Chapter 27. Configuring the cluster-wide proxy

Procedure

1. Create a config map that contains any additional CA certificates required for proxying HTTPS connections.

   Note

   You can skip this step if the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.

   1. Create a file called

      user-ca-bundle.yaml

      with the following contents, and provide the values of your PEM-encoded certificates:

      apiVersion: v1
      data:
        ca-bundle.crt: | 

      1

      
          <MY_PEM_ENCODED_CERTS> 

      2

      
      kind: ConfigMap
      metadata:
        name: user-ca-bundle 

      3

      
        namespace: openshift-config 

      4

      1

      This data key must be named ca-bundle.crt.

      2

      One or more PEM-encoded X.509 certificates used to sign the proxy’s identity certificate.

      3

      The config map name that will be referenced from the Proxy object.

      4

      The config map must be in the openshift-config namespace.

   2. Create the config map from this file:

      $ oc create -f user-ca-bundle.yaml

2. Use the

   oc edit

   command to modify the

   Proxy

   object:

   $ oc edit proxy/cluster

3. Configure the necessary fields for the proxy:

   apiVersion: config.openshift.io/v1
   kind: Proxy
   metadata:
     name: cluster
   spec:
     httpProxy: http://<username>:<pswd>@<ip>:<port> 

   1

   
     httpsProxy: https://<username>:<pswd>@<ip>:<port> 

   2

   
     noProxy: example.com 

   3

   
     readinessEndpoints:
     - http://www.google.com 

   4

   
     - https://www.google.com
     trustedCA:
       name: user-ca-bundle 

   5

   1

   A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http.

   2

   A proxy URL to use for creating HTTPS connections outside the cluster. The URL scheme must be either http or https. Specify a URL for the proxy that supports the URL scheme. For example, most proxies will report an error if they are configured to use https but they only support http. This failure message may not propagate to the logs and can appear to be a network connection failure instead. If using a proxy that listens for https connections from the cluster, you may need to configure the cluster to accept the CAs and certificates that the proxy uses.

   3

   A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying.

   Preface a domain with

   .

   to match subdomains only. For example,

   .y.com

   matches

   x.y.com

   , but not

   y.com

   . Use

   *

   to bypass proxy for all destinations. If you scale up workers that are not included in the network defined by the

   networking.machineNetwork[].cidr

   field from the installation configuration, you must add them to this list to prevent connection issues.

   This field is ignored if neither the

   httpProxy

   or

   httpsProxy

   fields are set.

   4

   One or more URLs external to the cluster to use to perform a readiness check before writing the httpProxy and httpsProxy values to status.

   5

   A reference to the config map in the openshift-config namespace that contains additional CA certificates required for proxying HTTPS connections. Note that the config map must already exist before referencing it here. This field is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.

4. Save the file to apply the changes.

Procedure

1. Use the

   oc edit

   command to modify the proxy:

   $ oc edit proxy/cluster

2. Remove all

   spec

   fields from the Proxy object. For example:

   apiVersion: config.openshift.io/v1
   kind: Proxy
   metadata:
     name: cluster
   spec: {}

3. Save the file to apply the changes.