Configure OAuth https proxy to dial cloud endpoints directly

In the case of IBM Cloud, the identity provider is a cloud provider endpoint that should be reached directly from the management cluster and not through the data plane. This commit adds the --connect-directly-to-cloud-apis flag to the https proxy container of the oauth server pod to accomplish this.
openshift · Nov 6, 2024 · a1eea7b · a1eea7b
1 parent f42c11d
commit a1eea7b
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/control-plane-operator/controllers/hostedcontrolplane/oauth/deployment.go b/control-plane-operator/controllers/hostedcontrolplane/oauth/deployment.go
@@ -233,7 +233,7 @@ func buildOAuthContainerHTTPProxy(image string, proxyConfig *configv1.ProxySpec,
 	return func(c *corev1.Container) {
 		c.Image = image
 		c.Command = []string{"/usr/bin/control-plane-operator", "konnectivity-https-proxy"}
-		c.Args = []string{"run", fmt.Sprintf("--serving-port=%d", httpKonnectivityProxyPort)}
+		c.Args = []string{"run", fmt.Sprintf("--serving-port=%d", httpKonnectivityProxyPort), "--connect-directly-to-cloud-apis"}
 		if proxyConfig != nil {
 			c.Args = append(c.Args, "--http-proxy", proxyConfig.HTTPProxy)
 			c.Args = append(c.Args, "--https-proxy", proxyConfig.HTTPSProxy)

diff --git a/...s/hostedcontrolplane/oauth/testdata/zz_fixture_TestReconcileOauthDeploymentNoChanges.yaml b/...s/hostedcontrolplane/oauth/testdata/zz_fixture_TestReconcileOauthDeploymentNoChanges.yaml
@@ -105,6 +105,7 @@ spec:
       - args:
         - run
         - --serving-port=8092
+        - --connect-directly-to-cloud-apis
         command:
         - /usr/bin/control-plane-operator
         - konnectivity-https-proxy