question

ESNAUDGregory-2685 avatar image
0 Votes"
ESNAUDGregory-2685 asked vipullag-MSFT answered

Bug in proxy support for arc connectedk8s command and subcommand

Hello community!

I'm reaching you to open a bug in proxy support in az connectedk8s connect command.
This is blocking us a lot.

First point:

I just discovered that arguments --proxy-http and --proxy-https are completely ignored as well as HTTP(S)_PROXY or http(s)_proxy environment variables.

  • Give an corporate infrastructure with a mandatory proxy to go on Internet resource

  • Give a GNU/Linux laptop with unsetted HTTP_PROXY, HTTPS_PROXY, http_proxy or https_proxy

  • Give the command az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name --proxy-http http://my.corporate.proxy:8080 --proxy-https http://my.corporate.proxy:8080

Here the result:
$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name --proxy-http http://my.corporate.proxy:8080 --proxy-https http://my.corporate.proxy:8080
<urllib3.connection.HTTPSConnection object at 0x7f0724c5c190>: Failed to establish a new connection: [Errno -2] Name or service not known

Now I'm setting up HTTP(S)_PROXY environment

$ export HTTP_PROXY=http://my.corporate.proxy:8080
$ export HTTS_PROXY=http://my.corporate.proxy:8080

Kubectl is able to connect, so my network is correctly setted up

$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
10.0.0.2 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.27 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.29 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.33 Ready <none> 2d v1.21.7-r0-CCE21.12.1.B004
10.0.0.47 Ready <none> 41h v1.21.7-r0-CCE21.12.1.B004

Now az-cli turn... Will it be as smart as kubectl??

$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name -n fancy-k8s-arc-name --proxy-http http://my.corporate.proxy:8080 --proxy-https http://my.corporate.proxy:8080
This operation might take a while...

Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error: HTTPSConnectionPool(host='90.84.xx.xx', port=5443): Max retries exceeded with url: /apis/networking.k8s.io/v1/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fbfe3ed4f40>: Failed to establish a new connection: [Errno 110] Connection timed out'))

Nevermind, take other chance w/o --proxy-http and --proxy-https:

$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name -n fancy-k8s-arc-name
This operation might take a while...

Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error: HTTPSConnectionPool(host='90.84.xxx.xxx', port=5443): Max retries exceeded with url: /apis/networking.k8s.io/v1/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f003bfd9f40>: Failed to establish a new connection: [Errno 110] Connection timed out'))


Here we are... az connectedk8s does not take care of proxy configuration in any manners!!
How i'm now supposed to deal with??

Second point:

Why on earth Microsoft add proxy support for az connectedk8s connect (even if not working) and not for subcommand like az connectedk8s enable-features ?????
There's no parameter for this last one for specifying proxy (https://docs.microsoft.com/fr-fr/cli/azure/connectedk8s?view=azure-cli-latest#az-connectedk8s-enable-features)

And look at the result then:

$ az connectedk8s enable-features --features custom-locations \ --custom-locations-oid ${SP_OBJECT_ID} \ -g ${RESOURCE_GROUP}\ -n ${CLUSTER_NAME} ${AZ_OUTPUT_OPTION}

WARNING: The underlying Active Directory Graph API will be replaced by Microsoft Graph API in Azure CLI 2.37.0. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli/azure/microsoft-graph-migration
This command is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
This operation might take a while...

Enabling 'custom-locations' feature will enable 'cluster-connect' feature too.
Unable to verify connectivity to the Kubernetes cluster.
Error occured while connecting to the kubernetes cluster:
Error: HTTPSConnectionPool(host='90.84.176.186', port=5443): Max retries exceeded with url: /apis/networking.k8s.io/v1/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f89c93daca0>: Failed to establish a new connection: [Errno 110] Connection timed out'))


Here we are again... even if az connectedk8s was taking care of proxy configuration, i'm now stuck with other sub-command... !!!!!
How i'm now supposed to deal with again !??

That's a shame Microsoft is not testing better its tool.......

azure-kubernetes-serviceazure-arc
· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ESNAUDGregory-2685 avatar image ESNAUDGregory-2685 ·


Other point... a big BIG shame...

I tried on network w/o proxy, but forget to unset proxy variables:

$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name
('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7ff754b231c0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
$ unset HTTPS_PROXY
$ unset HTTP_PROXY
$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name
('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7f89770160>: Failed to establish a new connection: [Errno -2] Name or service not known'))
$ unset http_proxy
$ unset https_proxy
$ az connectedk8s connect -g fancy-rg-name -n fancy-k8s-arc-name
This operation might take a while...

/opt/az/lib/python3.8/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '90.84.176.186'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings warnings.warn(

It's not using my proxy when I need, but expected it to be reachable if setted???!!! Are you kidding????

0 Votes 0 ·

1 Answer

vipullag-MSFT avatar image
0 Votes"
vipullag-MSFT answered

@ESNAUDGregory-2685

Welcome to Microsoft Q&A Platform, thanks for posting your query here.

Firstly, apologies for the delay in responding and to hear about your experience regarding this issue. I checked with internal team on this.

The arguments –proxy-https , --proxy-http are not for setting the proxy environmental variables for AZ CLI. They are for setting the env variables in the azure arc agents in your Kubernetes cluster if your cluster is behind an outbound proxy. They are not for setting the env variables on the machine where you are running the az cli (when the machine also is behind a proxy).

In this document, Under AZure CLI point #1 is for setting Azure CLI behind proxy, point #2 is for sending the proxy server details to the connect command to set those env variables on the arc agents in the cluster. (feedback has been provided to document author to add these details to the document to avoid confusion). Please check the Note section in the document as it mentions about passing –proxy-skip-range as well which you would need in case your Kubernetes cluster is behind proxy as well.

Regarding the “az connectedk8s enable-features“, same as explained above applies here. –proxy-https and –proxy-http are for the agents in the k8s cluster and not for the AZ CLI command itself. Incase your cluster is behind a proxy, you can either send the parameters while onboarding as mentioned in #2 in here.
You can also update your existing cluster by running below command:

 az connectedk8s update -g <rg> -n <clustername>  --proxy-http <url> --proxy-http <url> --proxy-skip-range <cidr range>

After this you can run the az connectedk8s enable-features to enable and disable features.

Coming to running the az cli command behind a proxy which I believe is the main error that you are facing here, for running any az cli command (for e.g az connectedk8s connect) on a machine that is behind an outbound proxy, you need to set the following variables HTTPS_PROXY, HTTP_PROXY.
Incase your proxy is doing cert authentication you can follow the steps here.

In the issue details you shared, I can see that you have set HTTS_PROXY instead of HTTPS_PROXY.

203182-image.png

Could you set the appropriate values and try the command again?
Try and let me know if you need any help on this.

Hope that helps.
Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.




image.png (9.7 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.