Merge pull request #35065 from apinnick/mig-766-proxy-config

MIG-766: proxy config

Author: apinnick

migrating_from_ocp_3_to_4/advanced-migration-options-3-4.adoc

@@ -29,7 +29,7 @@ This section describes how to migrate your applications with the {mtc-short} API
 
 include::modules/migration-about-migrating-applications-api.adoc[leveloffset=+2]
 include::modules/migration-prerequisites.adoc[leveloffset=+2]
-include::modules/migration-configuring-proxy-for-dvm.adoc[leveloffset=+3]
+include::modules/migration-configuring-proxies.adoc[leveloffset=+2]
 include::modules/migration-migrating-applications-api.adoc[leveloffset=+2]
 
 [id="migration-hooks_{context}"]

migrating_from_ocp_3_to_4/installing-3-4.adoc

@@ -19,6 +19,9 @@ After you have installed {mtc-short}, you must configure an object storage to us
 
 include::modules/migration-installing-mtc-on-ocp-4.adoc[leveloffset=+1]
 include::modules/migration-installing-mtc-on-ocp-3.adoc[leveloffset=+1]
+include::modules/migration-configuring-proxies.adoc[leveloffset=+1]
+
+For more information, see xref:../networking/enable-cluster-wide-proxy.adoc#nw-proxy-configure-object_config-cluster-wide-proxy[Configuring the cluster-wide proxy].
 
 [id="configuring-replication-repository_{context}"]
 == Configuring a replication repository

migrating_from_ocp_3_to_4/installing-restricted-3-4.adoc

@@ -21,6 +21,9 @@ After you have installed {mtc-short}, you must configure an object storage to us
 
 include::modules/migration-installing-mtc-on-ocp-4.adoc[leveloffset=+1]
 include::modules/migration-installing-mtc-on-ocp-3.adoc[leveloffset=+1]
+include::modules/migration-configuring-proxies.adoc[leveloffset=+1]
+
+For more information, see xref:../networking/enable-cluster-wide-proxy.adoc#nw-proxy-configure-object_config-cluster-wide-proxy[Configuring the cluster-wide proxy].
 
 [id="configuring-replication-repository_{context}"]
 == Configuring a replication repository

migrating_from_ocp_3_to_4/migrating-applications-3-4.adoc

@@ -27,8 +27,6 @@ include::modules/migration-prerequisites.adoc[leveloffset=+1]
 * link:https://docs.openshift.com/container-platform/3.11/install_config/registry/securing_and_exposing_registry.html#exposing-the-registry[Manually exposing a secure registry for {product-title} 3]
 * xref:../migrating_from_ocp_3_to_4/troubleshooting-3-4.adoc#migration-updating-deprecated-internal-images_troubleshooting-3-4[Updating deprecated internal images]
 
-include::modules/migration-configuring-proxy-for-dvm.adoc[leveloffset=+2]
-
 [id="migrating-applications-mtc-web-console_{context}"]
 == Migrating your applications by using the {mtc-short} web console
 

migration_toolkit_for_containers/advanced-migration-options-mtc.adoc

@@ -28,7 +28,7 @@ This section describes how to migrate your applications with the {mtc-short} API
 
 include::modules/migration-about-migrating-applications-api.adoc[leveloffset=+2]
 include::modules/migration-prerequisites.adoc[leveloffset=+2]
-include::modules/migration-configuring-proxy-for-dvm.adoc[leveloffset=+3]
+include::modules/migration-configuring-proxies.adoc[leveloffset=+2]
 include::modules/migration-migrating-applications-api.adoc[leveloffset=+2]
 
 [id="migration-hooks_{context}"]

migration_toolkit_for_containers/installing-mtc-restricted.adoc

@@ -20,6 +20,9 @@ You can configure the `Migration Controller` custom resource manifest to run the
 After you have installed {mtc-short}, you must configure an object storage to use as a replication repository.
 
 include::modules/migration-installing-mtc-on-ocp-4.adoc[leveloffset=+1]
+include::modules/migration-configuring-proxies.adoc[leveloffset=+1]
+
+For more information, see xref:../networking/enable-cluster-wide-proxy.adoc#nw-proxy-configure-object_config-cluster-wide-proxy[Configuring the cluster-wide proxy].
 
 [id="configuring-replication-repository_{context}"]
 == Configuring a replication repository

migration_toolkit_for_containers/installing-mtc.adoc

@@ -18,6 +18,9 @@ By default, the {mtc-short} web console and the `Migration Controller` pod run o
 After you have installed {mtc-short}, you must configure an object storage to use as a replication repository.
 
 include::modules/migration-installing-mtc-on-ocp-4.adoc[leveloffset=+1]
+include::modules/migration-configuring-proxies.adoc[leveloffset=+1]
+
+For more information, see xref:../networking/enable-cluster-wide-proxy.adoc#nw-proxy-configure-object_config-cluster-wide-proxy[Configuring the cluster-wide proxy].
 
 [id="configuring-replication-repository_{context}"]
 == Configuring a replication repository

migration_toolkit_for_containers/migrating-applications-with-mtc.adoc

@@ -18,7 +18,6 @@ During migration, the {mtc-full} ({mtc-short}) preserves the following namespace
 These annotations preserve the UID range, ensuring that the containers retain their file system permissions on the target cluster. There is a risk that the migrated UIDs could duplicate UIDs within an existing or future namespace on the target cluster.
 
 include::modules/migration-prerequisites.adoc[leveloffset=+1]
-include::modules/migration-configuring-proxy-for-dvm.adoc[leveloffset=+2]
 
 [id="migrating-applications-mtc-web-console_{context}"]
 == Migrating your applications by using the {mtc-short} web console

modules/migration-configuring-proxies.adoc

@@ -0,0 +1,68 @@
+// Module included in the following assemblies:
+//
+// * migrating_from_ocp_3_to_4/installing-3-4.adoc
+// * migrating_from_ocp_3_to_4/installing-restricted-3-4.adoc
+// * migration_toolkit_for_containers/installing-mtc.adoc
+// * migration_toolkit_for_containers/installing-mtc-restricted.adoc
+
+[id="migration-configuring-proxies_{context}"]
+= Configuring proxies
+
+For {product-title} 3.x and 4.1, you must configure proxies in the `MigrationController` custom resource (CR) manifest after you install the {mtc-short} Operator because these versions do not support a cluster-wide `proxy` object.
+
+For {product-title} 4.2 and later, the {mtc-full} ({mtc-short}) inherits the cluster-wide proxy settings. You can change the proxy parameters if you want to override the cluster-wide proxy settings.
+
+You must configure the proxies to allow the SPDY protocol and to forward the `Upgrade HTTP` header to the API server. Otherwise, an `Upgrade request required` error is displayed. The `MigrationController` CR uses SPDY to run commands within remote pods. The `Upgrade HTTP` header is required in order to open a websocket connection with the API server.
+
+.Direct volume migration
+
+If you are performing a direct volume migration (DVM) from a source cluster behind a proxy, you must configure an Stunnel proxy. Stunnel creates a transparent tunnel between the source and target clusters for the TCP connection without changing the certificates.
+
+DVM supports only one proxy. The source cluster cannot access the route of the target cluster if the target cluster is also behind a proxy.
+
+.Prerequisites
+
+* You must be logged in as a user with `cluster-admin` privileges on all clusters.
+
+.Procedure
+
+. Get the `MigrationController` CR manifest:
++
+[source,terminal]
+----
+$ oc get migrationcontroller <migration_controller> -n openshift-migration
+----
+
+. Update the proxy parameters:
++
+[source,yaml]
+----
+apiVersion: migration.openshift.io/v1alpha1
+kind: MigrationController
+metadata:
+  name: <migration_controller>
+  namespace: openshift-migration
+...
+spec:
+  stunnel_tcp_proxy: http://<username>:<password>@<ip>:<port> <1>
+  httpProxy: http://<username>:<password>@<ip>:<port> <2>
+  httpsProxy: http://<username>:<password>@<ip>:<port> <3>
+  noProxy: example.com <4>
+----
+<1> Stunnel proxy URL for direct volume migration.
+<2> Proxy URL for creating HTTP connections outside the cluster. The URL scheme must be `http`.
+<3> Proxy URL for creating HTTPS connections outside the cluster. If this is not specified, then `httpProxy` is used for both HTTP and HTTPS connections.
+<4> Comma-separated list of destination domain names, domains, IP addresses, or other network CIDRs to exclude proxying.
++
+Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
+If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
++
+This field is ignored if neither the `httpProxy` nor the `httpsProxy` field is set.
+
+. Save the manifest as `migration-controller.yaml`.
+. Apply the updated manifest:
++
+[source,terminal]
+----
+$ oc replace -f migration-controller.yaml -n openshift-migration
+----