Merge pull request #57401 from xenolinux/ALBO-cluster-wide-proxy

snarayan-redhat · web-flow · commit 8f2f15a51e37 · 2023-03-23T09:34:11.000+05:30
OCPBUGS#10544: Configure the cluster wide proxy for ALBO
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1187,6 +1187,8 @@ Topics:
     File: multiple-ingress-through-single-alb
   - Name: Adding TLS termination on the AWS Load Balancer
     File: add-tls-termination
+  - Name: Configuring cluster-wide proxy on the AWS Load Balancer Operator
+    File: configure-egress-proxy-aws-load-balancer-operator
 - Name: Multiple networks
   Dir: multiple_networks
   Distros: openshift-enterprise,openshift-origin
diff --git a/modules/configuring-egress-proxy.adoc b/modules/configuring-egress-proxy.adoc
@@ -0,0 +1,48 @@
+// Module included in the following assemblies:
+//
+// * networking/aws_load_balancer_operator/configure-egress-proxy-aws-load-balancer-operator.adoc
+
+:_content-type: PROCEDURE
+[id="nw-configuring-cluster-wide-proxy_{context}"]
+= Configuring the AWS Load Balancer Operator to trust the certificate authority of the cluster-wide proxy
+
+. Create the config map to contain the certificate authority (CA) bundle in the `aws-load-balancer-operator` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator create configmap trusted-ca
+----
+
+. To inject the trusted CA bundle into the config map, add the `config.openshift.io/inject-trusted-cabundle=true` label to the config map by running the following command:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true
+----
+
+. Update the subscription of the AWS Load Balancer Operator to access the config map in the deployment of the AWS Load Balancer Operator by running the following command:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator patch subscription aws-load-balancer-operator --type='merge' -p '{"spec":{"config":{"volumes":[{"name":"trusted-ca","configMap":{"name":"trusted-ca"}}],"volumeMounts":[{"name":"trusted-ca","mountPath":"/etc/pki/tls/certs/albo-tls-ca-bundle.crt","subPath":"ca-bundle.crt"}]}}}'
+----
+
+. After the deployment of the AWS Load Balancer Operator is completed, verify that the CA bundle is added to the `aws-load-balancer-operator-controller-manager` deployment by running the following command:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator exec deploy/aws-load-balancer-operator-controller-manager -c manager -- ls -l /etc/pki/tls/certs/albo-tls-ca-bundle.crt
+----
++
+.Example output
+[source,terminal]
+----
+-rw-r--r--. 1 root 1000690000 5875 Jan 11 12:25 /etc/pki/tls/certs/albo-tls-ca-bundle.crt
+----
+
+. Optional: Restart deployment of the AWS Load Balancer Operator every time the configmap changes by running the following command:
++
+[source,terminal]
+----
+$ oc -n aws-load-balancer-operator rollout restart deployment/aws-load-balancer-operator-controller-manager
+----
diff --git a/networking/aws_load_balancer_operator/configure-egress-proxy-aws-load-balancer-operator.adoc b/networking/aws_load_balancer_operator/configure-egress-proxy-aws-load-balancer-operator.adoc
@@ -0,0 +1,10 @@
+:_content-type: ASSEMBLY
+[id="nw-aws-load-balancer-operator-cluster-wide-proxy"]
+= Configuring cluster-wide proxy
+:context: aws-load-balancer-operator
+
+toc::[]
+
+You can configure the cluster-wide proxy in the AWS Load Balancer Operator. After configuring the cluster-wide proxy in the AWS Load Balancer Operator, Operator Lifecycle Manager (OLM) automatically updates all the deployments of the Operators with the environment variables such as `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`.
+
+include::modules/configuring-egress-proxy.adoc[leveloffset=+1]
