networkConfig: clusterNetworks: - cidr: 10.1.0.0/16 hostSubnetLength: 9 serviceNetworkCIDR: 172.30.0.0/16
Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. Configuring OKD to use these proxies can be as simple as setting standard environment variables in configuration or JSON files. This can be done during an advanced installation or configured after installation.
The proxy configuration must be the same on each host in the cluster. Therefore, when setting up the proxy or modifying it, you must update the files on each OKD host to the same values. Then, you must restart OKD services on each host in the cluster.
The NO_PROXY
, HTTP_PROXY
, and HTTPS_PROXY
environment variables are found in
each host’s /etc/sysconfig/origin-master-api or
/etc/sysconfig/origin-master-controllers files and /etc/sysconfig/origin-node file.
The NO_PROXY
environment variable lists all of the OKD
components and all IP addresses that are managed by OKD.
On the OpenShift service accepting the CIDR, NO_PROXY
accepts a
comma-separated list of hosts, IP addresses, or IP ranges in CIDR format:
Node host name
Master IP or host name
IP address of etcd hosts
Master IP or host name
registry service IP and host name
registry service URL docker-registry.default.svc.cluster.local
registry route host name (if created)
When using Docker, Docker accepts a comma-separated list of hosts, domain extensions, or IP addresses, but does not accept IP ranges in CIDR format, which are only accepted by OpenShift services. The `no_proxy' variable should contain a comma-separated list of domain extensions that the proxy should not be used for. For example, if |
NO_PROXY
also includes the SDN network and service IP addresses as found
in the master-config.yaml file.
networkConfig: clusterNetworks: - cidr: 10.1.0.0/16 hostSubnetLength: 9 serviceNetworkCIDR: 172.30.0.0/16
OKD does not accept *
as a wildcard attached to a domain suffix.
For example, the following would be accepted:
NO_PROXY=.example.com
However, the following would not be:
NO_PROXY=*.example.com
The only wildcard NO_PROXY
accepts is a single *
character, which matches
all hosts, and effectively disables the proxy.
Each name in this list is matched as either a domain which contains the host name as a suffix, or the host name itself.
When scaling up nodes, use a domain name rather than a list of hostnames. |
For instance, example.com would match example.com, example.com:80, and www.example.com.
Edit the proxy environment variables in the OKD control files. Ensure all of the files in the cluster are correct.
HTTP_PROXY=http://<user>:<password>@<ip_addr>:<port>/ HTTPS_PROXY=https://<user>:<password>@<ip_addr>:<port>/ NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16 (1)
1 | Supports host names and CIDRs. Must include the SDN network and service IP ranges 10.1.0.0/16,172.30.0.0/16 by default. |
Restart the master or node host as appropriate:
# systemctl restart origin-master-api origin-master-controllers # systemctl restart origin-node
For multi-master installations:
# systemctl restart origin-master-api origin-master-controllers
During
advanced installations,
the NO_PROXY
, HTTP_PROXY
, and HTTPS_PROXY
environment variables can
be configured using the
openshift_no_proxy
, openshift_http_proxy
, and openshift_https_proxy
parameters,
which are configurable in the inventory file.
# Global Proxy Configuration # These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment # variables for docker and master services. openshift_http_proxy=http://<user>:<password>@<ip_addr>:<port> openshift_https_proxy=https://<user>:<password>@<ip_addr>:<port> openshift_no_proxy='.hosts.example.com,some-host.com' # # Most environments do not require a proxy between OpenShift masters, nodes, and # etcd hosts. So automatically add those host names to the openshift_no_proxy list. # If all of your hosts share a common domain you may wish to disable this and # specify that domain above. # openshift_generate_no_proxy_hosts=True
There are additional proxy settings that can be configured for builds using Ansible parameters. For example: The The |
OKD node hosts need to perform push and pull operations to Docker
registries. If you have a registry that does not need a proxy for nodes to
access, include the NO_PROXY
parameter with:
the registry’s host name,
the registry service’s IP address, and
the service name.
This blacklists that registry, leaving the external HTTP proxy as the only option.
Retrieve the registry service’s IP address docker_registy_ip
by running:
$ oc describe svc/docker-registry -n default Name: docker-registry Namespace: default Labels: docker-registry=default Selector: docker-registry=default Type: ClusterIP IP: 172.30.163.183 (1) Port: 5000-tcp 5000/TCP Endpoints: 10.1.0.40:5000 Session Affinity: ClientIP No events.
1 | registry service IP. |
Edit the /etc/sysconfig/docker file and add the NO_PROXY
variables in
shell format, replacing <docker_registry_ip>
with the IP address from the
previous step.
HTTP_PROXY=http://<user>:<password>@<ip_addr>:<port>/ HTTPS_PROXY=https://<user>:<password>@<ip_addr>:<port>/ NO_PROXY=master.hostname.example.com,<docker_registry_ip>,docker-registry.default.svc.cluster.local
Restart the Docker service:
# systemctl restart docker
Using Maven with proxies requires using the HTTP_PROXY_NONPROXYHOSTS
variable.
See the Red Hat JBoss Enterprise Application Platform for OpenShift documentation for information about configuring your OKD environment for Red Hat JBoss Enterprise Application Platform, including the step for setting up Maven behind a proxy.
S2I builds fetch dependencies from various locations. You can use a .s2i/environment file to specify simple shell variables and OKD will react accordingly when seeing build images.
The following are the supported proxy environment variables with example values:
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/ HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/ NO_PROXY=master.hostname.example.com
The
example
templates available in OKD by default do not include settings for
HTTP proxies. For existing applications based on these templates, modify the
source
section of the application’s build configuration and add proxy
settings:
... source: type: Git git: uri: https://github.com/openshift/ruby-hello-world httpProxy: http://proxy.example.com httpsProxy: https://proxy.example.com noProxy: somedomain.com, otherdomain.com ...
This is similar to the process for using proxies for Git cloning.
You can set the NO_PROXY
, HTTP_PROXY
, and HTTPS_PROXY
environment
variables in the templates.spec.containers
stanza in a deployment
configuration to pass proxy connection information. The same can be done for
configuring a Pod’s proxy at runtime:
... containers: - env: - name: "HTTP_PROXY" value: "http://<user>:<password>@<ip_addr>:<port>" ...
You can also use the oc set env
command to update an existing deployment
configuration with a new environment variable:
$ oc set env dc/frontend HTTP_PROXY=http://<user>:<password>@<ip_addr>:<port>
If you have a ConfigChange trigger set up in your OKD instance, the changes happen automatically. Otherwise, manually redeploy your application for the changes to take effect.
If your Git repository can only be accessed using a proxy, you can define the
proxy to use in the source
section of the BuildConfig
. You can configure
both a HTTP and HTTPS proxy to use. Both fields are optional. Domains for which
no proxying should be performed can also be specified via the NoProxy field.
Your source URI must use the HTTP or HTTPS protocol for this to work. |
source:
git:
uri: "https://github.com/openshift/ruby-hello-world"
httpProxy: http://proxy.example.com
httpsProxy: https://proxy.example.com
noProxy: somedomain.com, otherdomain.com