This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.
Chapter 19. Working with HTTP Proxies
19.1. Overview
Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. Configuring OpenShift Enterprise to use these proxies can be as simple as setting standard environment variables in configuration or JSON files. This can be done during an advanced installation or configured after installation.
The proxy configuration must be the same on each host in the cluster. Therefore, when setting up the proxy or modifying it, you must update the files on each OpenShift Enterprise host to the same values. Then, you must restart OpenShift Enterprise services on each host in the cluster.
The NO_PROXY, HTTP_PROXY, and HTTPS_PROXY environment variables are found in each host’s /etc/sysconfig/atomic-openshift-master file (for single master configuration), /etc/sysconfig/atomic-openshift-master-api, or /etc/sysconfig/atomic-openshift-master-controllers files (for multi-master configuration) and /etc/sysconfig/atomic-openshift-node.
19.2. Configuring NO_PROXY
The NO_PROXY environment variable lists all of the OpenShift Enterprise components and all IP addresses that are managed by OpenShift Enterprise.
NO_PROXY accepts a comma-separated list of hosts, IP addresses, or IP ranges in CIDR format:
- For master hosts
  - Node host name
  - Master IP or host name
- For node hosts
  - Master IP or host name
- For the Docker service
  - Registry service IP and host name
NO_PROXY also includes the SDN network and service IP addresses as found in the master-config.yaml file.
/etc/origin/master/master-config.yaml
networkConfig:
  clusterNetworkCIDR: 10.1.0.0/16
  serviceNetworkCIDR: 172.30.0.0/16
OpenShift Enterprise does not accept * as a wildcard attached to a domain suffix. For example, this works:
NO_PROXY=.example.com
However, this does not:
NO_PROXY=*.example.com
The only wildcard NO_PROXY accepts is a single * character, which matches all hosts, and effectively disables the proxy.
Each name in this list is matched as either a domain which contains the host name as a suffix, or the host name itself.
For instance, example.com would match example.com, example.com:80, and www.example.com.
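The matching rules above can be checked mechanically before a NO_PROXY value is rolled out. The following is an added example, not OpenShift Enterprise code: `lint_no_proxy` and `bypasses_proxy` are hypothetical helper names, and stopping the suffix match at a label boundary is an assumption.

```python
import ipaddress

def _as_network(entry):
    """Parse an entry as an IP or CIDR; return None for host names."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def _entries(value):
    return [e.strip().lower() for e in value.split(",") if e.strip()]

def lint_no_proxy(value, required_cidrs=()):
    """Return findings for a NO_PROXY value, following the rules in this section."""
    findings = []
    for e in _entries(value):
        if e == "*":
            findings.append("*: matches all hosts and disables the proxy")
        elif "*" in e:
            findings.append(f"{e}: '*' wildcard is not accepted, use a leading-dot suffix")
    nets = [n for n in map(_as_network, _entries(value)) if n is not None]
    for cidr in required_cidrs:
        want = ipaddress.ip_network(cidr)
        if not any(n.version == want.version and want.subnet_of(n) for n in nets):
            findings.append(f"{cidr}: SDN/service range is not covered")
    return findings

def bypasses_proxy(host, value):
    """True if host (optionally host:port) matches a NO_PROXY entry."""
    name = (host.rsplit(":", 1)[0] if host.count(":") == 1 else host).lower()
    addr = _as_network(name)  # None when the host is a name, not an IP literal
    for e in _entries(value):
        if e == "*":
            return True
        net = _as_network(e)
        if net is not None and addr is not None:
            if addr.version == net.version and addr.subnet_of(net):
                return True
        if net is not None or "*" in e:
            continue  # IP entries and wildcard entries never match by name
        suffix = e.lstrip(".")  # assumption: match stops at a label boundary
        if name == suffix or name.endswith("." + suffix):
            return True
    return False

REQUIRED = ("10.1.0.0/16", "172.30.0.0/16")  # CIDRs from master-config.yaml above
GOOD = "master.hostname.example.com,10.1.0.0/16,172.30.0.0/16"  # from this page
BAD = "*.example.com,10.1.0.0/16"  # constructed: wildcard plus a missing range
```
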
19.3. Configuring Hosts for Proxies
Edit the proxy environment variables in the OpenShift Enterprise control files. Ensure all of the files in the cluster are correct.
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/
NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16
NO_PROXY supports host names and CIDRs. It must include the SDN network and service IP ranges 10.1.0.0/16,172.30.0.0/16 by default.
Restart the master or node host as appropriate:
# systemctl restart atomic-openshift-master
# systemctl restart atomic-openshift-node
For multi-master installations:
# systemctl restart atomic-openshift-master-controllers
# systemctl restart atomic-openshift-master-api
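Because every host must carry the same proxy values, a drift check across the collected sysconfig files is a useful step before restarting services. This added example is not part of the OpenShift Enterprise tooling; the function names and the two sample file contents are constructed, and credentials in proxy URLs are masked before they are reported.

```python
from urllib.parse import urlsplit

PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY")

def parse_sysconfig(text):
    """Extract the proxy variables from KEY=VALUE sysconfig text."""
    found = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key in PROXY_VARS:  # commented-out lines never match a key
            found[key] = val.strip().strip("'\"")
    return found

def redact(url):
    """Mask the user:password part of a proxy URL so it is safe to log."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    return parts._replace(netloc="***:***@" + parts.netloc.rsplit("@", 1)[1]).geturl()

def find_drift(host_files):
    """Return {variable: {host: value}} for variables whose raw values differ."""
    parsed = {h: parse_sysconfig(t) for h, t in host_files.items()}
    drift = {}
    for var in PROXY_VARS:
        raw = {h: p.get(var) for h, p in parsed.items()}
        if len(set(raw.values())) > 1:  # compare raw values, report redacted ones
            drift[var] = {h: redact(v) if v and var != "NO_PROXY" else v
                          for h, v in raw.items()}
    return drift

# Constructed file contents for two hosts; node1 lacks the service network range.
MASTER = """HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/
NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16
"""
NODE1 = MASTER.replace(",172.30.0.0/16", "")
SAMPLE = {"master": MASTER, "node1": NODE1}

if __name__ == "__main__":
    print(find_drift(SAMPLE))
```

Values that differ only in their credentials look identical after masking, so the presence of the variable in the result is what signals the mismatch.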
19.4. Configuring Hosts for Proxies Using Ansible
During advanced installations, the NO_PROXY, HTTP_PROXY, and HTTPS_PROXY environment variables can be configured using the openshift_no_proxy, openshift_http_proxy, and openshift_https_proxy parameters, which are configurable in the inventory file.
Example 19.1. Example Proxy Configuration with Ansible
There are additional proxy settings that can be configured for builds using Ansible parameters. For example:
- The openshift_builddefaults_git_http_proxy and openshift_builddefaults_git_https_proxy parameters allow you to use a proxy for Git cloning.
- The openshift_builddefaults_http_proxy and openshift_builddefaults_https_proxy parameters can make environment variables available to the Docker build strategy and Custom build strategy processes.
19.5. Proxying Docker Pull
OpenShift Enterprise node hosts need to perform push and pull operations to Docker registries. If you have a registry that does not need a proxy for nodes to access, include the NO_PROXY parameter with the registry’s host name, the registry service’s IP address, and service name. This blacklists that registry, leaving the external HTTP proxy as the only option.
Edit the /etc/sysconfig/docker file and add the variables in shell format:
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/
NO_PROXY=master.hostname.example.com,172.30.123.45,docker-registry.default.svc.cluster.local
Restart the Docker service:
# systemctl restart docker
19.6. Configuring S2I Builds for Proxies
S2I builds fetch dependencies from various locations. You can use a .s2i/environment file to specify simple shell variables and OpenShift Enterprise will react accordingly when seeing build images.
The following are the supported proxy environment variables with example values:
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/
NO_PROXY=master.hostname.example.com
19.7. Configuring Default Templates for Proxies
The example templates available in OpenShift Enterprise by default do not include settings for HTTP proxies. For existing applications based on these templates, modify the source section of the application’s build configuration and add proxy settings:
This is similar to the process for using proxies for Git cloning.
19.8. Setting Proxy Environment Variables in Pods
You can set the NO_PROXY, HTTP_PROXY, and HTTPS_PROXY environment variables in the templates.spec.containers stanza in a deployment configuration to pass proxy connection information. The same can be done for configuring a Pod’s proxy at runtime:
You can also use the oc set env command to update an existing deployment configuration with a new environment variable:
$ oc set env dc/frontend HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
If you have a ConfigChange trigger set up in your OpenShift Enterprise instance, the changes happen automatically. Otherwise, manually redeploy your application for the changes to take effect.
19.9. Git Repository Access
If your Git repository can only be accessed using a proxy, you can define the proxy to use in the source section of the BuildConfig. You can configure both an HTTP and HTTPS proxy to use. Both fields are optional.
Your source URI must use the HTTP or HTTPS protocol for this to work.
Cluster administrators can also configure a global proxy for Git cloning using Ansible.