openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
b77bdd24f8fa2b9f7cd7f23904adc2875eb3ed3d
openshift-docs/modules/configuring-a-proxy-during-installation-cli.adoc
Kathryn Alexander 90d985a0bb [enterprise-4.14] changing content type attribute
2023-10-30 10:13:25 -04:00

42 lines
2.7 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * networking/configuring-cluster-wide-proxy.adoc
:_mod-docs-content-type: PROCEDURE
[id="configuring-a-proxy-during-installation-cli_{context}"]
= Configuring a proxy during installation using the CLI
If you are installing a {product-title} (ROSA) cluster into an existing Virtual Private Cloud (VPC), you can use the ROSA CLI (`rosa`) to enable a cluster-wide HTTP or HTTPS proxy during installation.
The following procedure provides details about the ROSA CLI (`rosa`) arguments that are used to configure a cluster-wide proxy during installation. For general installation steps using the ROSA CLI, see _Creating a cluster with customizations using the CLI_.
.Prerequisites
* You have verified that the proxy is accessible from the VPC that the cluster is being installed into. The proxy must also be accessible from the private subnets of the VPC.
.Procedure
* Specify a proxy configuration when you create your cluster:
+
[source,terminal]
----
$ rosa create cluster \
<other_arguments_here> \
--additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>
--http-proxy http://<username>:<password>@<ip>:<port> \ <1> <4>
--https-proxy https://<username>:<password>@<ip>:<port> \ <1> <4>
--no-proxy example.com <5>
----
+
--
<1> The `additional-trust-bundle-file`, `http-proxy`, and `https-proxy` arguments are all optional.
<2> If you use the `additional-trust-bundle-file` argument without an `http-proxy` or `https-proxy` argument, the trust bundle is added to the trust store and used to verify cluster system egress traffic. In that scenario, the bundle is not configured to be used with a proxy.
<3> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The `additionalTrustBundle` parameter is required unless the identity certificate of the proxy is signed by an authority from the {op-system} trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
<4> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
<5> A comma-separated list of destination domain names, IP addresses, or network CIDRs to exclude proxying.
+
Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
+
This field is ignored if neither the `httpProxy` or `httpsProxy` fields are set.
--
View Git Blame Copy Permalink