Tin Lam 7a25d3d5c9 Update doc on proxy
This patchset adds an additional note to allow users to
use the OpenStack client to connect to the services without
the connection routed to the proxy, if one exists.

Change-Id: I8360b1e90d8c0cce6abe7bdc27d71d86427450c4
Signed-off-by: Tin Lam <tin@irrational.io>
2018-01-12 14:35:26 -06:00


Proxy Setting

This guide is to help enterprise users who wish to deploy OpenStack-Helm behind a corporate firewall and require a corporate proxy to reach the internet.

Proxy Environment Variables

Ensure the following proxy environment variables are defined either through an rc file or through modifying /etc/environment.

export http_proxy="http://username:password@host:port"
export HTTP_PROXY="http://username:password@host:port"
export https_proxy="https://username:password@host:port"
export HTTPS_PROXY="https://username:password@host:port"
export no_proxy="127.0.0.1,localhost,.svc.cluster.local"
export NO_PROXY="127.0.0.1,localhost,.svc.cluster.local"

Note that the .svc.cluster.local entry is needed to allow the OpenStack client to connect to the services without routing the connection through the proxy. Update it to the appropriate domain name if you have a different configuration.
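The check below is an added example, not part of OpenStack-Helm: it audits a set of proxy variables for the no_proxy gap described in the note above, and goes slightly further by also flagging lower/upper-case variants that disagree and passwords embedded in the proxy URLs (these values end up readable in /etc/environment, the Docker unit's environment and the image's ENV metadata). The service host name, the proxy URL and the simplified suffix-matching rule are assumptions; real clients differ in how they interpret no_proxy.

```python
from urllib.parse import urlsplit

# Constructed sample values; the service host name is an assumption.
SERVICE_HOST = "keystone.openstack.svc.cluster.local"
GOOD_NO_PROXY = "127.0.0.1,localhost,.svc.cluster.local"  # value from this guide
SHORT_NO_PROXY = "127.0.0.1,localhost"                    # lacks the cluster domain


def bypasses_proxy(host, no_proxy):
    """Simplified no_proxy check: exact host or domain-suffix match.

    Assumption: real clients differ in detail (CIDR ranges, ports, wildcards).
    """
    host = host.lower().rstrip(".")
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def audit(env, required_direct_hosts):
    """Return a list of findings for a dict of proxy environment variables."""
    findings = []
    # Tools read either spelling, so both must carry the same value.
    for lower in ("http_proxy", "https_proxy", "no_proxy"):
        if env.get(lower) != env.get(lower.upper()):
            findings.append(f"{lower} and {lower.upper()} differ")
    # Credentials in the URL are exposed wherever the variable is stored.
    for name in ("http_proxy", "https_proxy"):
        if urlsplit(env.get(name, "")).password:
            findings.append(f"{name} embeds a password")
    # In-cluster endpoints must be reachable without the proxy.
    for host in required_direct_hosts:
        if not bypasses_proxy(host, env.get("no_proxy", "")):
            findings.append(f"{host} would be routed to the proxy")
    return findings


if __name__ == "__main__":
    proxy = "http://user:secret@proxy.example.com:3128"  # constructed
    env = {"http_proxy": proxy, "HTTP_PROXY": proxy,
           "https_proxy": proxy, "HTTPS_PROXY": proxy,
           "no_proxy": SHORT_NO_PROXY, "NO_PROXY": GOOD_NO_PROXY}
    for finding in audit(env, [SERVICE_HOST, "localhost"]):
        print("FINDING:", finding)
```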

External DNS

In tools/images/kubeadm-aio/assets/opt/playbooks/vars.yaml, under external_dns_nameservers, add the internal DNS IP addresses. These entries will overwrite the /etc/resolv.conf on the system. If your network cannot connect to the Google DNS servers, 8.8.8.8 or 8.8.4.4, the updates will fail as they cannot resolve the URLs.

Ansible Playbook

Either globally or in the tasks with pip or apt, ensure you add the following to the task:

environment:
  http_proxy: http://username:password@host:port
  https_proxy: https://username:password@host:port
  no_proxy: 127.0.0.1,localhost

Docker

Docker needs to be configured to use the proxy to pull down external images. For systemd, use a systemd drop-in directory as outlined in https://docs.docker.com/engine/admin/systemd/#httphttps-proxy.

  1. Create a systemd drop-in directory for the docker service:
$ sudo mkdir -p /etc/systemd/system/docker.service.d
  2. Create a file called http-proxy.conf in the directory created and add in the needed environment variables:
[Service]
Environment="HTTP_PROXY=http://username:password@host:port"
Environment="HTTPS_PROXY=https://username:password@host:port"
Environment="NO_PROXY=127.0.0.1,localhost,docker-registry.somecorporation.com"
  3. Once that's completed, flush the change:
$ systemctl daemon-reload
  4. Restart Docker:
$ systemctl restart docker
  5. Verify the configuration has been loaded:
$ systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/

Kubeadm-AIO Dockerfile

In tools/images/kubeadm-aio/Dockerfile, add the following to the Dockerfile before the RUN instructions.

ENV HTTP_PROXY http://username:password@host:port
ENV HTTPS_PROXY http://username:password@host:port
ENV http_proxy http://username:password@host:port
ENV https_proxy http://username:password@host:port
ENV no_proxy 127.0.0.1,localhost,172.17.0.1
ENV NO_PROXY 127.0.0.1,localhost,172.17.0.1

Note that the IP address 172.17.0.1 is the advertised IP for the Kubernetes API server. Replace it with the appropriate IP if it is different.