jib icon indicating copy to clipboard operation
jib copied to clipboard

Published 20 hours ago verified publisher icon GoogleContainerTools

Corporate proxy not well supported

Open rmannibucau opened this issue 3 years ago • 8 comments

Environment:

  • Jib version: last maven plugin
  • Build tool: maven
  • OS: redhat 8

Description of the issue: The corporate proxy (http://user:password@host:port) is not well supported.

Expected behavior: docker.io images can be pulled thanks the proxy.

Notes

  • https://github.com/GoogleContainerTools/jib/blob/5e9a65f48a1631f32afbbe1bf5b574f38bb52d9c/jib-maven-plugin/src/main/java/com/google/cloud/tools/jib/maven/MavenSettingsProxyProvider.java#L90 references proxyUser/proxyPassword but it is not a JVM configuration whcih is supported so it does pretty much nothing.
  • I didn't find how to force to use the proxy over http for https protocol in jib
  • using maven proxies should be sufficient and is likely desired for maven integration (note that maven wagon - dependencies/plugins download - falls back on http proxy when the url is in https protocol properly which enables the previous use case to work transparently)

rmannibucau avatar Sep 27 '22 09:09 rmannibucau

@rmannibucau Jib supports proxy settings through both jvm system properties and the maven settings.xml. However the jvm configurations will take precedence over the maven settings. If you are still having issues after the links attached, could you provide a small example? We're also happy to accept any documentation contributions if the suggested docs are not clear.

mpeddada1 avatar Oct 03 '22 16:10 mpeddada1

Hi @mpeddada1 , the jvm settings partly work - only in non concurrent builds since it sets/reset system props which is more a workaround cause it can break other parts of the build in a concurrent setup. The maven settings does not work properly. This issue is about ensure proxy setting is either properly read from settings.xml or the registry (like credentials which can be set next to from/to config.

As a workaround I disabled the concurrency in the build and split the proxy setup(s) but it is not consistent with maven config to have to not use maven build feature and to set the conf on the jvm. I didnt check all details, just spotted a http client uses system config so can be the issue I hit.

If it helps the proxy I have is a http one with user/password and it is used for https connection (in http).

My proposal is to not use a http client with system setup but explicitly resolve it from the config programmatically - can use the system props but should never set any system props at runtime.

Hope it helps.

rmannibucau avatar Oct 03 '22 16:10 rmannibucau

Hi @rmannibucau, could you create a PR for your proposal? We welcome external contribution for this issue.

JoeWang1127 avatar Oct 06 '22 17:10 JoeWang1127

I sadly don't have enough time to rewire it in FailoverHttpClient static factories of apache http clients (they use the default route planner which uses system props only) but form what I looked, it seems a custom (backend by actual maven proxies) java.net.ProxySelector can be implemented and passed from Mojos to FailoverHttpClient constructor (some tests to fix but nothing critical on main codebase) instead of setting any system properties, and similarly both http clients can get a custom CredentialsProvider backed by the maven configuration. I assume defaults would reuse the JVM setup and if set just delegate to it but if not set it will use the maven config.

This way system properties will not be needed anywhere anymore but if set it still works and there is no more any issues.

Hope it helps a bit even if I would have preferred write some more code.

rmannibucau avatar Oct 08 '22 19:10 rmannibucau

Just FYI for the team:

  • references proxyUser/proxyPassword but it is not a JVM configuration whcih is supported so it does pretty much nothing.

This is working properly. It is true that http(s).proxyUser and http(s).proxyPassword are not one of the standard JVM system properties for proxies, but initially we manually wired these custom properties for our usage so that users can provide and set up proxy credentials. (Later, we removed the manual wiring after upgrading to Apache Http Client v2 which natively supports these custom properties.)

I didn't find how to force to use the proxy over http for https protocol in jib

If it helps the proxy I have is a http one with user/password and it is used for https connection (in http).

AFAIK, this (i.e., proxying HTTPS connection over HTTP-to-proxy that is password-protected) is a typical proxy setup. This should be working properly in Jib.

Reading proxy configurations from Maven settings.xml is also working as said in https://github.com/GoogleContainerTools/jib/issues/3796#issuecomment-1265737730, but I believe the problem is that you cannot configure proxies per registry. However, looks like I made a conclusion back then that even in Maven, it's not possible to specify per-host proxies (although my memory is hazy):

It doesn't seem possible to specify per-host proxies in Maven settings (or through http.proxyHost and https.proxyHost, so I think it doesn't really make much sense to add support for such advanced proxy configuration in Jib for now, if ever.

But I think this should be good enough in most cases. Normally, your will have a single proxy set up in your corporate, which will proxy all connections from your machine. I would think that having multiple proxies for different target hosts would be pretty rare.

chanseokoh avatar Oct 08 '22 23:10 chanseokoh

@chanseokoh i have a single proxy in maven settings and it does not work until i set all jvm properties which is not compliant to maven proxy config (which works well for downloads) so there are two bugs there (one being to use system props and breaking other mojo running conccurently and the main one being to not be aligned on maven behavior). Agree having proxies per target is an enhancement which can be out of scope for this ticket which has a more important blocker (mvn alignment). The comment https://github.com/GoogleContainerTools/jib/issues/3796#issuecomment-1265737730 is not accurate in my case, not sure why but i suspect it is because proxies are set for their protocol only (http) instead of http+https (keep in mind a http proxy is generally used by http and https connections). A quick fix can be to set as https.proxyXxx var the http proxy if exists and no https one was found but I hope system props are avoided by overriding in apache http client builder the two configs i mentionned.

rmannibucau avatar Oct 09 '22 08:10 rmannibucau

Came here from #1403, and can confirm this issue. Same situation, our proxy is using http:// also for https target URLs. I have a single entry with <protocol>http</protocol> in my settings.xml, but jib has problems connecting to registries.

Setting an additional <protocol>https</protocol> entry in settings.xml fixes jib, but creates problems with other tooling making connections https:// connections. And according to https://maven.apache.org/settings.html#proxies the protocol is the protocol for connecting to the proxy, it's not the protocol of the target URL.

A workaround which worked for me was setting MAVEN_ARGS with the -Dhttp.* and -Dhttps.* properties. But that should not be necessary. Other connections to https:// URLs initiated by Maven are working without it, just with the one http proxy entry in the settings.xml.

stephan-uhlmann avatar Oct 27 '23 12:10 stephan-uhlmann

Take a look at this: https://github.com/GoogleContainerTools/jib/pull/1337#issuecomment-447052026

It could be that other tools are misinterpreting the settings.

chanseokoh avatar Oct 27 '23 12:10 chanseokoh