Bug in proxy support for arc connectedk8s command and subcommand

ESNAUD Gregory 1 Reputation point
2022-05-13T10:10:27.363+00:00

Hello community!

I'm reaching out to report a bug in proxy support in the az connectedk8s connect command.
This is blocking us a lot.

#First point:
I just discovered that the arguments --proxy-http and --proxy-https are completely ignored, as well as the HTTP(S)_PROXY or http(s)_proxy environment variables.

  • Given a corporate infrastructure with a mandatory proxy to reach Internet resources
  • Given a GNU/Linux laptop with HTTP_PROXY, HTTPS_PROXY, http_proxy and https_proxy unset
  • Given the command az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name --proxy-http http://my.corporate.proxy:8080 --proxy-https http://my.corporate.proxy:8080

Here is the result:
$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name --proxy-http http://my.corporate.proxy:8080 --proxy-https http://my.corporate.proxy:8080
<urllib3.connection.HTTPSConnection object at 0x7f0724c5c190>: Failed to establish a new connection: [Errno -2] Name or service not known

####Now I'm setting up HTTP(S)_PROXY environment
$ export HTTP_PROXY=http://my.corporate.proxy:8080
$ export HTTS_PROXY=http://my.corporate.proxy:8080

####Kubectl is able to connect, so my network is correctly set up
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
10.0.0.2 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.27 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.29 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.33 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.47 Ready <none> 41h v1.21.7-r0-CCE21.12.1.B004

####Now az-cli's turn... Will it be as smart as kubectl??
$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name -n fancy-k8s-arc-name --proxy-http http://my.corporate.proxy:8080 --proxy-https http://my.corporate.proxy:8080
This operation might take a while...

Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error: HTTPSConnectionPool(host='90.84.xx.xx', port=5443): Max retries exceeded with url: /apis/networking.k8s.io/v1/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fbfe3ed4f40>: Failed to establish a new connection: [Errno 110] Connection timed out'))

####Never mind, let's take another chance w/o --proxy-http and --proxy-https:
$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name -n fancy-k8s-arc-name
This operation might take a while...

Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error: HTTPSConnectionPool(host='90.84.xxx.xxx', port=5443): Max retries exceeded with url: /apis/networking.k8s.io/v1/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f003bfd9f40>: Failed to establish a new connection: [Errno 110] Connection timed out'))

Here we are... az connectedk8s does not take care of proxy configuration in any manner!!
How am I now supposed to deal with this??

#Second point:
Why on earth did Microsoft add proxy support for az connectedk8s connect (even if not working) and not for subcommands like az connectedk8s enable-features ?????
There's no parameter for specifying a proxy for this last one (https://learn.microsoft.com/fr-fr/cli/azure/connectedk8s?view=azure-cli-latest#az-connectedk8s-enable-features)

And look at the result then:

$ az connectedk8s enable-features --features custom-locations \
    --custom-locations-oid ${SP_OBJECT_ID} \
    -g ${RESOURCE_GROUP} \
    -n ${CLUSTER_NAME} ${AZ_OUTPUT_OPTION}

WARNING: The underlying Active Directory Graph API will be replaced by Microsoft Graph API in Azure CLI 2.37.0. Please carefully review all breaking changes introduced during this migration: https://learn.microsoft.com/cli/azure/microsoft-graph-migration
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
This operation might take a while...

Enabling 'custom-locations' feature will enable 'cluster-connect' feature too.
Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error: HTTPSConnectionPool(host='90.84.176.186', port=5443): Max retries exceeded with url: /apis/networking.k8s.io/v1/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f89c93daca0>: Failed to establish a new connection: [Errno 110] Connection timed out'))

Here we are again... even if az connectedk8s was taking care of proxy configuration, I'm now stuck with another sub-command... !!!!!
How am I now supposed to deal with this again !??

It's a shame Microsoft is not testing its tool better.......


1 answer

  1. vipullag-MSFT 26,316 Reputation points
    2022-05-18T10:35:54.533+00:00

    @ESNAUD Gregory

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Firstly, apologies for the delay in responding and to hear about your experience regarding this issue. I checked with the internal team on this.

    The arguments --proxy-https, --proxy-http are not for setting the proxy environment variables for AZ CLI. They are for setting the env variables in the Azure Arc agents in your Kubernetes cluster if your cluster is behind an outbound proxy. They are not for setting the env variables on the machine where you are running the az cli (when the machine also is behind a proxy).

    In this document, under Azure CLI, point #1 is for setting Azure CLI behind a proxy, point #2 is for sending the proxy server details to the connect command to set those env variables on the arc agents in the cluster. (Feedback has been provided to the document author to add these details to the document to avoid confusion.) Please check the Note section in the document as it mentions passing --proxy-skip-range as well, which you would need in case your Kubernetes cluster is behind a proxy as well.

    Regarding the “az connectedk8s enable-features“, the same as explained above applies here. --proxy-https and --proxy-http are for the agents in the k8s cluster and not for the AZ CLI command itself. In case your cluster is behind a proxy, you can either send the parameters while onboarding as mentioned in #2 in here.
    You can also update your existing cluster by running below command:

    az connectedk8s update -g <rg> -n <clustername>  --proxy-http <url> --proxy-https <url> --proxy-skip-range <cidr range>  
    

    After this you can run the az connectedk8s enable-features to enable and disable features.

    Coming to running the az cli command behind a proxy, which I believe is the main error that you are facing here: for running any az cli command (e.g. az connectedk8s connect) on a machine that is behind an outbound proxy, you need to set the following variables: HTTPS_PROXY, HTTP_PROXY.
    In case your proxy is doing cert authentication you can follow the steps here.

    In the issue details you shared, I can see that you have set HTTS_PROXY instead of HTTPS_PROXY.


    Could you set the appropriate values and try the command again?
    Try and let me know if you need any help on this.

    Hope that helps.
    Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.

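The misspelled variable the answer points out (HTTS_PROXY exported, HTTPS_PROXY never set) can be caught before az is invoked. The following is an added example, not part of the original thread and not Azure CLI code: a POSIX shell check for misspelled or missing client-side proxy variables. The function name lint_proxy_env, the finding labels and the list of accepted variable names are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: lint proxy environment variables before running az commands.
# Assumption: this is the conventional set of client-side proxy variable names.
KNOWN_PROXY_VARS="HTTP_PROXY HTTPS_PROXY NO_PROXY ALL_PROXY http_proxy https_proxy no_proxy all_proxy"

# Reads NAME=value lines on stdin (e.g. the output of `env`), prints one
# finding per line, and returns 1 if anything was found, 0 otherwise.
lint_proxy_env() {
    seen="" findings=0
    while IFS= read -r line; do
        # Keep only NAME=value lines; skip continuation lines of multi-line values.
        case $line in [A-Za-z_]*=*) ;; *) continue ;; esac
        name=${line%%=*}
        value=${line#*=}
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        # Only variables named like a proxy setting are of interest.
        case $upper in *_PROXY) ;; *) continue ;; esac
        # A proxy-like name outside the known set is most likely a typo.
        case " $KNOWN_PROXY_VARS " in
            *" $name "*) ;;
            *) echo "UNRECOGNIZED $name"; findings=1; continue ;;
        esac
        seen="$seen $upper"
        # Proxy URLs need a scheme; NO_PROXY is a host list, so it is exempt.
        case $upper in
            NO_PROXY) ;;
            *) case $value in
                   *://*) ;;
                   *) echo "NO_SCHEME $name"; findings=1 ;;
               esac ;;
        esac
    done
    # Both schemes need a proxy unless ALL_PROXY covers them.
    for want in HTTP_PROXY HTTPS_PROXY; do
        case " $seen " in
            *" $want "* | *" ALL_PROXY "*) ;;
            *) echo "MISSING $want"; findings=1 ;;
        esac
    done
    return $findings
}

# Constructed sample: the exports shown in the question, typo included.
SAMPLE_ENV='HOME=/home/user
HTTP_PROXY=http://my.corporate.proxy:8080
HTTS_PROXY=http://my.corporate.proxy:8080'

printf '%s\n' "$SAMPLE_ENV" | lint_proxy_env || true
```

To check the live shell, run `env | lint_proxy_env` before invoking az; a non-zero exit status means at least one finding was printed.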
