This is a cache of https://docs.openshift.com/enterprise/3.1/install_config/http_proxies.html. It is a snapshot of the page at 2024-11-23T04:31:07.430+0000.
Working with HTTP Proxies | Installation and Configuration | OpenShift Enterprise 3.1
×

Overview

Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. Configuring OpenShift to use these proxies can be as simple as setting standard environment variables in configuration or JSON files.

Configuring Hosts for Proxies

  1. Add the NO_PROXY, HTTP_PROXY, and HTTPS_PROXY environment variables to each host’s /etc/sysconfig/atomic-openshift-master file (for single master configuration), /etc/sysconfig/atomic-openshift-master-api, or /etc/sysconfig/atomic-openshift-master-controllers files (for multi-master configuration) and /etc/sysconfig/atomic-openshift-node file (for node configuration) depending on the type of host:

    HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
    HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/
    NO_PROXY=master.hostname.example.com

    NO_PROXY accepts a comma-separated list of hosts:

    For master hosts
    • Node hostname

    • Master IP or hostname

    • Service IP

    • Cluster IP

    For node hosts
    • Master IP or hostname

    • Service IP

    • Cluster IP

    For the Docker service
    • Registry service IP and hostname

      Currently, using CIDR for IP addressing is not supported by NO_PROXY. You must add individual IP addresses for values, such as, the registry.

      The only wildcard NO_PROXY accepts is a single * character, which matches all hosts, and effectively disables the proxy. Each name in this list is matched as either a domain which contains the host name as a suffix, or the host name itself.

      For instance, example.com would match example.com, example.com:80, and www.example.com.

  2. Restart the master or node host as appropriate:

    # systemctl restart atomic-openshift-master
    # systemctl restart atomic-openshift-node

    For multi-master installations:

    # systemctl restart atomic-openshift-master-controllers
    # systemctl restart atomic-openshift-master-api

OpenShift does not accept * as a wildcard attached to a domain suffix. For example, this works:

NO_PROXY=.example.com

However, this does not:

NO_PROXY=*.example.com

To deploy Hawkular Metrics on a proxied OpenShift Enterprise environment, include the following services in the NO_PROXY configuration:

  • Hawkular Cassandra

  • Hawkular Metrics

  • Heapster

  • Kubernetes

  • Application

  • OpenShift infra domain (added when using two DNS zones)

To obtain the service IPs, run:

$ oc get svc

AutoScaling does not work on a proxied environment.

Proxying Docker Pull

OpenShift node hosts need to perform push and pull operations to Docker registries. If you have a registry that does not need a proxy for nodes to access, include the NO_PROXY parameter with the registry’s host name, the registry service’s IP address, and service name. This blacklists that registry, leaving the external HTTP proxy as the only option.

  1. Edit the /etc/sysconfig/docker file and add the variables in shell format:

    HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
    HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/
    NO_PROXY=master.hostname.example.com,172.30.123.45,docker-registry.default.svc.cluster.local
  2. Restart the Docker service:

    # systemctl restart docker

Using Maven Behind a Proxy

There are three options for using Maven behind a proxy on OpenShift Enterprise:

  • Generate the settings.xml file for the user by setting the $HTTP_PROXY_HOST and $HTTP_PROXY_PORT environment variables in the .s2i/environment file:

    HTTP_PROXY_HOST=<hostname>
    HTTP_PROXY_PORT=<port_number>

    Optionally, you can also set the $HTTP_PROXY_USERNAME, HTTP_PROXY_PASSWORD, and HTTP_PROXY_NONPROXYHOSTS variables:

    HTTP_PROXY_USERNAME=<user_name>
    HTTP_PROXY_PASSWORD=<password>
    HTTP_PROXY_NONPROXYHOSTS=<hostname>
  • Move the settings.xml file into your application’s local Git repository:

    $ mv settings.xml <git_repo>/configuration/settings.xml
  • Point the MAVEN_ARGS_APPEND environment variable to the location of the settings.xml file:

    MAVEN_ARGS_APPEND=" -s path/to/file"

Configuring s2i Builds for Proxies

s2i builds fetch dependencies from various locations. You can use a .sti/environment file to specify simple shell variables and OpenShift will react accordingly when seeing build images.

The following are the supported proxy environment variables with example values:

HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/
HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/
NO_PROXY=master.hostname.example.com

Configuring Default Templates for Proxies

The example templates available in OpenShift by default do not include settings for HTTP proxies. For existing applications based on these templates, modify the source section of the application’s build configuration and add proxy settings:

...
source:
  type: Git
  git:
    uri: https://github.com/openshift/ruby-hello-world
    httpProxy: http://proxy.example.com
    httpsProxy: https://proxy.example.com
...

This is similar to the process for using proxies for Git cloning.

Setting Proxy Environment Variables in Pods

You can set the NO_PROXY, HTTP_PROXY, and HTTPS_PROXY environment variables in the templates.spec.containers stanza in a deployment configuration to pass proxy connection information. The same can be done for configuring a Pod’s proxy at runtime:

...
containers:
- env:
  - name: "HTTP_PROXY"
    value: "http://USER:PASSWORD@IPADDR:PORT"
...

You can also use the oc env command to update an existing deployment configuration with a new environment variable:

$ oc env dc/frontend HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT

If you have a ConfigChange trigger set up in your OpenShift instance, the changes happen automatically. Otherwise, manually redeploy your application for the changes to take effect.

Git Repository Access

If your Git repository can only be accessed using a proxy, you can define the proxy to use in the source section of the BuildConfig. You can configure both a HTTP and HTTPS proxy to use. Both fields are optional.

Your source URI must use the HTTP or HTTPS protocol for this to work.

source:
  type: Git
  git:
    uri: "https://github.com/openshift/ruby-hello-world"
    httpProxy: http://proxy.example.com
    httpsProxy: https://proxy.example.com