openshift-docs/modules/configuring-a-proxy-after-installation-cli.adoc

// Module included in the following assemblies:
//
// * networking/configuring-cluster-wide-proxy.adoc

:_content-type: PROCEDURE
[id="configuring-a-proxy-after-installation-cli_{context}"]
= Configuring a proxy after installation using the CLI

You can use the {product-title} (ROSA) CLI (`rosa`) to add a cluster-wide proxy configuration to an existing ROSA cluster in a Virtual Private Cloud (VPC).

You can also use `rosa` to update an existing cluster-wide proxy configuration. For example, you might need to update the network address for the proxy or replace the additional trust bundle if any of the certificate authorities for the proxy expire.

[IMPORTANT]
====
The cluster applies the proxy configuration to the control plane and compute nodes. While applying the configuration, each cluster node is temporarily placed in an unschedulable state and drained of its workloads. Each node is restarted as part of the process.
====

.Prerequisites

* You have installed and configured the latest ROSA (`rosa`) and OpenShift (`oc`) CLIs on your installation host.
* You have a ROSA cluster that is deployed in a VPC.

.Procedure

* Edit the cluster configuration to add or update the cluster-wide proxy details:
+
[source,terminal]
----
$ rosa edit cluster \
 --cluster $CLUSTER_NAME \
 --additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>
 --http-proxy http://<username>:<password>@<ip>:<port> \ <1> <4>
 --https-proxy http(s)://<username>:<password>@<ip>:<port> <1> <4>
----
<1> The `additional-trust-bundle-file`, `http-proxy`, and `https-proxy` arguments are all optional.
<2> If you use the `additional-trust-bundle-file` argument without an `http-proxy` or `https-proxy` argument, the trust bundle is added to the trust store and used to verify cluster system egress traffic. In that scenario, the bundle is not configured to be used with a proxy.
<3> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The `additionalTrustBundle` parameter is required unless the identity certificate of the proxy is signed by an authority from the {op-system} trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
<4> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
+
[NOTE]
====
You should not attempt to change the proxy or additional trust bundle configuration on the cluster directly. These changes must be applied by using the ROSA CLI (`rosa`) or {cluster-manager-first}. Any changes that are made directly to the cluster will be reverted automatically.
====

.Verification

. List the status of the machine config pools and verify that they are updated:
+
[source,terminal]
----
$ oc get machineconfigpools
----
+
.Example output
[source,terminal]
----
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-d9a03f612a432095dcde6dcf44597d90   True      False      False      3              3                   3                     0                      31h
worker   rendered-worker-f6827a4efe21e155c25c21b43c46f65e   True      False      False      6              6                   6                     0                      31h
----

. Display the proxy configuration for your cluster and verify that the details are as expected:
+
[source,terminal]
----
$ oc get proxy cluster -o yaml
----
+
.Example output
[source,terminal]
----
apiVersion: config.openshift.io/v1
kind: Proxy
spec:
  httpProxy: http://proxy.host.domain:<port>
  httpsProxy: https://proxy.host.domain:<port>
  <...more...>
status:
  httpProxy: http://proxy.host.domain:<port>
  httpsProxy: https://proxy.host.domain:<port>
  <...more...>
----