Chapter 23. Working with HTTP Proxies
Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. Configuring OpenShift Container Platform to use these proxies can be as simple as setting standard environment variables in configuration or JSON files. This can be done during an advanced installation or configured after installation.
The proxy configuration must be the same on each host in the cluster. Therefore, when setting up the proxy or modifying it, you must update the files on each OpenShift Container Platform host to the same values. Then, you must restart OpenShift Container Platform services on each host in the cluster.
HTTPS_PROXY environment variables are found in each host’s /etc/sysconfig/atomic-openshift-master file (for single master configuration), /etc/sysconfig/atomic-openshift-master-api, or /etc/sysconfig/atomic-openshift-master-controllers files (for multi-master configuration) and /etc/sysconfig/atomic-openshift-node.
23.2. Configuring NO_PROXY
NO_PROXY environment variable lists all of the OpenShift Container Platform components and all IP addresses that are managed by OpenShift Container Platform.
On the OpenShift service accepting the CIDR,
NO_PROXY accepts a comma-separated list of hosts, IP addresses, or IP ranges in CIDR format:
- For master hosts
- Node host name
- Master IP or host name
- IP address of etcd hosts
- For node hosts
- Master IP or host name
- For the Docker service
- Registry service IP and host name
Registry service URL
- Registry route host name (if created)
When using Docker, Docker accepts a comma-separated list of hosts, domain extensions, or IP addresses, but does not accept IP ranges in CIDR format, which are only accepted by OpenShift services. The `no_proxy' variable should contain a comma-separated list of domain extensions that the proxy should not be used for.
For example, if
no_proxy is set to
.school.edu, the proxy will not be used to retrieve documents from the specific school.
NO_PROXY also includes the SDN network and service IP addresses as found in the master-config.yaml file.
networkConfig: clusterNetworkCIDR: 10.1.0.0/16 serviceNetworkCIDR: 172.30.0.0/16
OpenShift Container Platform does not accept
* as a wildcard attached to a domain suffix. For example, the following would be accepted:
However, the following would not be:
The only wildcard
NO_PROXY accepts is a single
* character, which matches all hosts, and effectively disables the proxy.
Each name in this list is matched as either a domain which contains the host name as a suffix, or the host name itself.
When scaling up nodes, use a domain name rather than a list of hostnames.
For instance, example.com would match example.com, example.com:80, and www.example.com.
23.3. Configuring Hosts for Proxies
Edit the proxy environment variables in the OpenShift Container Platform control files. Ensure all of the files in the cluster are correct.
HTTP_PROXY=http://<user>:<password>@<ip_addr>:<port>/ HTTPS_PROXY=https://<user>:<password>@<ip_addr>:<port>/ NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16 1
- Supports host names and CIDRs. Must include the SDN network and service IP ranges
Restart the master or node host as appropriate:
# systemctl restart atomic-openshift-master # systemctl restart atomic-openshift-node
For multi-master installations:
# systemctl restart atomic-openshift-master-controllers # systemctl restart atomic-openshift-master-api
23.4. Configuring Hosts for Proxies Using Ansible
During advanced installations, the
HTTPS_PROXY environment variables can be configured using the
openshift_https_proxy parameters, which are configurable in the inventory file.
Example Proxy Configuration with Ansible
# Global Proxy Configuration # These options configure HTTP_PROXY, HTTPS_PROXY, and NOPROXY environment # variables for docker and master services. openshift_http_proxy=http://<user>:<password>@<ip_addr>:<port> openshift_https_proxy=https://<user>:<password>@<ip_addr>:<port> openshift_no_proxy='.hosts.example.com,some-host.com' # # Most environments do not require a proxy between OpenShift masters, nodes, and # etcd hosts. So automatically add those host names to the openshift_no_proxy list. # If all of your hosts share a common domain you may wish to disable this and # specify that domain above. # openshift_generate_no_proxy_hosts=True
openshift_builddefaults_git_https_proxy parameters allow you to use a proxy for Git cloning
23.5. Proxying Docker Pull
OpenShift Container Platform node hosts need to perform push and pull operations to Docker registries. If you have a registry that does not need a proxy for nodes to access, include the
NO_PROXY parameter with:
- the registry’s host name,
- the registry service’s IP address, and
- the service name.
This blacklists that registry, leaving the external HTTP proxy as the only option.
Retrieve the registry service’s IP address
$ oc describe svc/docker-registry -n default Name: docker-registry Namespace: default Labels: docker-registry=default Selector: docker-registry=default Type: ClusterIP IP: 172.30.163.183 1 Port: 5000-tcp 5000/TCP Endpoints: 10.1.0.40:5000 Session Affinity: ClientIP No events.
- Registry service IP.
Edit the /etc/sysconfig/docker file and add the
NO_PROXYvariables in shell format, replacing
<docker_registry_ip>with the IP address from the previous step.
HTTP_PROXY=http://<user>:<password>@<ip_addr>:<port>/ HTTPS_PROXY=https://<user>:<password>@<ip_addr>:<port>/ NO_PROXY=master.hostname.example.com,<docker_registry_ip>,docker-registry.default.svc.cluster.local
Restart the Docker service:
# systemctl restart docker
23.6. Using Maven Behind a Proxy
Using Maven with proxies requires using the
See the Red Hat JBoss Enterprise Application Platform for OpenShift documentation for information about configuring your OpenShift Container Platform environment for Red Hat JBoss Enterprise Application Platform, including the step for setting up Maven behind a proxy.
23.7. Configuring S2I Builds for Proxies
S2I builds fetch dependencies from various locations. You can use a .s2i/environment file to specify simple shell variables and OpenShift Container Platform will react accordingly when seeing build images.
The following are the supported proxy environment variables with example values:
HTTP_PROXY=http://USERNAME:PASSWORD@10.0.1.1:8080/ HTTPS_PROXY=https://USERNAME:PASSWORD@10.0.0.1:8080/ NO_PROXY=master.hostname.example.com
23.8. Configuring Default Templates for Proxies
The example templates available in OpenShift Container Platform by default do not include settings for HTTP proxies. For existing applications based on these templates, modify the
source section of the application’s build configuration and add proxy settings:
... source: type: Git git: uri: https://github.com/openshift/ruby-hello-world httpProxy: http://proxy.example.com httpsProxy: https://proxy.example.com noProxy: somedomain.com, otherdomain.com ...
This is similar to the process for using proxies for Git cloning.
23.9. Setting Proxy Environment Variables in Pods
You can set the
HTTPS_PROXY environment variables in the
templates.spec.containers stanza in a deployment configuration to pass proxy connection information. The same can be done for configuring a Pod’s proxy at runtime:
... containers: - env: - name: "HTTP_PROXY" value: "http://<user>:<password>@<ip_addr>:<port>" ...
You can also use the
oc set env command to update an existing deployment configuration with a new environment variable:
$ oc set env dc/frontend HTTP_PROXY=http://<user>:<password>@<ip_addr>:<port>
If you have a ConfigChange trigger set up in your OpenShift Container Platform instance, the changes happen automatically. Otherwise, manually redeploy your application for the changes to take effect.
23.10. Git Repository Access
If your Git repository can only be accessed using a proxy, you can define the proxy to use in the
source section of the
BuildConfig. You can configure both a HTTP and HTTPS proxy to use. Both fields are optional. Domains for which no proxying should be performed can also be specified via the NoProxy field.
Your source URI must use the HTTP or HTTPS protocol for this to work.
source: git: uri: "https://github.com/openshift/ruby-hello-world" httpProxy: http://proxy.example.com httpsProxy: https://proxy.example.com noProxy: somedomain.com, otherdomain.com