Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP proxy support #125

Closed
cbartz opened this issue Apr 16, 2024 · 9 comments
Closed

HTTP proxy support #125

cbartz opened this issue Apr 16, 2024 · 9 comments
Labels
enhancement New feature or request

Comments

@cbartz
Copy link

cbartz commented Apr 16, 2024

Describe the bug

The charm does not respect the juju http proxy variables when making requests to lets encrypt.

To Reproduce

We assume an environment where http requests have to go through a proxy and are otherwise blocked by the firewall.

  1. Set juju model-config juju-http-proxy="http-proxy-address"
  2. Integrate charm application via tls-certificate integration (e.g. with an nginx-ingress-integrator application)
  3. Observe in the juju debug-logs that the request to https://acme-v02.api.letsencrypt.org/directory times out.

Expected behavior

The lego request uses the http proxy, so either the request succeeds or the proxy returns a 403 forbidden.

It seems that LEGO supports http proxy via env variables (go-acme/lego#840).

Logs

unit-httprequest-lego-k8s-0: 09:51:43 INFO unit.httprequest-lego-k8s/0.juju-log Received Certificate Creation Request for domain example.com
unit-httprequest-lego-k8s-0: 09:52:13 ERROR unit.httprequest-lego-k8s/0.juju-log Exited with code 1. Stderr:
unit-httprequest-lego-k8s-0: 09:52:13 ERROR unit.httprequest-lego-k8s/0.juju-log     2024/04/16 09:52:13 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: i/o timeout
unit-httprequest-lego-k8s-0: 09:52:13 ERROR unit.httprequest-lego-k8s/0.juju-log Failed to execute lego command                 will try again in during the next update status event.

Environment

  • Charm / library version (if relevant):
  • Juju version (output from juju --version):
Model                             Controller         Cloud/Region             Version  SLA          Timestamp
github-runner-webhook-router      k8s                k8s/default              3.1.8    unsupported  09:56:50Z

App                           Version  Status  Scale  Charm                         Channel  Rev  Address       Exposed  Message
github-runner-webhook-router           active      1  github-runner-webhook-router  edge       3  10.0.5.1  no       
httprequest-lego-k8s                   active      1  httprequest-lego-k8s          edge      70  10.0.5.2  no       
nginx-ingress-integrator      24.2.0   active      1  nginx-ingress-integrator      edge      84  10.0.5.3  no       Ingress IP(s): 10.100.0.135
  • Kubernetes version (output from kubectl version --short):
Client Version: v1.29.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.26.15
@cbartz cbartz added the bug Something isn't working label Apr 16, 2024
@gruyaume gruyaume added enhancement New feature or request and removed bug Something isn't working labels Apr 17, 2024
@gruyaume
Copy link
Contributor

Hello @cbartz, thank you for opening this issue. You are correct that httprequest does not read or do anything with this juju level config. We will have to investigate the value and effort related to implementing this feature. Is this something that is needed for an existing use case?

@cbartz
Copy link
Author

cbartz commented Apr 22, 2024

Hi @gruyaume, this is required for deployment in an infrastructure with limited access to the outside world (hence proxy access required) See also this discourse post.

@mcarvalhor
Copy link
Member

It would be better to have a charm config for proxy instead of using juju model-config

@shipperizer
Copy link

allegedly go supports the HTTP_PROXY variables from the environment when using the http.Client, worth giving it a shot when setting the pebble layer

effort should be small in this case @gruyaume

@mthaddon
Copy link
Contributor

It would be better to have a charm config for proxy instead of using juju model-config

I'm not sure I agree that this should be separate charm configuration. In the IS DevOps team we've certainly been working on the understanding that if a charm needs to support a proxy the right way for us to do that is to use model-config proxy variables. This way it's consistent across every charm rather than being done differently in different places.

@gruyaume
Copy link
Contributor

@mthaddon do you have example of charms who handle this in the way you recommend?

@mcarvalhor
Copy link
Member

@mthaddon Makes sense.

I was thinking of the scenario: 1 application needs proxy, other should not use proxy (on the same model).
But I think that's why we have no-proxy anyway: we just have to document it properly.

@cbartz
Copy link
Author

cbartz commented Jun 21, 2024

@mthaddon do you have example of charms who handle this in the way you recommend?

@gruyaume

For example:

And probably more...

@gruyaume gruyaume mentioned this issue Jun 25, 2024
Closed
@saltiyazan
Copy link
Contributor

saltiyazan commented Jun 28, 2024
edited
Loading

Fixed by canonical/lego-base-k8s-operator#143 and #178

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mcarvalhor @shipperizer @mthaddon @cbartz @gruyaume @saltiyazan