modules/nw-proxy-configure-object.adoc
15 additions & 28 deletions
@@ -8,9 +8,7 @@
8
8
[id="nw-proxy-configure-object_{context}"]
9
9
= Enabling the cluster-wide proxy
10
10
11
-
The Proxy object is used to manage the cluster-wide egress proxy. When a cluster is
12
-
installed or upgraded without the proxy configured, a Proxy object is still
13
-
generated but it will have a nil `spec`. For example:
11
+
The `Proxy` object is used to manage the cluster-wide egress proxy. When a cluster is installed or upgraded without the proxy configured, a `Proxy` object is still generated but it will have a nil `spec`. For example:
14
12
15
13
[source,yaml]
16
14
----
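Review bot: On new line 11, "it will have a nil `spec`" uses Go terminology for what the reader actually sees in the YAML example that follows, which is an empty `spec:` key. Suggest "but it has an empty `spec`", which also drops the future tense and matches the example.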
@@ -24,13 +22,11 @@ spec:
24
22
status:
25
23
----
26
24
27
-
A cluster administrator can configure the proxy for {product-title} by modifying
28
-
this `cluster` Proxy object.
25
+
A cluster administrator can configure the proxy for {product-title} by modifying this `cluster``Proxy` object.
29
26
30
27
[NOTE]
31
28
====
32
-
Only the Proxy object named `cluster` is supported, and no additional
33
-
proxies can be created.
29
+
Only the `Proxy` object named `cluster` is supported, and no additional proxies can be created.
34
30
====
35
31
36
32
.Prerequisites
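Review bot: On new line 25, `cluster` and `Proxy` appear back to back with no space between the two code spans ("modifying this `cluster``Proxy` object"), which reads as a single run-together term. Separate them, or rephrase as "the `Proxy` object named `cluster`" so the wording matches the NOTE on new line 29.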
@@ -40,13 +36,11 @@ proxies can be created.
40
36
41
37
.Procedure
42
38
43
-
. Create a ConfigMap that contains any additional CA certificates required for
44
-
proxying HTTPS connections.
39
+
. Create a config map that contains any additional CA certificates required for proxying HTTPS connections.
45
40
+
46
41
[NOTE]
47
42
====
48
-
You can skip this step if the proxy's identity certificate is signed by an
49
-
authority from the RHCOS trust bundle.
43
+
You can skip this step if the proxy's identity certificate is signed by an authority from the RHCOS trust bundle.
50
44
====
51
45
52
46
.. Create a file called `user-ca-bundle.yaml` with the following contents, and provide the values of your PEM-encoded certificates:
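Review bot: The NOTE on new line 43 says "this step" can be skipped, but it sits under step 1, which has substeps, so the scope of the skip is ambiguous. State that the whole config map creation is skipped, and that the config map reference described in callout <5> of the `Proxy` object is then left unset, so a reader does not reference a config map that was never created.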
@@ -65,17 +59,17 @@ metadata:
65
59
<1> This data key must be named `ca-bundle.crt`.
66
60
<2> One or more PEM-encoded X.509 certificates used to sign the proxy's
67
61
identity certificate.
68
-
<3> The ConfigMap name that will be referenced from the Proxy object.
69
-
<4> The ConfigMap must be in the `openshift-config` namespace.
62
+
<3> The config map name that will be referenced from the `Proxy` object.
63
+
<4> The config map must be in the `openshift-config` namespace.
70
64
71
-
.. Create the ConfigMap from this file:
65
+
.. Create the config map from this file:
72
66
+
73
67
[source,terminal]
74
68
----
75
69
$ oc create -f user-ca-bundle.yaml
76
70
----
77
71
78
-
. Use the `oc edit` command to modify the Proxy object:
72
+
. Use the `oc edit` command to modify the `Proxy` object:
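Review bot: The <2> callout in the unchanged context on lines 60-61 ("One or more PEM-encoded X.509 certificates used to sign the proxy's" / "identity certificate.") is still hard-wrapped, while this change unwraps the neighbouring <3> and <4> callouts onto single lines. Unwrap <2> as well so the callout list is formatted consistently.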
<1> A proxy URL to use for creating HTTP connections outside the cluster. The
106
-
URL scheme must be `http`.
107
-
<2> A proxy URL to use for creating HTTPS connections outside the cluster.
108
-
<3> A comma-separated list of destination domain names, domains, IP addresses or
109
-
other network CIDRs to exclude proxying.
99
+
<1> A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be `http`.
100
+
<2> A proxy URL to use for creating HTTPS connections outside the cluster. The URL scheme must be either `http` or `https`. Specify a URL for the proxy that supports the URL scheme. For example, most proxies will report an error if they are configured to use `https` but they only support `http`. This failure message may not propagate to the logs and can appear to be a network connection failure instead. If using a proxy that listens for `https` connections from the cluster, you may need to configure the cluster to accept the CAs and certificates that the proxy uses.
101
+
<3> A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying.
110
102
+
111
103
Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
112
104
If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
113
105
+
114
106
This field is ignored if neither the `httpProxy` or `httpsProxy` fields are set.
115
-
<4> One or more URLs external to the cluster to use to perform a readiness check
116
-
before writing the `httpProxy` and `httpsProxy` values to status.
117
-
<5> A reference to the ConfigMap in the `openshift-config` namespace that
118
-
contains additional CA certificates required for proxying HTTPS connections.
119
-
Note that the ConfigMap must already exist before referencing it here. This
120
-
field is required unless the proxy's identity certificate is signed by an
121
-
authority from the RHCOS trust bundle.
107
+
<4> One or more URLs external to the cluster to use to perform a readiness check before writing the `httpProxy` and `httpsProxy` values to status.
108
+
<5> A reference to the config map in the `openshift-config` namespace that contains additional CA certificates required for proxying HTTPS connections. Note that the config map must already exist before referencing it here. This field is required unless the proxy's identity certificate is signed by an authority from the RHCOS trust bundle.
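Review bot: The new <2> callout on line 100 ends with "you may need to configure the cluster to accept the CAs and certificates that the proxy uses" without saying how. Point it at the config map created in step 1 and the reference described in callout <5>, since that is the mechanism this procedure provides for additional CA certificates. In the same callout, "if they are configured to use `https` but they only support `http`" reads as if the proxy is being configured, while the setting is the proxy URL given in this field; reword so the subject is the URL scheme specified here. The unchanged context on line 106 also has "neither ... or", which should be "neither ... nor".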