Add option to set SSL_CERT_FILE for offline installation using custom CA for https proxy #10215

Merged
merged 1 commit into from
Jun 23, 2023
6 changes: 6 additions & 0 deletions docs/proxy.md
Expand Up @@ -7,6 +7,12 @@ If you set http and https proxy, all nodes and loadbalancer will be excluded fro
`http_proxy:"http://example.proxy.tld:port"`
`https_proxy:"http://example.proxy.tld:port"`

## Set custom CA

CA must be already on each target nodes

`https_proxy_cert_file: /path/to/host/custom/ca.crt`

## Set default no_proxy (this will override default no_proxy generation)

`no_proxy: "node1,node1_ip,node2,node2_ip...additional_host"`
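
Review bot: The new "Set custom CA" section does not say which machine the path refers to or what the variable does. The example value `/path/to/host/custom/ca.crt` can be read as a path on the Ansible control host, while the sentence above it says the CA must already be on the target nodes. Suggest stating that this is a path on each target node, that this change does not copy the file there, and that the value is exported as `SSL_CERT_FILE` together with the proxy variables. Also, "on each target nodes" should read "on each target node".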
3 changes: 2 additions & 1 deletion inventory/sample/group_vars/all/all.yml
Expand Up @@ -52,9 +52,10 @@ loadbalancer_apiserver_healthcheck_port: 8081
## When openstack or vsphere are used make sure to source in the required fields
# external_cloud_provider:

## Set these proxy values in order to update package manager and docker daemon to use proxies
## Set these proxy values in order to update package manager and docker daemon to use proxies and custom CA for https_proxy if needed
# http_proxy: ""
# https_proxy: ""
# https_proxy_cert_file: ""

## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
# no_proxy: ""
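
Review bot: The sample line `# https_proxy_cert_file: ""` reuses the empty-string placeholder of the two proxy lines above it, but for this variable an empty string is not the same as leaving it unset, because the value is meant to be a file path. Suggest a path-style placeholder like the one in docs/proxy.md, plus a short comment that the line should stay commented out when no custom CA is needed.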
6 changes: 5 additions & 1 deletion roles/kubespray-defaults/defaults/main.yaml
Expand Up @@ -652,14 +652,18 @@ host_os: >-
# Setting it to 0 allows unlimited requests per second.
kubelet_event_record_qps: 5

proxy_env:
proxy_env_defaults:
http_proxy: "{{ http_proxy | default ('') }}"
HTTP_PROXY: "{{ http_proxy | default ('') }}"
https_proxy: "{{ https_proxy | default ('') }}"
HTTPS_PROXY: "{{ https_proxy | default ('') }}"
no_proxy: "{{ no_proxy | default ('') }}"
NO_PROXY: "{{ no_proxy | default ('') }}"

# If we use SSL_CERT_FILE: {{ omit }} it cause in value __omit_place_holder__ and break environments
# Combine dict is avoiding the problem with omit placeholder. Maybe it can be better solution?
proxy_env: "{{ proxy_env_defaults | combine({ 'SSL_CERT_FILE': https_proxy_cert_file }) if https_proxy_cert_file is defined else proxy_env_defaults }}"

proxy_disable_env:
ALL_PROXY: ''
FTP_PROXY: ''
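
Review bot: The `https_proxy_cert_file is defined` test in the new `proxy_env` expression is also true for an empty string, so an inventory that sets `https_proxy_cert_file: ""` gets `SSL_CERT_FILE` set to an empty value wherever `proxy_env` is applied. Suggest requiring a non-empty value, for example `https_proxy_cert_file is defined and https_proxy_cert_file | length > 0`. The two comment lines above the expression end on an open question ("Maybe it can be better solution?"); they would be clearer reworded to state why `combine` is used instead of `omit`.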