openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
aad9ccc2ec5fc056ce2007dca36c7409ae10fd6f
openshift-docs/modules/installation-configure-proxy.adoc
Brendan Daly 8c11ab599e OSDOCS-12577:removing duplicate prereqs
2025-01-14 18:53:46 +00:00

301 lines
12 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * installing/installing_aws/installing_aws-customizations.adoc
// * installing/installing_aws/installing_aws-network-customizations.adoc
// * installing/installing_aws/installing_aws-private.adoc
// * installing/installing_aws/installing_aws-vpc.adoc
// * installing/installing_aws/installing_aws-china.adoc
// * installing/installing_aws/installing-aws-secret-region.adoc
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
// * installing/installing_aws/installing-restricted-networks-aws.adoc
// * installing/installing_azure/installing-azure-customizations.adoc
// * installing/installing_azure/installing-azure-network-customizations.adoc
// * installing/installing_azure/installing-azure-government-region.adoc
// * installing/installing_azure/installing-azure-private.adoc
// * installing/installing_azure/installing-azure-vnet.adoc
// * installing/installing_azure/installing-azure-user-infra.adoc
// * installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc
// * installing/installing_gcp/installing-gcp-customizations.adoc
// * installing/installing_gcp/installing-gcp-network-customizations.adoc
// * installing/installing_gcp/installing-gcp-private.adoc
// * installing/installing_gcp/installing-gcp-vpc.adoc
// * installing/installing_gcp/installing-gcp-user-infra.adoc
// * installing/installing_gcp/installing-gcp-user-infra-vpc.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-customizations.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-network-customizations.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-vpc.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-private.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-restricted.adoc
// * installing/installing_bare_metal/upi/installing-bare-metal.adoc
// * installing/installing_bare_metal/upi/installing-restricted-networks-bare-metal.adoc
// * installing/installing_openstack/installing-openstack-installer-custom.adoc
// * installing/installing_openstack/installing-openstack-installer-sr-iov.adoc
// * installing/installing_openstack/installing-openstack-installer-restricted.adoc
// * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere-network-customizations.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-customizations.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc
// * installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
// * installing/installing_ibm_power/installing-ibm-power.adoc
// * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
// * installing/installing_ibm_powervs/installing-ibm-power-vs-customizations.adoc
// * installing/installing_ibm_powervs/installing-ibm-power-vs-private-cluster.adoc
// * installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc
// * installing/installing_ibm_powervs/installing-ibm-powervs-vpc.adoc
// * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
// * networking/configuring-a-custom-pki.adoc
// * installing/installing-nutanix-installer-provisioned.adoc
// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
// * installing/installing-restricted-networks-azure-installer-provisioned.adoc
// * installing/installing_azure/installing-restricted-networks-azure-user-provisioned.adoc
ifeval::["{context}" == "installing-aws-china-region"]
:aws:
:aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-customizations"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-network-customizations"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-private"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-vpc"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-secret-region"]
:aws:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:bare-metal:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:bare-metal:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra"]
:gcp:
:three-node-cluster:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:gcp:
:user-infra-vpc:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:gcp:
:restricted:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-network-customizations"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-installer-provisioned-customizations"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-installer-provisioned-network-customizations"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
:vsphere:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="installation-configure-proxy_{context}"]
= Configuring the cluster-wide proxy during installation
Production environments can deny direct access to the internet and instead have
an HTTP or HTTPS proxy available. You can configure a new {product-title}
cluster to use a proxy by configuring the proxy settings in the
`install-config.yaml` file.
ifdef::bare-metal[]
[NOTE]
====
For bare metal installations, if you do not assign node IP addresses from the
range that is specified in the `networking.machineNetwork[].cidr` field in the
`install-config.yaml` file, you must include them in the `proxy.noProxy` field.
====
endif::bare-metal[]
.Prerequisites
ifndef::gcp[]
* You have an existing `install-config.yaml` file.
// TODO: xref (../../installing/install_config/configuring-firewall.adoc#configuring-firewall)
endif::gcp[]
* You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the `Proxy` object's `spec.noProxy` field to bypass the proxy if necessary.
+
[NOTE]
====
The `Proxy` object `status.noProxy` field is populated with the values of the `networking.machineNetwork[].cidr`, `networking.clusterNetwork[].cidr`, and `networking.serviceNetwork[]` fields from your installation configuration.
For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and {rh-openstack-first}, the `Proxy` object `status.noProxy` field is also populated with the instance metadata endpoint (`169.254.169.254`).
====
.Procedure
. Edit your `install-config.yaml` file and add the proxy settings. For example:
+
[source,yaml]
----
apiVersion: v1
baseDomain: my.domain.com
proxy:
httpProxy: http://<username>:<pswd>@<ip>:<port> <1>
httpsProxy: https://<username>:<pswd>@<ip>:<port> <2>
ifndef::aws[]
noProxy: example.com <3>
endif::aws[]
ifdef::aws[]
noProxy: ec2.<aws_region>.amazonaws.com,elasticloadbalancing.<aws_region>.amazonaws.com,s3.<aws_region>.amazonaws.com <3>
endif::aws[]
additionalTrustBundle: | <4>
-----BEGIN CERTIFICATE-----
<MY_TRUSTED_CA_CERT>
-----END CERTIFICATE-----
additionalTrustBundlePolicy: <policy_to_add_additionalTrustBundle> <5>
----
<1> A proxy URL to use for creating HTTP connections outside the cluster. The
URL scheme must be `http`.
<2> A proxy URL to use for creating HTTPS connections outside the cluster.
<3> A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass the proxy for all destinations.
ifdef::aws[]
If you have added the Amazon `EC2`,`Elastic Load Balancing`, and `S3` VPC endpoints to your VPC, you must add these endpoints to the `noProxy` field.
endif::aws[]
ifdef::vsphere[]
You must include vCenter's IP address and the IP range that you use for its machines.
endif::vsphere[]
<4> If provided, the installation program generates a config map that is named `user-ca-bundle` in
the `openshift-config` namespace that contains one or more additional CA
certificates that are required for proxying HTTPS connections. The Cluster Network
Operator then creates a `trusted-ca-bundle` config map that merges these contents
with the {op-system-first} trust bundle, and this config map is referenced in the `trustedCA` field of the `Proxy` object. The `additionalTrustBundle` field is required unless
the proxy's identity certificate is signed by an authority from the {op-system} trust
bundle.
<5> Optional: The policy to determine the configuration of the `Proxy` object to reference the `user-ca-bundle` config map in the `trustedCA` field. The allowed values are `Proxyonly` and `Always`. Use `Proxyonly` to reference the `user-ca-bundle` config map only when `http/https` proxy is configured. Use `Always` to always reference the `user-ca-bundle` config map. The default value is `Proxyonly`.
+
[NOTE]
====
The installation program does not support the proxy `readinessEndpoints` field.
====
+
[NOTE]
====
If the installer times out, restart and then complete the deployment by using the `wait-for` command of the installer. For example:
[source,terminal]
----
$ ./openshift-install wait-for install-complete --log-level debug
----
====
. Save the file and reference it when installing {product-title}.
The installation program creates a cluster-wide proxy that is named `cluster` that uses the proxy
settings in the provided `install-config.yaml` file. If no proxy settings are
provided, a `cluster` `Proxy` object is still created, but it will have a nil
`spec`.
[NOTE]
====
Only the `Proxy` object named `cluster` is supported, and no additional
proxies can be created.
====
ifeval::["{context}" == "installing-aws-china-region"]
:!aws:
:!aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-customizations"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-network-customizations"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-private"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-vpc"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-secret-region"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:!bare-metal:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:!bare-metal:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra"]
:!gcp:
:!three-node-cluster:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:!gcp:
:!user-infra-vpc:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:!gcp:
:!restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-network-customizations"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-installer-provisioned-customizations"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-installer-provisioned-network-customizations"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
:!vsphere:
endif::[]
View Git Blame Copy Permalink