23.8. Configuring the cluster-wide proxy
You can configure the cluster-wide proxy in the AWS Load Balancer Operator. After you configure the cluster-wide proxy in the AWS Load Balancer Operator, Operator Lifecycle Manager (OLM) automatically updates all of the Operator's deployments with environment variables such as HTTP_PROXY, HTTPS_PROXY, and NO_PROXY. The AWS Load Balancer Operator then populates these variables into the managed controller.
23.8.1. Configuring the AWS Load Balancer Operator to trust the certificate authority of the cluster-wide proxy
Procedure

1. Create a config map to hold the certificate authority (CA) bundle in the aws-load-balancer-operator namespace by running the following command; the CA bundle trusted by OpenShift Container Platform is injected into this config map in the next step:

$ oc -n aws-load-balancer-operator create configmap trusted-ca

2. Inject the trusted CA bundle into the config map by adding the config.openshift.io/inject-trusted-cabundle=true label to it with the following command:

$ oc -n aws-load-balancer-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true

3. Update the subscription of the AWS Load Balancer Operator so that the Operator deployment can access the config map by running the following command:

$ oc -n aws-load-balancer-operator patch subscription aws-load-balancer-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}],"volumes":[{"name":"trusted-ca","configMap":{"name":"trusted-ca"}}],"volumeMounts":[{"name":"trusted-ca","mountPath":"/etc/pki/tls/certs/albo-tls-ca-bundle.crt","subPath":"ca-bundle.crt"}]}}}'

4. After the AWS Load Balancer Operator is deployed, verify that the CA bundle has been added to the aws-load-balancer-operator-controller-manager deployment by running the following command:

$ oc -n aws-load-balancer-operator exec deploy/aws-load-balancer-operator-controller-manager -c manager -- bash -c "ls -l /etc/pki/tls/certs/albo-tls-ca-bundle.crt; printenv TRUSTED_CA_CONFIGMAP_NAME"

Example output

-rw-r--r--. 1 root 1000690000 5875 Jan 11 12:25 /etc/pki/tls/certs/albo-tls-ca-bundle.crt
trusted-ca

5. Optional: Restart the deployment of the AWS Load Balancer Operator every time the config map changes by running the following command:

$ oc -n aws-load-balancer-operator rollout restart deployment/aws-load-balancer-operator-controller-manager
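The subscription patch in step 3 only works when its three parts agree with each other: the env value, the volume's config map name, and the volume mount must all refer to the same config map, and the mount's subPath must be ca-bundle.crt, the key the inject-trusted-cabundle label writes. The following added example (not part of the OpenShift documentation or the Operator's code) checks a Subscription object for that consistency before it is applied; the function name validate_ca_config and the sample objects are constructed for illustration.

```python
"""Consistency check for the Subscription spec.config that mounts the trusted
CA bundle into the AWS Load Balancer Operator deployment (added example)."""
import json

# Expected values taken from the procedure above.
EXPECTED_ENV = "TRUSTED_CA_CONFIGMAP_NAME"
EXPECTED_MOUNT = "/etc/pki/tls/certs/albo-tls-ca-bundle.crt"
# Key written into the config map by the inject-trusted-cabundle label.
INJECTED_KEY = "ca-bundle.crt"


def validate_ca_config(subscription: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    cfg = subscription.get("spec", {}).get("config", {})
    env = {e.get("name"): e.get("value") for e in cfg.get("env", [])}
    cm_name = env.get(EXPECTED_ENV)
    if not cm_name:
        problems.append(f"env {EXPECTED_ENV} is not set")
    volumes = {v.get("name"): v for v in cfg.get("volumes", [])}
    mounts = {m.get("name"): m for m in cfg.get("volumeMounts", [])}
    # Every mount must be backed by a volume that points at the named config map,
    # land at the path the controller reads, and select the injected key.
    for name, mount in mounts.items():
        vol = volumes.get(name)
        if vol is None:
            problems.append(f"volumeMount {name} has no matching volume")
            continue
        if vol.get("configMap", {}).get("name") != cm_name:
            problems.append(f"volume {name} does not reference config map {cm_name!r}")
        if mount.get("mountPath") != EXPECTED_MOUNT:
            problems.append(f"mountPath {mount.get('mountPath')!r} != {EXPECTED_MOUNT!r}")
        if mount.get("subPath") != INJECTED_KEY:
            problems.append(f"subPath {mount.get('subPath')!r} != injected key {INJECTED_KEY!r}")
    if not mounts:
        problems.append("no volumeMounts for the CA bundle")
    return problems


# Constructed sample: spec.config exactly as the oc patch command above sets it.
GOOD = json.loads(
    '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}],'
    '"volumes":[{"name":"trusted-ca","configMap":{"name":"trusted-ca"}}],'
    '"volumeMounts":[{"name":"trusted-ca","mountPath":"/etc/pki/tls/certs/albo-tls-ca-bundle.crt",'
    '"subPath":"ca-bundle.crt"}]}}}'
)
# Constructed broken variant: without subPath the whole config map is mounted as a
# directory at the .crt path, so the controller finds no bundle file there.
BAD = json.loads(json.dumps(GOOD))
del BAD["spec"]["config"]["volumeMounts"][0]["subPath"]
```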