Clusteradm connectivity through alternative proxy, failing for v8.2

[CarlosSanchez01]

Proxying OCM connectivity and breaking update of clusteradm

Context

We have a use case in which OCM hub cluster cannot be accessed directly. We design a microservice that acts as a proxy to expose k8s api. This solution was working for v8.0 of clusteradm by changin the --hub-apiserver flag to direct to the exposed microservice.

The problem

We now encounter the following error when trying to run the clusteradm command:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x1f46261]
 
goroutine 1 [running]:
open-cluster-management.io/clusteradm/pkg/cmd/join/preflight.HubKubeconfigCheck.Check({0x0?})
        /home/runner/work/clusteradm/clusteradm/pkg/cmd/join/preflight/checks.go:57 +0x2c1
open-cluster-management.io/clusteradm/pkg/helpers/preflight.RunChecks({0xc0009d5a98?, 0x3, 0x0?}, {0x2c4f580, 0xc000130028})
        /home/runner/work/clusteradm/clusteradm/pkg/helpers/preflight/interface.go:35 +0x12a
open-cluster-management.io/clusteradm/pkg/cmd/join.(*Options).validate(0xc00073e580)
        /home/runner/work/clusteradm/clusteradm/pkg/cmd/join/exec.go:233 +0x128
open-cluster-management.io/clusteradm/pkg/cmd/join.NewCmd.func2(0xc000585a00?, {0xc000746c00?, 0x4?, 0x2653dd3?})
        /home/runner/work/clusteradm/clusteradm/pkg/cmd/join/cmd.go:39 +0x3f
github.com/spf13/cobra.(*Command).execute(0xc000770000, {0xc000746b80, 0x8, 0x8})
        /home/runner/work/clusteradm/clusteradm/vendor/github.com/spf13/cobra/command.go:983 +0xabc
github.com/spf13/cobra.(*Command).ExecuteC(0xc0003a8900)
        /home/runner/work/clusteradm/clusteradm/vendor/github.com/spf13/cobra/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/work/clusteradm/clusteradm/vendor/github.com/spf13/cobra/command.go:1039
main.main()
        /home/runner/work/clusteradm/clusteradm/cmd/clusteradm/clusteradm.go:128 +0xc13
make: *** [tools/makefiles/Makefile.Proxy:28: join] Error 2

Possible explanation

This seems to be an issue caused by some additional paths that do not conform with k8s.
The proxy now fails when reaching the point in which the join command makes a call to apis/cluster.open-cluster-management.io/v1?timeout=32s] which now gives an error because that endpoint does exist (I assume).

Suggestions

Maybe this is intended but we might be interested on developing this further to allow proxying the clusteradm join command.
For our intended use, clusteradm reached a breaking update. We understand this use case is quite niche but it might still be an important feature for other people.

Authors

@AllGoodNamesRTaken @CarlosSanchez01

[qiujian16]

@zhujian7 is that a bug we introduced recently?

[qiujian16]

hrm I think it is from here #411

[CarlosSanchez01]

@qiujian16 how can we correct it? I see you label it as bug, I guess it was not the intended behaviour.

[qiujian16]

Would you help to check how the proxy is set? apis/cluster.open-cluster-management.io/v1 is for the API discovery, is that not included in the proxy path?

[CarlosSanchez01]

It is included, we forward all connections right now. The problem seems to be with permissions, it is just strange that it has changed with the subversion. This is the error we get:

• forwarded call:
  https://127.0.0.1:46601/apis/cluster.open-cluster-management.io/v1?timeout=32s
• response:
  {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/apis/cluster.open-cluster-management.io/v1"","reason":"Forbidden","details":{},"code":403}