Create a proxy configuration in VMware Tanzu Mission Control that allows outbound traffic through the proxy that protects your managed clusters.

A proxy configuration identifies the proxy server for one or more clusters and the credentials required to authorize outbound traffic through it. When you create a proxy configuration object, you can use it when registering an Azure AKS, AWS EKS, or a Tanzu Kubernetes Grid management cluster, provisioning a workload cluster, or attaching a cluster.

Note: If you have already set up a proxy configuration in your Tanzu Kubernetes cluster, use those same settings (including the no proxy list) in the proxy configuration you create in Tanzu Mission Control for that cluster.

For information about using this feature with Tanzu Kubernetes Grid Service clusters, see Create a Proxy Configuration Object for a Tanzu Kubernetes Grid Service Cluster Running in vSphere with Tanzu.

For information about proxy configuration for Azure AKS clusters, see Create a Proxy Configuration Object for AKS Clusters in Tanzu Mission Control.

For information about proxy configuration for AWS EKS clusters, see Create a Proxy Configuration Object for EKS Clusters in Tanzu Mission Control.

Note: Tanzu Mission Control managed AKS and EKS clusters can be configured with a transparent mode proxy configuration. In such cases, the Tanzu Mission Control agent and its extensions and components can connect through the proxy in transparent mode, but you must manually configure nodes or pods outside the system-vmware-tmc namespace to use the transparent proxy.

Prerequisites

Log in to the Tanzu Mission Control console, as described in Log In to the Tanzu Mission Control Console.

Make sure you have the appropriate permissions to create a proxy configuration object.
  • To create a proxy configuration, you must be associated with the organization.credential.admin role.
Make sure you have the proxy address and credentials, and the appropriate list of non-proxied addresses for the cluster. If necessary, you can run the following command on your Tanzu Kubernetes Grid management cluster to retrieve the proxy address and the no-proxy CIDRs.

    kubectl get kubeadmconfig -n tkg-system

Procedure

  1. In the left navigation pane of the Tanzu Mission Control console, click Administration.
  2. On the Administration page, click the Proxy Configuration tab.
  3. Click Create Proxy Configuration.
  4. On the Create proxy page, enter a name for the proxy configuration.
  5. You can optionally provide a description.
  6. Select the proxy type, either Explicit or Transparent.
    • Explicit:
      1. Specify the URL or IP address of the proxy server, and the port on which outbound traffic is allowed.
      2. Enter the credentials (username and password) that permit outbound traffic through the proxy server.
      3. You can optionally enter an alternative server/port and username/password for HTTPS traffic.
      4. If your explicit proxy uses a root certificate or CA certificate (for example, if your proxy uses SSL inspection), enter the certificate into the provided box.
         Note: Custom CA certificates are not supported for Tanzu Kubernetes Grid Service clusters running in vSphere with Tanzu.
    • Transparent: Provide the custom root or CA certificate in CRT format.
      Transparent proxy is not supported for lifecycle management of Tanzu Kubernetes clusters.

  7. In the No proxy list, you can optionally specify a comma-separated list of outbound destinations that must bypass the proxy server.
  8. Click Create.
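
Because the No proxy list should carry the same settings the cluster already uses, it helps to compare the two comma-separated lists before you click Create. The following Python check is an added example, not part of the VMware documentation or product; the sample lists are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from a real cluster):
# the list already set on the cluster, and the list about to be entered
# in the proxy configuration.
CLUSTER_NO_PROXY = "10.96.0.0/12, 192.168.0.0/16,localhost,127.0.0.1,.svc,.svc.cluster.local"
TMC_NO_PROXY = "10.96.0.0/12,localhost,127.0.0.1,.svc,0.0.0.0/0"


def parse_no_proxy(value):
    """Split a comma-separated no-proxy string into a set of normalized entries."""
    entries = set()
    for raw in value.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        try:
            # Normalize IPs and CIDRs so equivalent spellings compare equal
            # (a bare IP becomes a /32 or /128 network).
            item = str(ipaddress.ip_network(item, strict=False))
        except ValueError:
            pass  # not an IP or CIDR: keep it as a host name or domain suffix
        entries.add(item)
    return entries


def is_catch_all(entry):
    """True for a /0 network, which would exempt every destination from the proxy."""
    try:
        return ipaddress.ip_network(entry, strict=False).prefixlen == 0
    except ValueError:
        return False


def review_no_proxy(cluster_value, tmc_value):
    """Report differences between the two lists and any catch-all bypass entries."""
    cluster, tmc = parse_no_proxy(cluster_value), parse_no_proxy(tmc_value)
    return {
        "missing_in_tmc": sorted(cluster - tmc),
        "extra_in_tmc": sorted(tmc - cluster),
        "bypasses_everything": sorted(e for e in tmc if is_catch_all(e)),
    }


if __name__ == "__main__":
    for finding, entries in review_no_proxy(CLUSTER_NO_PROXY, TMC_NO_PROXY).items():
        print(f"{finding}: {', '.join(entries) or 'none'}")
```

An empty result in all three fields means the list you are about to enter matches the cluster's existing settings and contains no entry that routes all outbound traffic around the proxy.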

What to do next

After you create a proxy configuration object, you can use it when registering a Tanzu Kubernetes Grid management cluster, provisioning a workload cluster, or attaching a conformant Kubernetes cluster.