This topic describes how to customize HTTP/HTTPS proxies for individual VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) provisioned clusters.

Overview

TKGI applies your HTTP/HTTPS cluster proxies to traffic from the cluster’s Kubernetes and containerd processes, such as the Kubernetes API server, Kube Controller, Kubelet, and containerd daemon.

To create or change a cluster’s proxy configuration, see:


To view a cluster’s proxy configuration, see:


To configure global HTTP/HTTPS proxies for TKGI on vSphere or AWS, see:

These two topics also cover how the proxies work, and how they can be useful.

Create a Cluster with a Custom Proxy Configuration

To create a cluster with a custom proxy configuration:

  1. Define the proxy settings in a configuration file, as described in Proxy Configuration Settings, below.

  2. Pass the file location to the --config-file flag of tkgi create-cluster. See Creating Clusters for more information.

Change a Cluster’s Proxy Configuration

To change a cluster’s proxy configuration:

  1. Define the proxy settings in a configuration file, as described in Proxy Configuration Settings, below.
    • To retain a previous setting, do not include it in the configuration file.
    • To unset a previous setting, set it to {} (for an object) or "" (for a string) in the configuration file.

Note: When you use tkgi update-cluster to update an existing cluster, the attached network-profile must consist of only updatable settings.

  2. If you are updating a cluster that uses a public cloud CSI driver, see Limitations on Using a Public Cloud CSI Driver in Release Notes for additional requirements.

  3. Run the following command to update the cluster with the configuration file:

    tkgi update-cluster CLUSTER-NAME --config-file CONFIG-FILE-NAME
    

    Where:

    • CLUSTER-NAME is the name of the existing Kubernetes cluster.
    • CONFIG-FILE-NAME is the path and filename of the configuration file you want to apply to the cluster.

WARNING: Update the configuration file only on a TKGI cluster that has been upgraded to the current TKGI version. For more information, see Tasks Supported Following a TKGI Control Plane Upgrade in About Tanzu Kubernetes Grid Integrated Edition Upgrades.

Proxy Configuration Settings

To configure HTTP/HTTPS settings for a TKGI cluster, you first define them in a cluster configuration JSON file on your local filesystem.

Proxy settings that you can configure are:

| Setting | Description |
| --- | --- |
| http_proxy | HTTP proxy URL and credentials. This overrides the global HTTP Proxy settings in the TKGI tile > Networking pane. |
| https_proxy | HTTPS proxy URL and credentials. This overrides the global HTTP Proxy settings in the TKGI tile. |
| no_proxy | Comma-separated list of IP addresses that bypass the proxy for internal communication. This interacts with the tile’s global No Proxy setting based on the global_no_proxy_merge setting, below. |
| global_no_proxy_merge | Boolean value. The default false setting merges the no_proxy setting above with the global No Proxy list set in the tile. Setting this to true overrides the global No Proxy list. |


For example, the following configuration file overrides the http_proxy and https_proxy settings in the tile, and merges the no_proxy list here with the no_proxy list set in the tile:

{
  "http_proxy":{
     "url":"http://example.com",
     "username":"admin",
     "password":"admin"
  },
  "https_proxy":{
     "url":"http://example.com",
     "username":"admin",
     "password":"admin"
  },
  "no_proxy":"127.0.0.1,localhost,*.example.com,198.51.100.0/24",
  "global_no_proxy_merge":true
}

Note: Cluster configuration files can also include settings for non-proxy features, such as enabling cluster access by group Managed Service Accounts (gMSAs). You combine all such settings into a single, general-purpose configuration file to pass to the --config-file flag.
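A pre-flight check for the configuration file before it is passed to tkgi update-cluster, added here as an illustration (it is not VMware code, and the names plan_update, lint, EMPTY and HOST_RE are hypothetical). It reports which proxy settings the file will retain, unset or set under the rules in Change a Cluster’s Proxy Configuration, and flags values that do not match the documented shapes, including plaintext proxy passwords. The accepted no_proxy forms (IP, CIDR, hostname, leading-dot or "*." wildcard) are an assumption drawn from the examples on this page, and non-proxy keys are ignored because the same file can carry other settings.

```python
import ipaddress
import re

# Documented "unset" value for each setting: {} for an object, "" for a string.
EMPTY = {"http_proxy": {}, "https_proxy": {}, "no_proxy": ""}
HOST_RE = re.compile(r"(\*\.|\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")

def plan_update(config):
    """Map each setting to 'retain' (absent), 'unset' ({} or ""), or 'set'."""
    plan = {}
    for name in (*EMPTY, "global_no_proxy_merge"):
        if name not in config:
            plan[name] = "retain"
        elif name in EMPTY and config[name] == EMPTY[name]:
            plan[name] = "unset"
        else:
            plan[name] = "set"
    return plan

def lint(config):
    """Return findings for values that do not match the documented shapes."""
    findings = []
    for name in ("http_proxy", "https_proxy"):
        value = config.get(name, {})
        if not isinstance(value, dict):
            findings.append(f"{name}: expected an object ({{}} to unset)")
        elif value.get("password"):
            findings.append(f"{name}: password is stored in plaintext")
    no_proxy = config.get("no_proxy", "")
    if not isinstance(no_proxy, str):
        findings.append('no_proxy: expected a string ("" to unset)')
        no_proxy = ""
    for entry in filter(None, no_proxy.split(",")):
        try:
            ipaddress.ip_network(entry, strict=False)  # single IP or CIDR range
        except ValueError:
            if not HOST_RE.fullmatch(entry):
                findings.append(f"no_proxy: malformed entry {entry!r}")
    if not isinstance(config.get("global_no_proxy_merge", False), bool):
        findings.append("global_no_proxy_merge: expected true or false")
    return findings

# Constructed sample (the dict json.load would return for such a file).
SAMPLE = {
    "http_proxy": {"url": "http://proxy.example.com", "username": "svc", "password": "changeme"},
    "https_proxy": {}, "no_proxy": "127.0.0.1,*.example.com, 198.51.100.0/24,10.0.0.0/33",
}

if __name__ == "__main__":
    print(plan_update(SAMPLE), *lint(SAMPLE), sep="\n")
```

A plaintext-password finding is a prompt to restrict the file's permissions and keep it out of version control, since the settings format stores the proxy credentials inline.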

View a Cluster’s Proxy Configuration

You can see a cluster’s current proxy configuration by viewing its BOSH manifest:

  1. To identify the names of your cluster deployments:

    bosh deployments
    

    Note: Cluster deployment names start with service-instance_.

  2. To download the manifest for any cluster you want to view:

    bosh -d DEPLOYMENT-NAME manifest > /tmp/YOUR-DEPLOYMENT-MANIFEST.yml
    

    Where:

    • DEPLOYMENT-NAME is the name of your Kubernetes cluster deployment.
    • YOUR-DEPLOYMENT-MANIFEST is the name of your Kubernetes cluster deployment manifest.
  3. Search the manifest for proxy to see its proxy settings under jobs.properties.env, for example:

    jobs:
      - name: containerd
        release: kubo
        properties:
          bridge: cni0
          default_ulimits:
          - nofile=1048576
          env:
            http_proxy: ""
            https_proxy: ""
            no_proxy: .internal,.svc,.svc.cluster.local,.svc.cluster,api.pks.local,10.100.200.0/24,10.200.0.0/16,88.0.0.0/24,192.168.111.0/24,192.168.139.1,192.168.160.0/24,nsxmanager.pks.vmware.local
          ip_masq: false
          iptables: false
          live_restore: true
          log_level: error
          log_options:
          - max-size=128m
          - max-file=2
          storage_driver: overlay2
          store_dir: /var/vcap/store
    