InPlace Upgrade does not honor proxy settings.

[wouterhummelink]

Tested with OKD 4.17.0-okd-scos.1, OKD 4.18.0-scos.1 using quay.io/hypershift/hypershift-operator:latest.

I'm running an agent based cluster which is behind a forward proxy. Everything that should is picking up the proxy spec except for nodePool updates.

I've confirmed there is no code path here that could inject proxy settings in the machine-config-daemon pods
in control-plane-operator/hostedclusterconfigoperator/controllers/inplaceupgrader/inplaceupgrader.go

apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  annotations:
    hypershift.openshift.io/HasBeenAvailable: "true"
    meta.helm.sh/release-name: test
    meta.helm.sh/release-namespace: hostedcluster
  creationTimestamp: "2025-04-03T09:18:15Z"
  finalizers:
  - hypershift.openshift.io/finalizer
  generation: 5
  labels:
    app.kubernetes.io/managed-by: Helm
  name: test
  namespace: hostedcluster
  resourceVersion: "445437112"
  uid: 99270ad2-8520-4733-a730-6eba93d449d3
spec:
  autoscaling: {}
  capabilities: {}
  channel: stable-4
  clusterID: c8542d02-0b2b-44c2-b9e4-787cf7213ea7
  configuration:
    ingress:
      domain: apps.test.dev.okd4.example.com
      loadBalancer:
        platform:
          type: ""
    oauth:
      identityProviders:
      - mappingMethod: claim
        name: openid
        openID:
          ca:
            name: example-intermediate-test
          claims:
            email:
            - email
            groups:
            - groups
            name:
            - full name
            - name
            preferredUsername:
            - preferred_username
          clientID: okd4-hosted-test
          clientSecret:
            name: openid-client-secret
          issuer: https://keycloak/realms/openshift
        type: OpenID
      templates:
        error:
          name: ""
        login:
          name: ""
        providerSelection:
          name: ""
      tokenConfig: {}
    operatorhub:
      disableAllDefaultSources: true
    proxy:
      httpProxy: http://proxy.stratus.privatcloud.io:3128
      httpsProxy: http://proxy.stratus.privatcloud.io:3128
      noProxy: .example.com,api.test.dev.okd4.example.com
      trustedCA:
        name: ""
  controllerAvailabilityPolicy: SingleReplica
  dns:
    baseDomain: dev.okd4.stratus.privatcloud.io
  etcd:
    managed:
      storage:
        persistentVolume:
          size: 8Gi
        type: PersistentVolume
    managementType: Managed
  fips: false
  infraID: test-8wkjd
  infrastructureAvailabilityPolicy: SingleReplica
  issuerURL: https://kubernetes.default.svc
  networking:
    clusterNetwork:
    - cidr: 10.132.0.0/14
      hostPrefix: 22
    networkType: OVNKubernetes
    serviceNetwork:
    - cidr: 172.31.0.0/16
  olmCatalogPlacement: management
  platform:
    agent:
      agentNamespace: hostedcluster
    type: Agent
  pullSecret:
    name: test-pull-secret
  release:
    image: registry.ci.openshift.org/origin/release-scos@sha256:d74ade7b8c381ef12bf9a77291f4f864e4c282df35d5299419efbee5cc6ead8b
  secretEncryption:
    aescbc:
      activeKey:
        name: test-etcd-encryption-key
    type: aescbc
  services:
  - service: APIServer
    servicePublishingStrategy:
      loadBalancer:
        hostname: api.test.dev.okd4.stratus.privatcloud.io
      type: LoadBalancer
  - service: Ignition
    servicePublishingStrategy:
      type: Route
  - service: Konnectivity
    servicePublishingStrategy:
      type: Route
  - service: OAuthServer
    servicePublishingStrategy:
      type: Route
  - service: OIDC
    servicePublishingStrategy:
      type: Route
  sshKey:
    name: test-ssh-authorized-key
  tolerations:
  - effect: NoSchedule
    key: openshift-infra
    operator: Exists
  - effect: NoSchedule
    key: node-role.kubernetes.io/infra
    operator: Exists
  updateService: https://amd64.origin.releases.ci.openshift.org/graph

apiVersion: hypershift.openshift.io/v1beta1
kind: NodePool
metadata:
  annotations:
    hypershift.openshift.io/nodePoolCurrentConfig: 4cb3f149
    hypershift.openshift.io/nodePoolCurrentConfigVersion: 0ed5a818
    hypershift.openshift.io/nodePoolPlatformMachineTemplate: test-f81a1ca5
    meta.helm.sh/release-name: test
    meta.helm.sh/release-namespace: hostedcluster
  creationTimestamp: "2025-04-03T09:18:15Z"
  finalizers:
  - hypershift.openshift.io/finalizer
  generation: 5
  labels:
    app.kubernetes.io/managed-by: Helm
  name: test
  namespace: hostedcluster
  ownerReferences:
  - apiVersion: hypershift.openshift.io/v1beta1
    kind: HostedCluster
    name: test
    uid: 99270ad2-8520-4733-a730-6eba93d449d3

spec:
  arch: amd64
  clusterName: test
  config:
  - name: 99-worker-chrony
  management:
    autoRepair: false
    inPlace:
      maxUnavailable: 1
    replace:
      rollingUpdate:
        maxSurge: 1
        maxUnavailable: 0
      strategy: RollingUpdate
    upgradeType: InPlace
  nodeLabels:
    node-role.kubernetes.io/app: ""
  platform:
    agent:
      agentLabelSelector:
        matchLabels:
          infraenvs.agent-install.openshift.io: test
    type: Agent
  release:
    image: registry.ci.openshift.org/origin/release-scos@sha256:d74ade7b8c381ef12bf9a77291f4f864e4c282df35d5299419efbee5cc6ead8b
  replicas: 2

[DouglasJR1]

Hello @wouterhummelink,

I understand that a proxy is mandatory in your infrastructure environment. Does your hosted cluster work on OKD 4.18 on the Agent Platform, even without a worker node pool? (I’m referring to at least the hosted control-plane components: etcd, API server, kube-scheduler, etc.)

I attempted to install it on OKD 4.18 (4.18.0-okd-scos.10) with the Stolostron Operator (v0.6.3) without a proxy, but ran into a few issues. Initially, for the HostedControlPlane I saw this result:

Then, for the hosted cluster, I encountered further errors because the Assisted Service installer references an incorrect RHCOS ISO image(I’m seeing the same error mentioned here: openshift/assisted-image-service#367).
How do you handle the iso part for the worker nodes using the assisted service installer ?

For context, I’m not using the official pull secret. Are you using an official pull secret?

Thank you.

Regards,

[wouterhummelink]

Hello @wouterhummelink,

I understand that a proxy is mandatory in your infrastructure environment. Does your hosted cluster work on OKD 4.18 on the Agent Platform, even without a worker node pool? (I’m referring to at least the hosted control-plane components: etcd, API server, kube-scheduler, etc.)

I attempted to install it on OKD 4.18 (4.18.0-okd-scos.10) with the Stolostron Operator (v0.6.3) without a proxy, but ran into a few issues. Initially, for the HostedControlPlane I saw this result:

Then, for the hosted cluster, I encountered further errors because the Assisted Service installer references an incorrect RHCOS ISO image(I’m seeing the same error mentioned here: openshift/assisted-image-service#367). How do you handle the iso part for the worker nodes using the assisted service installer ?

For context, I’m not using the official pull secret. Are you using an official pull secret?

Thank you.

Regards,

These cluster operators cannot become fully healthy without worker nodes, since the pods for them run on workers. I used a suitable FCOS image to configure the assisted service.
This is my os image config

[
{"cpu_architecture":"x86_64",
"openshift_version":"4.18",
"url":"https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/39.20231101.3.0/x86_64/fedora-coreos-39.20231101.3.0-live.x86_64.iso",
"version":"4.18.0-okd-scos.5"}
]

[DouglasJR1]

Hello,

Thank you, @wouterhummelink. I noticed that the OS image configuration you referenced can be set in the AgentServiceConfig custom resource.

Regards,

[tkagn]

Set in AgentServiceConfig

• spec.OSImageCACertRef
• spec.osImages.url