Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

resolve proxy to inject using http package #6675

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

resolve proxy to inject using http package #6675

wants to merge 8 commits into from
+71 −63

Conversation

intxgo
Copy link
Contributor

@intxgo intxgo commented Jan 31, 2025
edited
Loading

What does this PR do?

Agent is injecting proxy env variables into components configs if no proxy is already specified by the config. Unfortunately with this approach the NO_PROXY variable is lost, so the target URL has to be evaluated against the environment proxy to determine if the proxy should be used. Go http provides such functionality.

Why is it important?

The environment proxy may be defined with exclusion for Fleet and Output addresses.

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Related issues

@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 31, 2025

This pull request does not have a backport label. Could you fix it @intxgo? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify mergify bot assigned intxgo Jan 31, 2025
@intxgo intxgo marked this pull request as ready for review January 31, 2025 13:35
@intxgo intxgo requested a review from a team as a code owner January 31, 2025 13:35
@cmacknz
Copy link
Member

cmacknz commented Jan 31, 2025
edited by intxgo
Loading

Looking at endpoint's Proxy.cpp I see the following suggesting this needs a change in endpoint as well. Is that correct?

    // This mimic GO implementation, though we don't support the NO_PROXY list of IP's which should
    // be accessed without proxy
    //
    // https://pkg.go.dev/golang.org/x/net/http/httpproxy

This is a separate thing. Indeed if an environment proxy is set on Endpoint, it'll skip the NO_PROXY. However, it doesn't matter for this fix since when Agent injects it's environment proxy into Endpoint config, then it takes priority at Endpoint side over environment proxy. Much like injectProxyURL here skips the environment if it already sees proxy explicitly configured.

@cmacknz cmacknz mentioned this pull request Jan 31, 2025
Open
michel-laterman
michel-laterman approved these changes Jan 31, 2025
View reviewed changes
internal/pkg/agent/application/inject_proxy_component_modifier.go
proxyURL = os.Getenv("HTTPS_PROXY")
if proxyURL == "" {
proxyURL = os.Getenv("HTTP_PROXY")
proxyURL, err := http.ProxyFromEnvironment(request)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 didn't know this existed!

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
70.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@intxgo
Copy link
Contributor Author

intxgo commented Jan 31, 2025

I probably found the culprit of the unit tests failure. The t.Setenv() function sets the actual environment variables on the executing process and clears them after test. It's documented as unsafe for parallel test execution.

Indeed, even locally when I run all tests I get the same failure. Experimenting I've found that environment proxy set in the shell before test execution is not overridden by t.Setenv(), so if I set them to values expected by my test it PASS even when invoked with all tests.

export NO_PROXY="do.not.inject.proxy.for.me"
export HTTPS_PROXY="https://localhost:8080"
export HTTP_PROXY="https://localhost:8081"

Could it be that these env variables are set on the testing nodes but with empty strings?

@cmacknz @michel-laterman do you know if we could set those env variables on the test nodes like above? If yes, how to do this?

@cmacknz
Copy link
Member

cmacknz commented Feb 3, 2025
edited
Loading

The t.SetEnv call is used elsewhere in agent without issue and used to work here without issue as well. I suspect it by itself isn't the problem, the parallel warning is just that env vars are global. This is no different that calling os.Setenv I think. This is the only test setting one of the _PROXY vars so execution should be sequential here.

Something else is the problem, I can't reproduce the failure locally, so I suspect you are onto something with the CI environment being somehow different in a way that matters. I don't see us setting any of the proxy environment variables in the buildkite jobs and I can't see it in any of the buildkite output which is curious.

Edit I can reproduce locally with: go test ./internal/pkg/agent/application/... but not if I directly run the test with go test ./internal/pkg/agent/application/... -run Test_injectProxyURL

@cmacknz
Copy link
Member

cmacknz commented Feb 3, 2025

OK so the problem isn't t.Setenv not being safe it's that the switch to http.ProxyFromEnvironment(request) I think.

It includes a do.Once to setup the proxy func and I think this only reads the env vars one time. https://cs.opensource.google/go/go/+/refs/tags/go1.23.5:src/net/http/transport.go;l=907-914

This has something to do with at which point in the tests the variables are read I think.

go test ./internal/pkg/agent/application/... -run Test_injectProxyURL passes.

go test ./internal/pkg/agent/application/... fails which is closer to what CI does.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michel-laterman michel-laterman michel-laterman approved these changes

@blakerouse blakerouse Awaiting requested review from blakerouse blakerouse is a code owner automatically assigned from elastic/elastic-agent-control-plane

@kaanyalti kaanyalti Awaiting requested review from kaanyalti kaanyalti is a code owner automatically assigned from elastic/elastic-agent-control-plane

Assignees

@intxgo intxgo

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Injected proxy variables into endpoint elasticsearch does not include NO_PROXY variable
3 participants
@intxgo @cmacknz @michel-laterman