From 8954f9c1d84419df45ae0a985feae2e06a2eed29 Mon Sep 17 00:00:00 2001
From: Pasan Weerasinghe
Date: Tue, 14 Jan 2025 16:51:21 -0800
Subject: [PATCH] Proxy configuration docs
---
 .../compliance/configure-http-proxy.mdx | 96 +++++++++++++++++++
 calico-cloud/compliance/index.mdx | 1 +
 .../compliance/configure-http-proxy.mdx | 56 +++++++++++
 calico-enterprise/compliance/index.mdx | 3 +-
 sidebars-calico-cloud.js | 1 +
 sidebars-calico-enterprise.js | 1 +
 6 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 calico-cloud/compliance/configure-http-proxy.mdx
 create mode 100644 calico-enterprise/compliance/configure-http-proxy.mdx
diff --git a/calico-cloud/compliance/configure-http-proxy.mdx b/calico-cloud/compliance/configure-http-proxy.mdx
new file mode 100644
index 0000000000..4376af6df1
--- /dev/null
+++ b/calico-cloud/compliance/configure-http-proxy.mdx
@@ -0,0 +1,96 @@
+---
+description: Configure an HTTP proxy to use for connections that leave the cluster
+---
+
+# Configure an outbound HTTP proxy
+
+$[prodname] supports the use of HTTP proxies for connections that leave the cluster and originate from $[prodname] containers.
+
+`HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables can be set on $[prodname] containers by using a mutating admission webhook, or by configuration through the Installation CR if preferred. In the latter case, the Tigera operator will be responsible for setting proxy environment variables on $[prodname] containers that egress out of the cluster.
+
+With either environment variable configuration method, the Tigera operator will detect the proxy environment variables that are set on $[prodname] containers that egress out of the cluster and ensure that network policy in the allow-tigera tier allows these connections.
+
+This page will outline how to configure an HTTP proxy using the Installation CR.
+
+:::caution
+
+$[prodname] assumes that you have exempted in-cluster destinations (including the Kubernetes API server) from proxying via the `NO_PROXY` variable.
+
+:::
+
+## Configuration via Helm
+If you wish to manually configure $[prodname] via Helm to set proxy environment variables on $[prodname] containers (rather than using a mutating admission webhook), you will first need to familiarize yourself with how to [customize the $[prodname] Helm chart using values.yaml](../get-started/install-automated#prepare-your-valuesyaml-with-customizations).
+
+You’ll need to set the proxy configuration in the values.yaml using the `installer.components.installation.proxy` path, e.g.:
+
+```yaml
+installer:
+ components:
+ installation:
+ proxy:
+ httpProxy:
+ httpsProxy:
+ noProxy:
+```
+
+Additionally, you’ll need to set the proxy configuration directly on the calico-cloud-controller-manager container itself at the `installer.components.ccInstaller.operatorDeployment.spec.template.spec.containers` path, e.g.:
+
+```yaml
+installer:
+ components:
+ ccInstaller:
+ operatorDeployment:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: calico-cloud
+ env:
+ - name: HTTP_PROXY
+ value:
+ - name: HTTPS_PROXY
+ value:
+ - name: NO_PROXY
+ value:
+
+```
+:::caution
+
+Ensure that the other required values for the Helm chart are set in the values.yaml file, as indicated by the generated helm install command.
+
+:::
+
+## Configuration via Manifest
+If you wish to manually configure $[prodname] via manifests to set proxy environment variables on $[prodname] containers (rather than using a mutating admission webhook), you’ll need to edit the manifests generated at install and reinstall time.
+
+First, you’ll need to edit the cc-operator deploy.yaml so that the `calico-cloud/calico-cloud-controller-manager` Deployment resource has your required environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`) set in its `env` section.
+
+Second, you’ll need to edit the managed-cluster deploy.yaml so that the `calico-cloud/default` Installer resource has the Installation CR proxy configuration set. This is set at the `.spec.components.installation.proxy` path, e.g.
+
+```
+apiVersion: operator.calicocloud.io/v1
+kind: Installer
+metadata:
+ name: default
+ namespace: calico-cloud
+spec:
+ clusterName: "proxy-cluster"
+ resourceVersion: "20241209202443"
+ components:
+ installation:
+ proxy:
+ httpProxy:
+ httpsProxy:
+ noProxy:
+```
+
+## Validating Configuration
+Once your install or reinstall has completed, you can:
+* Check the Installation CR to validate that the `.spec.proxy` path has been set as expected
+* Check the calico-cloud-controller-manager Deployment to validate that the environment variables have been set on the container as expected
+
+:::caution
+
+You can manually edit the two places above to configure $[prodname] to use a proxy, but keep in mind that the reinstall process (via Helm or manifest) may overwrite your changes if you did not follow the steps in previous sections.
+
+:::
diff --git a/calico-cloud/compliance/index.mdx b/calico-cloud/compliance/index.mdx
index 934e44d057..dc8fa614fd 100644
--- a/calico-cloud/compliance/index.mdx
+++ b/calico-cloud/compliance/index.mdx
@@ -15,6 +15,7 @@ Encrypt traffic in your cluster with WireGuard.
+
diff --git a/calico-enterprise/compliance/configure-http-proxy.mdx b/calico-enterprise/compliance/configure-http-proxy.mdx
new file mode 100644
index 0000000000..f718d3d646
--- /dev/null
+++ b/calico-enterprise/compliance/configure-http-proxy.mdx
@@ -0,0 +1,56 @@
+---
+description: Configure an HTTP proxy to use for connections that leave the cluster
+---
+
+# Configure an outbound HTTP proxy
+
+$[prodname] supports the use of HTTP proxies for connections that leave the cluster and originate from $[prodname] containers.
+
+`HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables can be set on $[prodname] containers by using a mutating admission webhook, or by configuration through the Installation CR if preferred. In the latter case, the Tigera operator will be responsible for setting proxy environment variables on $[prodname] containers that egress out of the cluster.
+
+With either environment variable configuration method, the Tigera operator will detect the proxy environment variables that are set on $[prodname] containers that egress out of the cluster and ensure that network policy in the allow-tigera tier allows these connections.
+
+This page will outline how to configure an HTTP proxy using the Installation CR.
+
+:::caution
+
+$[prodname] assumes that you have exempted in-cluster destinations (including the Kubernetes API server) from proxying via the `NO_PROXY` variable.
+
+:::
+
+## Configuration via Helm
+
+If you wish to manually configure $[prodname] via Helm to set proxy environment variables on $[prodname] containers (rather than using a mutating admission webhook), you must [customize the values.yaml](../getting-started/install-on-clusters/kubernetes/helm#prepare-the-installation-configuration) of the $[prodname] helm chart.
+
+You’ll need to set the proxy configuration in the values.yaml using the `installation.proxy` path, e.g.:
+
+```yaml
+installation:
+ enabled: true
+ proxy:
+ httpProxy:
+ httpsProxy:
+ noProxy:
+```
+
+## Configuration via Manifest
+If you wish to manually configure $[prodname] via manifests to set proxy environment variables on $[prodname] containers (rather than using a mutating admission webhook), you’ll need to edit the installation manifests provided by Tigera.
+
+Specifically, if you are installing $[prodname], you’ll need to edit the custom-resources.yaml. The Installation CR should be updated to set the `spec.proxy` field, e.g.
+
+```yaml
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+ name: default
+spec:
+ variant: TigeraSecureEnterprise
+ imagePullSecrets:
+ - name: tigera-pull-secret
+ proxy:
+ httpProxy:
+ httpsProxy:
+ noProxy:
+```
+
+If you have already installed $[prodname], then you can patch your previously applied Installation CR for the new proxy settings.
diff --git a/calico-enterprise/compliance/index.mdx b/calico-enterprise/compliance/index.mdx
index 1bcf92bd77..e43433a83e 100644
--- a/calico-enterprise/compliance/index.mdx
+++ b/calico-enterprise/compliance/index.mdx
@@ -15,4 +15,5 @@ Encrypt traffic in your cluster with WireGuard.
-
\ No newline at end of file
+
+
diff --git a/sidebars-calico-cloud.js b/sidebars-calico-cloud.js
index efd0c0bdb2..14dd348941 100644
--- a/sidebars-calico-cloud.js
+++ b/sidebars-calico-cloud.js
@@ -298,6 +298,7 @@ module.exports = {
 'compliance/overview',
 'compliance/compliance-reports-cis',
 'compliance/encrypt-cluster-pod-traffic',
+ 'compliance/configure-http-proxy',
 ],
 },
 {
diff --git a/sidebars-calico-enterprise.js b/sidebars-calico-enterprise.js
index 11bf60461b..d6e70773bc 100644
--- a/sidebars-calico-enterprise.js
+++ b/sidebars-calico-enterprise.js
@@ -459,6 +459,7 @@ module.exports = {
 'compliance/overview',
 'compliance/compliance-reports-cis',
 'compliance/encrypt-cluster-pod-traffic',
+ 'compliance/configure-http-proxy',
 ],
 },
 {