HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/ HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/ NO_PROXY=master.hostname.example.com
Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. Configuring OpenShift to use these proxies can be as simple as setting standard environment variables in configuration or JSON files.
Add the NO_PROXY
, HTTP_PROXY
, and HTTPS_PROXY
environment variables
to each host’s /etc/sysconfig/atomic-openshift-master file (for single
master configuration), /etc/sysconfig/atomic-openshift-master-api, or
/etc/sysconfig/atomic-openshift-master-controllers files (for multi-master
configuration) and /etc/sysconfig/atomic-openshift-node file (for node
configuration) depending on the type of host:
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/ HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/ NO_PROXY=master.hostname.example.com
NO_PROXY
accepts a comma-separated list of hosts:
Node hostname
Master IP or hostname
Service IP
Cluster IP
Master IP or hostname
Service IP
Cluster IP
Registry service IP and hostname
Currently, using CIDR for IP addressing is not supported by |
The only wildcard For instance, example.com would match example.com, example.com:80, and www.example.com. |
Restart the master or node host as appropriate:
# systemctl restart atomic-openshift-master # systemctl restart atomic-openshift-node
For multi-master installations:
# systemctl restart atomic-openshift-master-controllers # systemctl restart atomic-openshift-master-api
OpenShift does not accept *
as a wildcard attached to a domain suffix. For
example, this works:
NO_PROXY=.example.com
However, this does not:
NO_PROXY=*.example.com
To deploy Hawkular Metrics on a proxied OpenShift Enterprise
environment, include the following services in the NO_PROXY
configuration:
Hawkular Cassandra
Hawkular Metrics
Heapster
Kubernetes
Application
OpenShift infra domain (added when using two DNS zones)
To obtain the service IPs, run:
$ oc get svc
AutoScaling does not work on a proxied environment. |
OpenShift node hosts need to perform push and pull operations to Docker
registries. If you have a registry that does not need a proxy for nodes to
access, include the NO_PROXY
parameter with the registry’s host name, the
registry service’s IP address, and service name. This blacklists that registry,
leaving the external HTTP proxy as the only option.
Edit the /etc/sysconfig/docker file and add the variables in shell format:
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/ HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/ NO_PROXY=master.hostname.example.com,172.30.123.45,docker-registry.default.svc.cluster.local
Restart the Docker service:
# systemctl restart docker
There are three options for using Maven behind a proxy on OpenShift Enterprise:
Generate the settings.xml file for the user by setting the
$HTTP_PROXY_HOST
and $HTTP_PROXY_PORT
environment variables in the
.s2i/environment file:
HTTP_PROXY_HOST=<hostname> HTTP_PROXY_PORT=<port_number>
Optionally, you can also set the $HTTP_PROXY_USERNAME
, HTTP_PROXY_PASSWORD
, and HTTP_PROXY_NONPROXYHOSTS
variables:
HTTP_PROXY_USERNAME=<user_name> HTTP_PROXY_PASSWORD=<password> HTTP_PROXY_NONPROXYHOSTS=<hostname>
Move the settings.xml file into your application’s local Git repository:
$ mv settings.xml <git_repo>/configuration/settings.xml
Point the MAVEN_ARGS_APPEND
environment variable to the location of the
settings.xml file:
MAVEN_ARGS_APPEND=" -s path/to/file"
s2i builds fetch dependencies from various locations. You can use a .sti/environment file to specify simple shell variables and OpenShift will react accordingly when seeing build images.
The following are the supported proxy environment variables with example values:
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/ HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/ NO_PROXY=master.hostname.example.com
The
example templates
available in OpenShift by default do not include settings for HTTP
proxies. For existing applications based on these templates, modify the
source
section of the application’s build configuration and add proxy
settings:
... source: type: Git git: uri: https://github.com/openshift/ruby-hello-world httpProxy: http://proxy.example.com httpsProxy: https://proxy.example.com ...
This is similar to the process for using proxies for Git cloning.
You can set the NO_PROXY
, HTTP_PROXY
, and HTTPS_PROXY
environment
variables in the templates.spec.containers
stanza in a deployment
configuration to pass proxy connection information. The same can be done for
configuring a Pod’s proxy at runtime:
... containers: - env: - name: "HTTP_PROXY" value: "http://USER:PASSWORD@IPADDR:PORT" ...
You can also use the oc env
command to update an existing deployment
configuration with a new environment variable:
$ oc env dc/frontend HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
If you have a ConfigChange trigger set up in your OpenShift instance, the changes happen automatically. Otherwise, manually redeploy your application for the changes to take effect.
If your Git repository can only be accessed using a proxy, you can define the
proxy to use in the source
section of the BuildConfig
. You can configure
both a HTTP and HTTPS proxy to use. Both fields are optional.
Your source URI must use the HTTP or HTTPS protocol for this to work. |
source:
type: Git
git:
uri: "https://github.com/openshift/ruby-hello-world"
httpProxy: http://proxy.example.com
httpsProxy: https://proxy.example.com