Merge pull request openshift#1171 from alvaroaleman/update-net

Hypershift networking: Add oauth server and detail socks5 proxy
cybertron · Jul 7, 2022 · 94e20e5 · 94e20e5
2 parents 2b7a790 + 38d68b1
commit 94e20e5
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/enhancements/hypershift/networking/networking.md b/enhancements/hypershift/networking/networking.md
@@ -8,7 +8,7 @@ authors:
   - "@alvaroaleman"
   - "@ironcladlou"
   - "@derekwaynecarr"
-  
+
 reviewers:
   - "@csrwng"
   - "@enxebre"
@@ -43,7 +43,7 @@ This proposal fleshes out the details for the current networking solution for Hy
 
 ## Motivation
 
-HyperShift differs from standalone OCP in that the components that run in the Hosted Control Plane (HCP) on the management cluster are not on the same cluster service network as the components that run on guest cluster nodes.  
+HyperShift differs from standalone OCP in that the components that run in the Hosted Control Plane (HCP) on the management cluster are not on the same cluster service network as the components that run on guest cluster nodes.
 Challenges include but not limited to:
 - KAS access to kubelets.
 - KAS access to aggregated API servers.
@@ -100,13 +100,22 @@ egressSelections:
 ```
 
 #### konnectivity-socks5-proxy
-Konnectivity, at its core, is just a socks5 proxy.
-HyperShift has [a binary](https://github.com/openshift/hypershift/tree/main/konnectivity-socks5-proxy) that can be used as a sidecar that provides the main workload to access the guest service network over as the KAS does (KAS has this proxy built in and is configured with the EgressSelectorConfiguration).
-Workload is configured to use the proxy with envvars GRPC_PROXY, HTTPS_PROXY, NO_PROXY, etc.
+
+For components that do not natively support Konnectivity, Hypershift has a [sidecar](https://github.com/openshift/hypershift/tree/main/konnectivity-socks5-proxy)
+that provides a socks5 proxy that can be used by configuring the `HTTP{,S}_PROXY` and `NO_PROXY` env vars. The sidecar
+* Authenticates to Konnectivity
+* Does DNS resolving of guest cluster services
+* Excempts cloud provider traffic from going through Konnectivity, in order to support management clusters that have a proxy setup, as the components themselves
+  already have the sidecar as target in their proxy environment variables
+
+Despite being a socks5 proxy, the sidecar only supports TCP and not UDP, as it routes over Konnectivity through http connect. It is a socks5 proxy to allow
+supporting DNS resolving, which is not supported by http connect or Konnectivity itself.
+
 Current components that use this are :
 - OLM packageserver.
 - OLM operator.
 - openshift-apiserver.
+- oauth-server
 
 ### Guest pod service access to KAS
 Pods regularly use `kubernetes.default.svc` to contact the KAS. However, the KAS does not exist on the guest pod service network.
@@ -131,15 +140,15 @@ kubernetes   172.20.0.1:6443   3h59m
        valid_lft forever preferred_lft forever
     inet 172.20.0.1/32 brd 172.20.0.1 scope host lo
        valid_lft forever preferred_lft forever
-    inet6 ::1/128 scope host 
+    inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
 
 ```
 
 #### haproxy daemonset for proxying traffic to KAS
 
 ```shell
-# cat haproxy.cfg 
+# cat haproxy.cfg
 global
 ...
 
@@ -260,4 +269,4 @@ TODO (flesh out).
 ### Graduation Criteria
 
 ## Implementation History
-The initial version of this doc represents implementation as delivered via MCE tech preview.
+The initial version of this doc represents implementation as delivered via MCE tech preview.