openshift-docs/modules/installation-configure-proxy.adoc

// Module included in the following assemblies:
//
// * installing/installing_aws/installing_aws-customizations.adoc
// * installing/installing_aws/installing_aws-private.adoc
// * installing/installing_aws/installing_aws-vpc.adoc
// * installing/installing_aws/installing_aws-china.adoc
// * installing/installing_aws/installing-aws-secret-region.adoc
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-government-region.adoc
// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
// * installing/installing_aws/installing-restricted-networks-aws.adoc
// * installing/installing_azure/installing-azure-customizations.adoc
// * installing/installing_azure/installing-azure-government-region.adoc
// * installing/installing_azure/installing-azure-private.adoc
// * installing/installing_azure/installing-azure-vnet.adoc
// * installing/installing_azure/installing-azure-user-infra.adoc
// * installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc
// * installing/installing_gcp/installing-gcp-customizations.adoc
// * installing/installing_gcp/installing-gcp-network-customizations.adoc
// * installing/installing_gcp/installing-gcp-private.adoc
// * installing/installing_gcp/installing-gcp-vpc.adoc
// * installing/installing_gcp/installing-gcp-user-infra.adoc
// * installing/installing_gcp/installing-gcp-user-infra-vpc.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-customizations.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-vpc.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-private.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-restricted.adoc
// * installing/installing_bare_metal/upi/installing-bare-metal.adoc
// * installing/installing_bare_metal/upi/installing-restricted-networks-bare-metal.adoc
// * installing/installing_openstack/installing-openstack-installer-custom.adoc
// * installing/installing_openstack/installing-openstack-installer-sr-iov.adoc
// * installing/installing_openstack/installing-openstack-installer-restricted.adoc
// * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere.adoc
// * installing/installing_vsphere/installing-vsphere-installer-provisioned-customizations.adoc
// * installing/installing_vsphere/
//installing-restricted-networks-installer-provisioned-vsphere.adoc
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
// * installing/installing_ibm_power/installing-ibm-power.adoc
// * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
// * installing/installing_ibm_powervs/installing-ibm-power-vs-customizations.adoc
// * installing/installing_ibm_powervs/installing-ibm-power-vs-private-cluster.adoc
// * installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc
// * installing/installing_ibm_powervs/installing-ibm-powervs-vpc.adoc
// * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
// * networking/configuring-a-custom-pki.adoc
// * installing/installing-nutanix-installer-provisioned.adoc
// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
// * installing/installing-restricted-networks-azure-installer-provisioned.adoc
// * installing/installing_azure/installing-restricted-networks-azure-user-provisioned.adoc

ifeval::["{context}" == "installing-aws-china-region"]
:aws:
:aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-customizations"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-specialized-region"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-private"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-vpc"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:aws:
endif::[]
ifeval::["{context}" == "installing-aws-secret-region"]
:aws:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:bare-metal:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:bare-metal:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra"]
:gcp:
:three-node-cluster:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:gcp:
:user-infra-vpc:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:gcp:
:restricted:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-network-customizations"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-installer-provisioned-customizations"]
:vsphere:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
:vsphere:
endif::[]

:_mod-docs-content-type: PROCEDURE
[id="installation-configure-proxy_{context}"]
= Configuring the cluster-wide proxy during installation

[role="_abstract"]
To enable internet access in environments that deny direct connections, configure a cluster-wide proxy in the `install-config.yaml` file. This configuration ensures that the new {product-title} cluster routes traffic through the specified HTTP or HTTPS proxy.

ifdef::bare-metal[]
[NOTE]
====
For bare-metal installations, if you do not assign node IP addresses from the range that is specified in the `networking.machineNetwork[].cidr` field in the `install-config.yaml` file, you must include them in the `proxy.noProxy` field.
====
endif::bare-metal[]

.Prerequisites
ifndef::gcp[]
* You have an existing `install-config.yaml` file.

endif::gcp[]
* You have reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the `Proxy` object's `spec.noProxy` field to bypass the proxy if necessary.
+
[NOTE]
====
The `Proxy` object `status.noProxy` field is populated with the values of the `networking.machineNetwork[].cidr`, `networking.clusterNetwork[].cidr`, and `networking.serviceNetwork[]` fields from your installation configuration.

For installations on Amazon Web Services (AWS), {gcp-first}, Microsoft Azure, and {rh-openstack-first}, the `Proxy` object `status.noProxy` field is also populated with the instance metadata endpoint (`169.254.169.254`).
====

.Procedure

. Edit your `install-config.yaml` file and add the proxy settings. For example:
+
[source,yaml]
----
apiVersion: v1
baseDomain: my.domain.com
proxy:
  httpProxy: http://<username>:<pswd>@<ip>:<port>
  httpsProxy: https://<username>:<pswd>@<ip>:<port>
ifndef::aws[]
  noProxy: example.com
endif::aws[]
ifdef::aws[]
  noProxy: ec2.<aws_region>.amazonaws.com,elasticloadbalancing.<aws_region>.amazonaws.com,s3.<aws_region>.amazonaws.com
endif::aws[]
additionalTrustBundle: |
    -----BEGIN CERTIFICATE-----
    <MY_TRUSTED_CA_CERT>
    -----END CERTIFICATE-----
additionalTrustBundlePolicy: <policy_to_add_additionalTrustBundle>
# ...
----
+
where: 
+
`proxy.httpProxy`:: Specifies a proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be `http`.
`proxy.httpsProxy`:: Specifies a proxy URL to use for creating HTTPS connections outside the cluster.
`proxy.noProxy`:: Specifies a comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass the proxy for all destinations.
ifdef::aws[]
If you have added the Amazon `EC2`, `Elastic Load Balancing`, and `S3` VPC endpoints to your VPC, you must add these endpoints to the `noProxy` field.
endif::aws[]
ifdef::vsphere[]
You must include vCenter's IP address and the IP range that you use for its machines.
endif::vsphere[]
`additionalTrustBundle`:: If provided, the installation program generates a config map that is named `user-ca-bundle` in the `openshift-config` namespace to hold the additional CA certificates. If you provide `additionalTrustBundle` and at least one proxy setting, the `Proxy` object is configured to reference the `user-ca-bundle` config map in the `trustedCA` field. The Cluster Network Operator then creates a `trusted-ca-bundle` config map that merges the contents specified for the `trustedCA` parameter with the {op-system} trust bundle. The `additionalTrustBundle` field is required unless the proxy's identity certificate is signed by an authority from the {op-system} trust bundle.
`additionalTrustBundlePolicy`:: Specifies the policy that determines the configuration of the `Proxy` object to reference the `user-ca-bundle` config map in the `trustedCA` field. The allowed values are `Proxyonly` and `Always`. Use `Proxyonly` to reference the `user-ca-bundle` config map only when `http/https` proxy is configured. Use `Always` to always reference the `user-ca-bundle` config map. The default value is `Proxyonly`. Optional parameter.
+
[NOTE]
====
The installation program does not support the proxy `readinessEndpoints` field.
====
+
[NOTE]
====
If the installer times out, restart and then complete the deployment by using the `wait-for` command of the installer. For example:
+
[source,terminal]
----
$ ./openshift-install wait-for install-complete --log-level debug
----
====

. Save the file and reference it when installing {product-title}.
+
The installation program creates a cluster-wide proxy that is named `cluster` that uses the proxy settings in the provided `install-config.yaml` file. If no proxy settings are provided, a `cluster` `Proxy` object is still created, but it will have a nil `spec`.
+
[NOTE]
====
Only the `Proxy` object named `cluster` is supported, and no additional proxies can be created.
====

ifeval::["{context}" == "installing-aws-china-region"]
:!aws:
:!aws-china:
endif::[]
ifeval::["{context}" == "installing-aws-customizations"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-private"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-vpc"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-specialized-region"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-user-infra"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-government-region"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-aws-secret-region"]
:!aws:
endif::[]
ifeval::["{context}" == "installing-bare-metal"]
:!bare-metal:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:!bare-metal:
endif::[]
ifeval::["{context}" == "installing-vsphere"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra"]
:!gcp:
:!three-node-cluster:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:!gcp:
:!user-infra-vpc:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:!gcp:
:!restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-vsphere"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-network-customizations"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-vsphere-installer-provisioned-customizations"]
:!vsphere:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
:!vsphere:
endif::[]