::controller_address},\
+      ${platform::network::cluster_host::params::controller0_address},\
+      ${platform::network::cluster_host::params::controller1_address},\
+      ${platform::kubernetes::params::apiserver_cluster_ip},\
+      ${platform::kubernetes::params::dns_service_ip},\
+      cluster.local,${no_proxy}
+      | -EOL
+  }
+
+  # Remove duplicates.
+  $no_proxy_complete_list = split($no_proxy_unfiltered_list, ',').unique.join(',')
+}

 class platform::docker::proxyconfig
  inherits ::platform::docker::params {
  include ::platform::docker::install

-  if $::osfamily == 'Debian' {
-    if $::platform::docker::params::no_proxy {
-      # Docker on Debian doesn't work with the NO_PROXY environment variable if it
-      # has IPv6 addresses with square brackets, thus remove the square brackets
-      $no_proxy = regsubst($::platform::docker::params::no_proxy, '\\[|\\]', '', 'G')
-    }
-  }
+  # Docker on Debian doesn't work with the NO_PROXY environment variable if it
+  # has IPv6 addresses with square brackets, thus remove the square brackets
+  $no_proxy = regsubst($::platform::docker::params::no_proxy_complete_list, '\\[|\\]', '', 'G')

  if $http_proxy or $https_proxy {
    file { '/etc/systemd/system/docker.service.d':
@ -57,6 +105,15 @@ class platform::docker::proxyconfig
      logoutput   => true,
      refreshonly => true,
    } ~> Service['docker']
+  } else {
+    file { '/etc/systemd/system/docker.service.d/http-proxy.conf':
+      ensure  => absent,
+    }
+    ~> exec { 'perform systemctl daemon reload for docker proxy':
+      command     => 'systemctl daemon-reload',
+      logoutput   => true,
+      refreshonly => true,
+    } ~> Service['docker']
  }

  service { 'docker':
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@ -8,6 +8,7 @@ class platform::kubernetes::params (
  $kubelet_version = undef,
  $node_ip = undef,
  $service_domain = undef,
+  $apiserver_cluster_ip = undef,
  $dns_service_ip = undef,
  $host_labels = [],
  $k8s_cpuset = undef,