Bug 1752725: Log into kibana console get 504 Gateway Time-out The server didn't respond in time. when http_proxy enabled

hack/common

@@ -189,6 +189,48 @@ function push_image() {
     skopeo copy --dest-tls-verify=false docker-daemon:"$1" docker://"$2"
 }
 
+# debug_print [max_count [interval]]
+# Example usage in hack/testing/test-*.sh
+#    debug_print &
+#    TEST_NAMESPACE=${NAMESPACE} go test ./test/e2e/ \
+#      -root=$(pwd) \
+#      -kubeconfig=${KUBECONFIG} \
+#      -globalMan ${global_manifest} \
+#      -namespacedMan ${manifest} \
+#      -v \
+#      -parallel=1 \
+#      -singleNamespace | tee -a $ARTIFACT_DIR/test.log
+#
+function debug_print() {
+  local filename=$(basename "$0")
+  local max=${1:-120}
+  local interval=${2:-10}
+  while [ $max -gt 0 ];
+  do
+    clo=$( oc -n ${NAMESPACE} get pods -l name=cluster-logging-operator -o jsonpath='{.items[0].metadata.name}' )
+    if [ -n "$clo" ]; then
+        date >> $ARTIFACT_DIR/$filename.clo.log || :
+        oc -n ${NAMESPACE} logs $clo >> $ARTIFACT_DIR/$filename.clo.log || :
+        echo "-------------------------------------------------" >> $ARTIFACT_DIR/$filename.clo.log || :
+        date >> $ARTIFACT_DIR/$filename.clo.images || :
+        oc -n ${NAMESPACE} exec $clo -- env | egrep _IMAGE >> $ARTIFACT_DIR/$filename.clo.images || :
+        echo "-------------------------------------------------" >> $ARTIFACT_DIR/$filename.clo.images || :
+    else
+        date >> $ARTIFACT_DIR/$filename.noclo.log || :
+        oc -n ${NAMESPACE} get deployments >> $ARTIFACT_DIR/$filename.noclo.log || :
+        echo "-------------------------------------------------" >> $ARTIFACT_DIR/$filename.noclo.log || :
+    fi
+    date >> $ARTIFACT_DIR/$filename.events.log || :
+    oc -n ${NAMESPACE} get events >> $ARTIFACT_DIR/$filename.events.log || :
+    echo "-------------------------------------------------" >> $ARTIFACT_DIR/$filename.events.log || :
+    date >> $ARTIFACT_DIR/$filename.all.log || :
+    oc -n ${NAMESPACE} get all >> $ARTIFACT_DIR/$filename.all.log || :
+    echo "-------------------------------------------------" >> $ARTIFACT_DIR/$filename.all.log || :
+    sleep $interval
+    max=$( expr $max - 1 ) || :
+  done
+}
+
 if [ $REMOTE_REGISTRY = false ] ; then
     : # skip
 else

manifests/4.3/cluster-logging.v4.3.0.clusterserviceversion.yaml

@@ -25,7 +25,7 @@ metadata:
             "metadata": {
               "name": "instance",
               "namespace": "openshift-logging"
-              },
+            },
             "spec": {
               "managementState": "Managed",
               "logStore": {
@@ -36,8 +36,8 @@ metadata:
                   "storage": {
                     "storageClassName": "gp2",
                     "size": "200G"
-                    }
                   }
+                }
               },
               "visualization": {
                 "type": "kibana",

pkg/constants/constants.go

@@ -0,0 +1,21 @@
+package constants
+
+const (
+	SingletonName = "instance"
+	OpenshiftNS   = "openshift-logging"
+	// global proxy / trusted ca bundle consts
+	ProxyName                  = "cluster"
+	TrustedCABundleKey         = "ca-bundle.crt"
+	InjectTrustedCABundleLabel = "config.openshift.io/inject-trusted-cabundle"
+	TrustedCABundleMountFile   = "tls-ca-bundle.pem"
+	TrustedCABundleMountDir    = "/etc/pki/ca-trust/extracted/pem/"
+	TrustedCABundleHashName    = "logging.openshift.io/hash"
+	FluentdTrustedCAName       = "fluentd-trusted-ca-bundle"
+	KibanaTrustedCAName        = "kibana-trusted-ca-bundle"
+	// internal elasticsearch FQDN to prevent to connect to the global proxy
+	ElasticsearchFQDN = "elasticsearch.openshift-logging.svc.cluster.local"
+	ElasticsearchPort = "9200"
+	LogStoreService   = ElasticsearchFQDN + ":" + ElasticsearchPort
+)
+
+var ReconcileForGlobalProxyList = []string{FluentdTrustedCAName, KibanaTrustedCAName}

pkg/controller/add_controllers.go

@@ -4,9 +4,10 @@ import (
 	"github.com/openshift/cluster-logging-operator/pkg/controller/clusterlogging"
 	"github.com/openshift/cluster-logging-operator/pkg/controller/collector"
 	"github.com/openshift/cluster-logging-operator/pkg/controller/forwarding"
+	"github.com/openshift/cluster-logging-operator/pkg/controller/proxyconfig"
 )
 
 func init() {
 	// AddToManagerFuncs is a list of functions to create controllers and add them to a manager.
-	AddToManagerFuncs = append(AddToManagerFuncs, clusterlogging.Add, forwarding.Add, collector.Add)
+	AddToManagerFuncs = append(AddToManagerFuncs, clusterlogging.Add, forwarding.Add, collector.Add, proxyconfig.Add)
 }

pkg/controller/clusterlogging/clusterlogging_controller.go

@@ -6,7 +6,9 @@ import (
 
 	loggingv1 "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1"
 	logforwarding "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1alpha1"
+	"github.com/openshift/cluster-logging-operator/pkg/constants"
 	"github.com/openshift/cluster-logging-operator/pkg/k8shandler"
+	"github.com/sirupsen/logrus"
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -23,9 +25,7 @@ import (
 var log = logf.Log.WithName("controller_clusterlogging")
 
 const (
-	singletonName    = "instance"
 	singletonMessage = "ClusterLogging is a singleton. Only an instance named 'instance' is allowed"
-	openshiftNS      = "openshift-logging"
 )
 
 // Add creates a new ClusterLogging Controller and adds it to the Manager. The Manager will set fields on the Controller
@@ -76,6 +76,11 @@ var (
 // The Controller will requeue the Request to be processed again if the returned error is non-nil or
 // Result.Requeue is true, otherwise upon completion it will remove the work from the queue.
 func (r *ReconcileClusterLogging) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	if request.Name != constants.SingletonName {
+		// TODO: update status
+		return reconcile.Result{}, nil
+	}
+	logrus.Debugf("Clusterlogging reconcile request.Name: '%s'", request.Name)
 	// Fetch the ClusterLogging instance
 	instance := &loggingv1.ClusterLogging{}
 	err := r.client.Get(context.TODO(), request.NamespacedName, instance)
@@ -90,18 +95,12 @@ func (r *ReconcileClusterLogging) Reconcile(request reconcile.Request) (reconcil
 		return reconcile.Result{}, err
 	}
 
-	if instance.Name != singletonName {
-		// TODO: update status
-
-		return reconcile.Result{}, nil
-	}
-
 	if instance.Spec.ManagementState == loggingv1.ManagementStateUnmanaged {
 		return reconcile.Result{}, nil
 	}
 
 	forwardinginstance := &logforwarding.LogForwarding{}
-	fiName := types.NamespacedName{Name: singletonName, Namespace: openshiftNS}
+	fiName := types.NamespacedName{Name: constants.SingletonName, Namespace: constants.OpenshiftNS}
 	err = r.client.Get(context.TODO(), fiName, forwardinginstance)
 	if err != nil && !errors.IsNotFound(err) {
 		// Request object not found, could have been deleted after reconcile request.

pkg/controller/collector/collector_controller.go

@@ -6,6 +6,7 @@ import (
 
 	loggingv1 "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1"
 	collector "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1alpha1"
+	"github.com/openshift/cluster-logging-operator/pkg/constants"
 	"github.com/openshift/cluster-logging-operator/pkg/k8shandler"
 	"github.com/openshift/cluster-logging-operator/pkg/logger"
 	"github.com/openshift/cluster-logging-operator/pkg/utils"
@@ -25,10 +26,7 @@ import (
 var log = logf.Log.WithName("controller_collector")
 
 const (
-	singletonName    = "instance"
-	singletonMessage = "Collector is a singleton. Only an instance named 'instance' is allowed"
-	openshiftNS      = "openshift-logging"
-
+	singletonMessage   = "Collector is a singleton. Only an instance named 'instance' is allowed"
 	promtailAnnotation = "clusterlogging.openshift.io/promtaildevpreview"
 )
 
@@ -101,10 +99,10 @@ func (r *ReconcileCollector) Reconcile(request reconcile.Request) (reconcile.Res
 
 	//check for instancename and then update status
 	var reconcileErr error = nil
-	if instance.Name == singletonName && value == "enabled" {
+	if instance.Name == constants.SingletonName && value == "enabled" {
 
 		clInstance := &loggingv1.ClusterLogging{}
-		clName := types.NamespacedName{Name: singletonName, Namespace: openshiftNS}
+		clName := types.NamespacedName{Name: constants.SingletonName, Namespace: constants.OpenshiftNS}
 		err = r.client.Get(context.TODO(), clName, clInstance)
 		if err != nil && !errors.IsNotFound(err) {
 			// Request object not found, could have been deleted after reconcile request.

pkg/controller/forwarding/forwarding_controller.go

@@ -6,6 +6,7 @@ import (
 
 	loggingv1 "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1"
 	logforwarding "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1alpha1"
+	"github.com/openshift/cluster-logging-operator/pkg/constants"
 	"github.com/openshift/cluster-logging-operator/pkg/k8shandler"
 	"github.com/openshift/cluster-logging-operator/pkg/logger"
 
@@ -24,9 +25,7 @@ import (
 var log = logf.Log.WithName("controller_forwarding")
 
 const (
-	singletonName    = "instance"
 	singletonMessage = "LogForwarding is a singleton. Only an instance named 'instance' is allowed"
-	openshiftNS      = "openshift-logging"
 )
 
 // Add creates a new Controller and adds it to the Manager. The Manager will set fields on the Controller
@@ -97,14 +96,14 @@ func (r *ReconcileForwarding) Reconcile(request reconcile.Request) (reconcile.Re
 
 	//check for instancename and then update status
 	var reconcileErr error = nil
-	if instance.Name != singletonName {
+	if instance.Name != constants.SingletonName {
 		instance.Status = logforwarding.NewForwardingStatus(logforwarding.LogForwardingStateRejected, logforwarding.LogForwardingReasonName, singletonMessage)
 	} else {
 		instance.Status = logforwarding.NewForwardingStatus(logforwarding.LogForwardingStateAccepted, logforwarding.LogForwardingReasonName, "")
 
 		logger.Debug("logforwarding-controller fetching ClusterLogging instance...")
 		clInstance := &loggingv1.ClusterLogging{}
-		clName := types.NamespacedName{Name: singletonName, Namespace: openshiftNS}
+		clName := types.NamespacedName{Name: constants.SingletonName, Namespace: constants.OpenshiftNS}
 		err = r.client.Get(context.TODO(), clName, clInstance)
 		if err != nil && !errors.IsNotFound(err) {
 			// Request object not found, could have been deleted after reconcile request.

pkg/controller/proxyconfig/proxyconfig_controller.go

@@ -0,0 +1,156 @@
+package proxyconfig
+
+import (
+	"context"
+	"time"
+
+	configv1 "github.com/openshift/api/config/v1"
+	loggingv1 "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1"
+	logforwarding "github.com/openshift/cluster-logging-operator/pkg/apis/logging/v1alpha1"
+	"github.com/openshift/cluster-logging-operator/pkg/constants"
+	"github.com/openshift/cluster-logging-operator/pkg/k8shandler"
+	"github.com/openshift/cluster-logging-operator/pkg/utils"
+	"github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+)
+
+var (
+	log             = logf.Log.WithName("controller_proxyconfig")
+	reconcilePeriod = 30 * time.Second
+	reconcileResult = reconcile.Result{RequeueAfter: reconcilePeriod}
+)
+
+// Add creates a new ClusterLogging Controller and adds it to the Manager. The Manager will set fields on the Controller
+// and Start it when the Manager is Started.
+func Add(mgr manager.Manager) error {
+	return add(mgr, newReconciler(mgr))
+}
+
+// newReconciler returns a new reconcile.Reconciler
+func newReconciler(mgr manager.Manager) reconcile.Reconciler {
+	if err := configv1.Install(mgr.GetScheme()); err != nil {
+		return &ReconcileProxyConfig{}
+	}
+
+	return &ReconcileProxyConfig{client: mgr.GetClient(), scheme: mgr.GetScheme()}
+}
+
+// add adds a new Controller to mgr with r as the reconcile.Reconciler
+func add(mgr manager.Manager, r reconcile.Reconciler) error {
+	// Create a new controller
+	c, err := controller.New("proxyconfig-controller", mgr, controller.Options{Reconciler: r})
+	if err != nil {
+		return err
+	}
+
+	// Watch for changes to the additional trust bundle configmap in "openshift-logging".
+	pred := predicate.Funcs{
+		UpdateFunc:  func(e event.UpdateEvent) bool { return handleConfigMap(e.MetaNew) },
+		DeleteFunc:  func(e event.DeleteEvent) bool { return handleConfigMap(e.Meta) },
+		CreateFunc:  func(e event.CreateEvent) bool { return handleConfigMap(e.Meta) },
+		GenericFunc: func(e event.GenericEvent) bool { return handleConfigMap(e.Meta) },
+	}
+	if err = c.Watch(&source.Kind{Type: &corev1.ConfigMap{}}, &handler.EnqueueRequestForObject{}, pred); err != nil {
+		return err
+	}
+
+	// Watch for changes to the proxy resource.
+	if err = c.Watch(&source.Kind{Type: &configv1.Proxy{}}, &handler.EnqueueRequestForObject{}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+var _ reconcile.Reconciler = &ReconcileProxyConfig{}
+
+// ReconcileProxyConfig reconciles a ClusterLogging object
+type ReconcileProxyConfig struct {
+	// This client, initialized using mgr.Client() above, is a split client
+	// that reads objects from the cache and writes to the apiserver
+	client client.Client
+	scheme *runtime.Scheme
+}
+
+// Reconcile reads that state of the cluster for a cluster-scoped named "cluster" as well as
+// trusted CA bundle configmap objects for the collector and the visualization resources.
+// When the user configured and/or system certs are updated, the change is propagated to the
+// configmap objects and this reconciler triggers to restart those pods.
+func (r *ReconcileProxyConfig) Reconcile(request reconcile.Request) (reconcile.Result, error) {
+	loggingNamespacedName := types.NamespacedName{Name: constants.SingletonName, Namespace: constants.OpenshiftNS}
+	proxyNamespacedName := types.NamespacedName{Name: constants.ProxyName}
+	var proxyConfig *configv1.Proxy = nil
+	var trustBundle *corev1.ConfigMap = nil
+	if request.NamespacedName == proxyNamespacedName {
+		proxyConfig = &configv1.Proxy{}
+		if err := r.client.Get(context.TODO(), request.NamespacedName, proxyConfig); err != nil {
+			if apierrors.IsNotFound(err) {
+				// Request object not found, could have been deleted after reconcile request.
+				// Return and don't requeue
+				return reconcile.Result{}, nil
+			}
+			// Error reading the object - just return without requeuing.
+			return reconcile.Result{}, err
+		}
+	} else if utils.ContainsString(constants.ReconcileForGlobalProxyList, request.Name) {
+		trustBundle = &corev1.ConfigMap{}
+		logrus.Debugf("Trust bundle configmap reconcile request.Namespace/request.Name: '%s/%s'", request.Namespace, request.Name)
+		if err := r.client.Get(context.TODO(), loggingNamespacedName, trustBundle); err != nil {
+			if !apierrors.IsNotFound(err) {
+				// Error reading the object - just return without requeuing.
+				return reconcile.Result{}, err
+			}
+		}
+	} else {
+		return reconcile.Result{}, nil
+	}
+
+	// Fetch the ClusterLogging instance
+	instance := &loggingv1.ClusterLogging{}
+	if err := r.client.Get(context.TODO(), loggingNamespacedName, instance); err != nil {
+		if apierrors.IsNotFound(err) {
+			// Request object not found, could have been deleted after reconcile request.
+			// Owned objects are automatically garbage collected. For additional cleanup logic use finalizers.
+			// Return and don't requeue
+			return reconcile.Result{}, nil
+		}
+		// Error reading the object - just return without requeuing.
+		return reconcile.Result{}, err
+	}
+
+	if instance.Spec.ManagementState == loggingv1.ManagementStateUnmanaged {
+		return reconcile.Result{}, nil
+	}
+
+	forwardinginstance := &logforwarding.LogForwarding{}
+	err := r.client.Get(context.TODO(), loggingNamespacedName, forwardinginstance)
+	if err != nil && !apierrors.IsNotFound(err) {
+		// Error reading the object - just return without requeuing.
+		return reconcile.Result{}, err
+	}
+
+	if err := k8shandler.ReconcileForGlobalProxy(instance, forwardinginstance, proxyConfig, trustBundle, r.client); err != nil {
+		// Failed to reconcile - requeuing.
+		return reconcileResult, err
+	}
+
+	return reconcile.Result{}, nil
+}
+
+// handleConfigMap returns true if meta namespace is "openshift-logging".
+func handleConfigMap(meta metav1.Object) bool {
+	return meta.GetNamespace() == constants.OpenshiftNS && utils.ContainsString(constants.ReconcileForGlobalProxyList, meta.GetName())
+}