openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
84cfbb08e42a5e033e57e570b2dc89fe4dfe787b
openshift-docs/modules/configuring-a-proxy-after-installation-cli.adoc
Olga Tikhomirova 3903bf2d75 OSDOCS-15926 - Removing unused OSD files 
(cherry picked from commit d9774fb40a)
2025-11-26 10:02:19 -08:00

95 lines
4.4 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc
:_mod-docs-content-type: PROCEDURE
[id="configuring-a-proxy-after-installation-cli_{context}"]
= Configuring a proxy after installation using the CLI
You can use the ROSA CLI (`rosa`) to add a cluster-wide proxy configuration to an existing ROSA cluster in a Virtual Private Cloud (VPC).
You can also use `rosa` to update an existing cluster-wide proxy configuration. For example, you might need to update the network address for the proxy or replace the additional trust bundle if any of the certificate authorities for the proxy expire.
[IMPORTANT]
====
The cluster applies the proxy configuration to the control plane and compute nodes. While applying the configuration, each cluster node is temporarily placed in an unschedulable state and drained of its workloads. Each node is restarted as part of the process.
====
.Prerequisites
* You have installed and configured the latest ROSA (`rosa`) and OpenShift (`oc`) CLIs on your installation host.
* You have a {product-title} cluster that is deployed in a VPC.
.Procedure
* Edit the cluster configuration to add or update the cluster-wide proxy details:
+
[source,terminal]
----
$ rosa edit cluster \
--cluster $CLUSTER_NAME \
--additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>
--http-proxy http://<username>:<password>@<ip>:<port> \ <1> <3>
--https-proxy https://<username>:<password>@<ip>:<port> \ <1> <3>
--no-proxy example.com <4>
----
+
--
<1> The `additional-trust-bundle-file`, `http-proxy`, and `https-proxy` arguments are all optional.
<2> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The additional-trust-bundle-file argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The additional-trust-bundle-file argument is required for users who use a TLS-inspecting proxy unless the identity certificate for the proxy is signed by an authority from the {op-system-first} trust bundle. This applies regardless of whether the proxy is transparent or requires explicit configuration using the `http-proxy` and `https-proxy` arguments.
+
[IMPORTANT]
====
Do not attempt to change the proxy or additional trust bundle configuration on the cluster directly. Any changes must be applied by using the ROSA CLI (`rosa`) or {cluster-manager-first}. Any changes made directly to managed resources on the cluster are reverted automatically.
====
<3> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
<4> A comma-separated list of destination domain names, IP addresses, or network CIDRs to exclude proxying.
+
Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
+
If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
+
This field is ignored if neither the `httpProxy` or `httpsProxy` fields are set.
--
.Verification
ifdef::openshift-rosa[]
. List the status of the machine config pools and verify that they are updated:
+
[source,terminal]
----
$ oc get machineconfigpools
----
+
.Example output
[source,terminal]
----
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-d9a03f612a432095dcde6dcf44597d90 True False False 3 3 3 0 31h
worker rendered-worker-f6827a4efe21e155c25c21b43c46f65e True False False 6 6 6 0 31h
----
endif::openshift-rosa[]
. Display the proxy configuration for your cluster and verify that the details are as expected:
+
[source,terminal]
----
$ oc get proxy cluster -o yaml
----
+
.Example output
[source,terminal]
----
apiVersion: config.openshift.io/v1
kind: Proxy
spec:
httpProxy: http://proxy.host.domain:<port>
httpsProxy: https://proxy.host.domain:<port>
<...more...>
status:
httpProxy: http://proxy.host.domain:<port>
httpsProxy: https://proxy.host.domain:<port>
<...more...>
----
View Git Blame Copy Permalink