Bug 2030628: [release-4.7] Respect noProxy

go.mod

@@ -17,6 +17,7 @@ require (
 	github.com/prometheus/client_golang v1.7.1
 	github.com/prometheus/client_model v0.2.0
 	github.com/spf13/cobra v1.1.1
+	golang.org/x/net v0.0.0-20210224082022-3d97a244fca7
 	golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e
 	k8s.io/api v0.20.7
 	k8s.io/apiextensions-apiserver v0.20.7

go.sum

@@ -597,6 +597,8 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 h1:OgUuv8lsRpBibGNbSizVwKWlysjaNzmC9gYMhPVfqFM=
+golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -652,6 +654,9 @@ golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

pkg/cincinnati/cincinnati.go

@@ -2,7 +2,6 @@ package cincinnati
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -12,6 +11,7 @@ import (
 
 	"github.com/blang/semver/v4"
 	"github.com/google/uuid"
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -27,13 +27,12 @@ const (
 // an upstream Cincinnati stack.
 type Client struct {
 	id        uuid.UUID
-	proxyURL  *url.URL
-	tlsConfig *tls.Config
+	transport *http.Transport
 }
 
 // NewClient creates a new Cincinnati client with the given client identifier.
-func NewClient(id uuid.UUID, proxyURL *url.URL, tlsConfig *tls.Config) Client {
-	return Client{id: id, proxyURL: proxyURL, tlsConfig: tlsConfig}
+func NewClient(id uuid.UUID, transport *http.Transport) Client {
+	return Client{id: id, transport: transport}
 }
 
 // Update is a single node from the update graph.
@@ -65,7 +64,6 @@ func (err *Error) Error() string {
 // image can be downloaded.
 func (c Client) GetUpdates(ctx context.Context, uri *url.URL, arch string, channel string, version semver.Version) (Update, []Update, error) {
 	var current Update
-	transport := http.Transport{}
 	// Prepare parametrized cincinnati query.
 	queryParams := uri.Query()
 	queryParams.Add("arch", arch)
@@ -80,15 +78,25 @@ func (c Client) GetUpdates(ctx context.Context, uri *url.URL, arch string, chann
 		return current, nil, &Error{Reason: "InvalidRequest", Message: err.Error(), cause: err}
 	}
 	req.Header.Add("Accept", GraphMediaType)
-	if c.tlsConfig != nil {
-		transport.TLSClientConfig = c.tlsConfig
+	if c.transport != nil && c.transport.TLSClientConfig != nil {
+		if c.transport.TLSClientConfig.ClientCAs == nil {
+			klog.V(5).Infof("Using a root CA pool with 0 root CA subjects to request updates from %s", uri)
+		} else {
+			klog.V(5).Infof("Using a root CA pool with %n root CA subjects to request updates from %s", len(c.transport.TLSClientConfig.RootCAs.Subjects()), uri)
+		}
 	}
 
-	if c.proxyURL != nil {
-		transport.Proxy = http.ProxyURL(c.proxyURL)
+	if c.transport != nil && c.transport.Proxy != nil {
+		proxy, err := c.transport.Proxy(req)
+		if err == nil && proxy != nil {
+			klog.V(5).Infof("Using proxy %s to request updates from %s", proxy.Host, uri)
+		}
 	}
 
-	client := http.Client{Transport: &transport}
+	client := http.Client{}
+	if c.transport != nil {
+		client.Transport = c.transport
+	}
 	timeoutCtx, cancel := context.WithTimeout(ctx, getUpdatesTimeout)
 	defer cancel()
 	resp, err := client.Do(req.WithContext(timeoutCtx))

pkg/cincinnati/cincinnati_test.go

@@ -2,7 +2,6 @@ package cincinnati
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -120,10 +119,8 @@ func TestGetUpdates(t *testing.T) {
 
 			ts := httptest.NewServer(http.HandlerFunc(handler))
 			defer ts.Close()
-			var proxyURL *url.URL
-			var tlsConfig *tls.Config
 
-			c := NewClient(clientID, proxyURL, tlsConfig)
+			c := NewClient(clientID, nil)
 
 			uri, err := url.Parse(ts.URL)
 			if err != nil {

pkg/cvo/availableupdates.go

@@ -2,8 +2,8 @@ package cvo
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
+	"net/http"
 	"net/url"
 	"runtime"
 	"sort"
@@ -43,12 +43,12 @@ func (optr *Operator) syncAvailableUpdates(ctx context.Context, config *configv1
 		return nil
 	}
 
-	proxyURL, tlsConfig, err := optr.getTransportOpts()
+	transport, err := optr.getTransport()
 	if err != nil {
 		return err
 	}
 
-	current, updates, condition := calculateAvailableUpdatesStatus(ctx, string(config.Spec.ClusterID), proxyURL, tlsConfig, upstream, arch, channel, optr.release.Version)
+	current, updates, condition := calculateAvailableUpdatesStatus(ctx, string(config.Spec.ClusterID), transport, upstream, arch, channel, optr.release.Version)
 
 	if usedDefaultUpstream {
 		upstream = ""
@@ -144,7 +144,7 @@ func (optr *Operator) getAvailableUpdates() *availableUpdates {
 	return optr.availableUpdates
 }
 
-func calculateAvailableUpdatesStatus(ctx context.Context, clusterID string, proxyURL *url.URL, tlsConfig *tls.Config, upstream, arch, channel, version string) (configv1.Release, []configv1.Release, configv1.ClusterOperatorStatusCondition) {
+func calculateAvailableUpdatesStatus(ctx context.Context, clusterID string, transport *http.Transport, upstream, arch, channel, version string) (configv1.Release, []configv1.Release, configv1.ClusterOperatorStatusCondition) {
 	var cvoCurrent configv1.Release
 	if len(upstream) == 0 {
 		return cvoCurrent, nil, configv1.ClusterOperatorStatusCondition{
@@ -199,7 +199,7 @@ func calculateAvailableUpdatesStatus(ctx context.Context, clusterID string, prox
 		}
 	}
 
-	current, updates, err := cincinnati.NewClient(uuid, proxyURL, tlsConfig).GetUpdates(ctx, upstreamURI, arch, channel, currentVersion)
+	current, updates, err := cincinnati.NewClient(uuid, transport).GetUpdates(ctx, upstreamURI, arch, channel, currentVersion)
 	if err != nil {
 		klog.V(2).Infof("Upstream server %s could not return available updates: %v", upstream, err)
 		if updateError, ok := err.(*cincinnati.Error); ok {

pkg/cvo/cvo.go

@@ -2,10 +2,8 @@ package cvo
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
 	"net/http"
-	"net/url"
 	"strconv"
 	"sync"
 	"time"
@@ -829,14 +827,10 @@ func (optr *Operator) defaultPreconditionChecks() precondition.List {
 // HTTPClient provides a method for generating an HTTP client
 // with the proxy and trust settings, if set in the cluster.
 func (optr *Operator) HTTPClient() (*http.Client, error) {
-	proxyURL, tlsConfig, err := optr.getTransportOpts()
+	transportOption, err := optr.getTransport()
 	if err != nil {
 		return nil, err
 	}
-	transportOption := &http.Transport{
-		Proxy:           http.ProxyURL(proxyURL),
-		TLSClientConfig: tlsConfig,
-	}
 	transportConfig := &transport.Config{Transport: transportOption}
 	transport, err := transport.New(transportConfig)
 	if err != nil {
@@ -846,19 +840,3 @@ func (optr *Operator) HTTPClient() (*http.Client, error) {
 		Transport: transport,
 	}, nil
 }
-
-// getTransportOpts retrieves the URL of the cluster proxy and the CA
-// trust, if they exist.
-func (optr *Operator) getTransportOpts() (*url.URL, *tls.Config, error) {
-	proxyURL, err := optr.getHTTPSProxyURL()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	var tlsConfig *tls.Config
-	tlsConfig, err = optr.getTLSConfig()
-	if err != nil {
-		return nil, nil, err
-	}
-	return proxyURL, tlsConfig, nil
-}