docs/doc/source/configuration/docker_proxy_config.rst

.. _docker_proxy_config:

==========================
Docker Proxy Configuration
==========================

|org| uses publicly available container runtime registries. If you are
behind a corporate firewall or proxy, you need to set proxy settings.

For example, if the |prod| |OAM| interface or network is behind an http/https
proxy, relative to the Docker registries used by |prod| or applications
running on |prod|, then Docker within |prod| must be configured to use
these http/https proxies.

.. contents::
   :local:
   :depth: 1

--------------
Proxy overview
--------------

The figure below shows how proxies are used in |prod|.


.. include:: /_includes/docker-proxy-config.rest
   :start-after: figures_begin
   :end-before: figures_end


The items labeled *a* and *b* in the figure indicate two configuration files:

*   Configuration file *a* lists sysadmin shell proxy environment variables.
    This file is not required for |prod| bootstrap or any |prod|
    operations. You **must** manually add this file if you are accessing the
    public network via a proxy. You **must** add the following |prod|
    specific IP addresses to the no_proxy list:

    *   registry.local
    *   {controller |OAM| gateway IP/floating IP/host IP}
    *   {controller management floating IP/host IP}
    *   {controller cluster gateway IP}
    *   10.96.0.1 {apiserver cluster IP for Kubernetes}
    *   10.96.0.10 {coredns cluster IP for Kubernetes}
    *   `*.cluster.local`

*   Configuration file *b* lists container runtime proxy variables
    (docker_proxy). Configure these variables in the ``localhost.yml`` file
    before Ansible bootstrap. This file is **required** if you are accessing
    the public network via a proxy. |prod| specific IP addresses will be
    automatically added to the no_proxy list.

The numbered items in the figure indicate the process flow:

#.  In the ``localhost.yml`` file, fill in the Docker proxy section for
    configuration file *b*.

#.  The bootstrap process is responsible for pulling Docker images from either:

    *   the public registry using the proxy setting in (1) or

    *   the private registry within the company/organization network.

    The bootstrap process will push to the registry.local afterwards.

#.  After the Kubernetes API server is running, the bootstrap process will
    communicate with it for further |prod| configuration. You **must** ensure
    the cluster network gateway is set for no_proxy in configuration file *a*.

#.  After |prod| provisioning is complete, any operations that pull Docker
    images will use configuration file *b*. All other operations, including
    kubectl and system operations, will use the sysadmin shell and
    configuration file *a*.


.. include:: /_includes/docker-proxy-config.rest
   :start-after: r3_begin
   :end-before: r3_end

------------------
Set HTTP proxy URL
------------------

To specify the HTTP proxy URL, use the commands:

::

    system service-parameter-modify platform docker http_proxy http://my.proxy.com:1080
    system service-parameter-apply platform

-------------------
Set HTTPS proxy URL
-------------------

To specify the HTTPS proxy URL, use the commands:

::

    system service-parameter-modify platform docker https_proxy https://my.proxy.com:1443
    system service-parameter-apply platform

-------------------------
Set no_proxy address list
-------------------------

A no_proxy address list can be provided for registries not on the other side
of the proxies. This list will be added to the default no_proxy list derived
from localhost, loopback, management, and |OAM| floating addresses at runtime.

Due to a Docker restriction, each address in the no_proxy list must not be in
subnet format and it cannot contain a wildcard. For example:

To specify a no_proxy list, use the commands:

::

    system service-parameter-modify platform docker no_proxy: 1.2.3.4, 5.6.7.8
    system service-parameter-apply platform