Merge pull request #90005 from jldohmann/OCPBUGS-43570

jldohmann · web-flow · commit 74caba36d8c9 · 2025-03-24T11:26:52.000-07:00
OCPBUGS-43570: add noproxy additions
diff --git a/modules/nw-proxy-configure-object.adoc b/modules/nw-proxy-configure-object.adoc
@@ -110,6 +110,10 @@ Port numbers are only supported when configuring IPv6 addresses. Port numbers ar
 ====
 +
 Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
++
+If your `noproxy` field needs to include a domain address, you must explicitly specify that FQDN, or prefix-matched subdomain, in the `noproxy` field. You cannot use the IP address or CIDR range that encapsulates the domain. This is because the cluster does not wait for DNS to return the IP address before assigning the route connection, and checks explicitly against the request being made.
+For example, if you have a CIDR block value, such as `10.0.0.0/24`, for the `noproxy` field and attempt to access `\https://10.0.0.11`, it will match successfully. However, attempting to access `\https://exampleserver.externaldomain.com`, whose A record entry is `10.0.0.11`, will fail. An additional value of `.externaldomain.com` for your `noproxy` field is necessary.
++
 If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
 +
 This field is ignored if neither the `httpProxy` or `httpsProxy` fields are set.

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,10 @@ Port numbers are only supported when configuring IPv6 addresses. Port numbers ar`
`110`	`110`	`====`
`111`	`111`	`+`
`112`	`112`	Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
	`113`	`++`
	`114`	+If your `noproxy` field needs to include a domain address, you must explicitly specify that FQDN, or prefix-matched subdomain, in the `noproxy` field. You cannot use the IP address or CIDR range that encapsulates the domain. This is because the cluster does not wait for DNS to return the IP address before assigning the route connection, and checks explicitly against the request being made.
	`115`	+For example, if you have a CIDR block value, such as `10.0.0.0/24`, for the `noproxy` field and attempt to access `\https://10.0.0.11`, it will match successfully. However, attempting to access `\https://exampleserver.externaldomain.com`, whose A record entry is `10.0.0.11`, will fail. An additional value of `.externaldomain.com` for your `noproxy` field is necessary.
	`116`	`++`
`113`	`117`	If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
`114`	`118`	`+`
`115`	`119`	This field is ignored if neither the `httpProxy` or `httpsProxy` fields are set.