Check out how to configure HTTP proxy settings for Supervisor Clusters and Tanzu Kubernetes Grid Service clusters. Learn the workflow for configuring an HTTP proxy for Supervisor Clusters and Tanzu Kubernetes Grid Service clusters when you register them with Tanzu Mission Control. You use an HTTP proxy for image pulling and container traffic for on-premises Supervisor Clusters that you register as management clusters in Tanzu Mission Control.

Note: You cannot use an HTTP proxy to pull images for use with vSphere Pods or Supervisor Services. You can only use an HTTP proxy to register on-premises Supervisor Clusters as management clusters in Tanzu Mission Control.

Workflow for Configuring HTTP Proxy Settings on Supervisor Clusters and Tanzu Kubernetes Clusters to Use with Tanzu Mission Control

To configure an HTTP proxy on Supervisor Clusters that you want to register as management clusters with Tanzu Mission Control, follow these steps:

  1. In vSphere, configure an HTTP proxy on Supervisor Clusters by either inheriting the HTTP proxy settings from vCenter Server, or configuring proxy settings on individual Supervisor Clusters through the Namespace Management Clusters APIs or DCLI command line.
  2. In Tanzu Mission Control, create a proxy configuration object by using the proxy settings that you configured on the Supervisor Clusters in vSphere with Tanzu. See Create a Proxy Configuration Object for a Tanzu Kubernetes Grid Service Cluster Running in vSphere with Tanzu.
  3. In Tanzu Mission Control, use this proxy configuration object when you register the Supervisor Clusters as a Management Cluster. See Register a Management Cluster with Tanzu Mission Control and Complete the Registration of a Supervisor Cluster in vSphere with Tanzu.

To configure an HTTP proxy for Tanzu Kubernetes Grid Service clusters that you provision or add as workload clusters in Tanzu Mission Control:

  1. Create a proxy configuration object with the proxy settings that you want to use with Tanzu Kubernetes clusters. See Create a Proxy Configuration Object for a Tanzu Kubernetes Grid Service Cluster Running in vSphere with Tanzu.
  2. Use that proxy configuration object when you provision or add Tanzu Kubernetes clusters as workload clusters. See Provision a Cluster in vSphere with Tanzu and Add a Workload Cluster into Tanzu Mission Control Management.

Configuring HTTP Proxy to Tanzu Kubernetes Grid Service Clusters in vSphere with Tanzu

Use one of the following methods to configure a proxy to your Tanzu Kubernetes clusters in vSphere with Tanzu:

Note: If you use Tanzu Mission Control to manage your Tanzu Kubernetes clusters, you do not have to configure proxy settings through the cluster YAML file in vSphere with Tanzu. You can configure proxy settings when you add the Tanzu Kubernetes Grid Service clusters as workload clusters to Tanzu Mission Control.

Configuring Proxy Settings on Newly-Created vSphere 7.0 Update 3 and Later Supervisor Clusters

For newly-created Supervisor Clusters on a vSphere 7.0 Update 3 and later environment, HTTP proxy settings are inherited from vCenter Server. The clusters inherit the settings whether you create them before or after you configure HTTP proxy settings on vCenter Server.

See Configure the DNS, IP Address, and Proxy Settings to learn how to configure the HTTP proxy settings on vCenter Server.

You can also override the inherited HTTP proxy configuration on individual Supervisor Clusters through the Cluster Management API or DCLI.

Because inheriting the vCenter Server proxy settings is the default configuration for newly-created vSphere 7.0.3 Supervisor Clusters, you can also use the Cluster Management API or DCLI to turn inheritance off when the Supervisor Clusters don't require a proxy but vCenter Server still does.

Configuring Proxy Settings on Supervisor Clusters Upgraded to vSphere 7.0 Update 3 and Later

If you have upgraded your Supervisor Clusters to vSphere 7.0 Update 3 and later, the HTTP proxy settings of vCenter Server are not automatically inherited. In that case, you configure proxy settings on Supervisor Clusters by using the vcenter/namespace-management/clusters API or DCLI command line.

Using the Cluster Management API to Configure HTTP Proxy on Supervisor Clusters

You configure the Supervisor Cluster proxy settings through the vcenter/namespace-management/clusters API. The API provides three options for proxy configuration on the Supervisor Cluster:

API Setting: VC_INHERITED

Newly-Created vSphere 7.0.3 and Later Supervisor Clusters: This is the default setting for new Supervisor Clusters, and you don't have to use the API to configure the Supervisor Cluster proxy settings. You can just configure proxy settings on vCenter Server through its management interface.

Supervisor Clusters Upgraded to vSphere 7.0.3 and Later: Use this setting to push the HTTP proxy configuration to Supervisor Clusters upgraded to vSphere 7.0.3 and later.

API Setting: CLUSTER_CONFIGURED

Newly-Created vSphere 7.0.3 and Later Supervisor Clusters: Use this setting to override the HTTP proxy configuration inherited from vCenter Server in one of the following cases:

  • A Supervisor Cluster resides on a different subnet than vCenter Server and a different proxy server is required.
  • The proxy server uses custom CA bundles.

Supervisor Clusters Upgraded to vSphere 7.0.3 and Later: Use this setting to configure HTTP proxy to individual Supervisor Clusters upgraded to vSphere 7.0.3 and later in one of the following cases:

  • You cannot use the vCenter Server proxy because the Supervisor Cluster resides on a different subnet than vCenter Server and a different proxy server is required.
  • The proxy server uses custom CA bundles.

API Setting: NONE

Use this setting when the Supervisor Cluster has direct connectivity to the internet while vCenter Server requires a proxy. The NONE setting prevents the proxy settings of vCenter Server from being inherited by Supervisor Clusters.

To set an HTTP proxy to a Supervisor Cluster or modify the existing settings, use the following commands in an SSH session with vCenter Server:

vc_address=<IP address>
cluster_id=domain-c<number>
session_id=$(curl -ksX POST --user '<SSO user name>:<password>' https://$vc_address/api/session | xargs -t)
curl -k -X PATCH -H "vmware-api-session-id: $session_id" -H "Content-Type: application/json" -d '{ "cluster_proxy_config": { "proxy_settings_source": "CLUSTER_CONFIGURED", "http_proxy_config":"<proxy_url>" } }' https://$vc_address/api/vcenter/namespace-management/clusters/$cluster_id

You only need to pass the domain-c<number> part of the full cluster ID. For example, take domain-c50 from the following cluster ID: ClusterComputeResource:domain-c50:5bbb510f-759f-4e43-96bd-97fd703b4edb.

When using the VC_INHERITED or NONE settings, omit "http_proxy_config":"<proxy_url>" from the command.

To use a custom CA bundle, add "tlsRootCaBundle": "<TLS_certificate>" to the command, providing the TLS CA certificate in plain text.

For HTTPS proxy settings, use the following command:

curl -k -X PATCH -H "vmware-api-session-id: $session_id" \
  -H "Content-Type: application/json" \
  -d '{ "cluster_proxy_config": { "proxy_settings_source": "CLUSTER_CONFIGURED", "https_proxy_config":"<proxy_url>" } }' \
  https://$vc_address/api/vcenter/namespace-management/clusters/$cluster_id
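
The rules above (short cluster ID, proxy URL only with CLUSTER_CONFIGURED) can be checked before anything is sent. The following is an added example, not VMware's code: the function names, the VC_CA_FILE variable and the proxy URL are assumptions made for illustration, and the send step verifies the vCenter certificate with curl's --cacert option rather than using -k.

```shell
# Added example (not VMware's code): validate inputs and build the PATCH body.

# Print the domain-c<number> part of a short or full cluster ID.
cluster_short_id() {
    id=${1#ClusterComputeResource:}   # drop the type prefix if present
    id=${id%%:*}                      # drop the trailing :<uuid> if present
    case $id in
        domain-c|domain-c*[!0-9]*) return 1 ;;   # no number, or non-digits
        domain-c*) printf '%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# Print the JSON body. $1 = proxy_settings_source, $2 = HTTP proxy URL,
# $3 = HTTPS proxy URL (URLs are accepted only for CLUSTER_CONFIGURED).
proxy_patch_body() {
    src=$1 http=${2-} https=${3-} fields=
    case $src in
        VC_INHERITED|NONE)          # the proxy URL is omitted for these
            [ -z "$http$https" ] || return 1 ;;
        CLUSTER_CONFIGURED)
            [ -n "$http$https" ] || return 1
            for url in "$http" "$https"; do
                case $url in
                    *\"*|*\\*|*' '*) return 1 ;;   # would break the JSON string
                    ''|http://?*|https://?*) ;;
                    *) return 1 ;;
                esac
            done
            [ -z "$http" ] || fields="$fields, \"http_proxy_config\":\"$http\""
            [ -z "$https" ] || fields="$fields, \"https_proxy_config\":\"$https\"" ;;
        *) return 1 ;;
    esac
    printf '{ "cluster_proxy_config": { "proxy_settings_source": "%s"%s } }\n' "$src" "$fields"
}

# Send the body. VC_CA_FILE is an assumed variable holding the path to the
# vCenter CA certificate, so curl verifies the server instead of using -k.
# $1 = vCenter address, $2 = session id, $3 = cluster id, $4 = JSON body
apply_proxy_config() {
    curl --cacert "${VC_CA_FILE:?path to vCenter CA certificate}" -X PATCH \
        -H "vmware-api-session-id: $2" -H "Content-Type: application/json" \
        -d "$4" "https://$1/api/vcenter/namespace-management/clusters/$3"
}

# Constructed inputs: the cluster ID from the page and a made-up proxy URL.
cluster_short_id 'ClusterComputeResource:domain-c50:5bbb510f-759f-4e43-96bd-97fd703b4edb'
proxy_patch_body CLUSTER_CONFIGURED 'http://proxy.example.internal:3128'
```
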

Using DCLI to Configure HTTP Proxy Settings on Supervisor Clusters

You can use the following DCLI command to configure HTTP proxy settings on Supervisor Clusters by using the CLUSTER_CONFIGURED setting.

<dcli> namespacemanagement clusters update --cluster domain-c57 --cluster-proxy-config-http-proxy-config <proxy URL> --cluster-proxy-config-https-proxy-config <proxy URL> --cluster-proxy-config-proxy-settings-source CLUSTER_CONFIGURED