Check out how to configure HTTP proxy settings on the Supervisor and TKG clusters, and what the workflow is for configuring a proxy when you register the Supervisor and TKG clusters with Tanzu Mission Control.
You can configure a proxy to the Supervisor through the vSphere Client, the Cluster Management API, or DCLI commands. You can use a proxy if you need to handle container traffic or image pulling from networks external to the Supervisor. For on-premises Supervisors that you register as management clusters in Tanzu Mission Control, you use an HTTP proxy for image pulling and container traffic.
Configuring Proxy Settings on Newly-Created vSphere 7.0 Update 3 and Later Supervisors
For newly-created Supervisors on a vSphere 7.0 Update 3 and later environment, HTTP proxy settings are inherited from vCenter Server. No matter if you create the Supervisors before or after you configure HTTP proxy settings on vCenter Server, the settings are inherited by the clusters.
See Configure the DNS, IP Address, and Proxy Settings to learn how to configure the HTTP proxy settings on vCenter Server.
You can also override the inherited HTTP proxy configuration on individual Supervisors through the vSphere Client, Cluster Management API, or DCLI.
Since inheriting the vCenter Server proxy settings is the default configuration for newly-created vSphere 7.0.3 Supervisors, you can also use the Cluster Management API or DCLI to not inherit any HTTP proxy settings in case the Supervisors don't require a proxy, but vCenter Server still does.
Configuring Proxy Settings on Supervisors Upgraded to vSphere 7.0 Update 3 and Later
If you have upgraded your Supervisors to vSphere 7.0 Update 3 and later, the HTTP proxy settings of vCenter Server are not automatically inherited. In that case, you configure proxy settings on Supervisors by using the vSphere Client, the vcenter/namespace-management/clusters API, or the DCLI command line.
Configuring HTTP Proxy to TKG Clusters in vSphere IaaS control plane
- Configure proxy settings to individual TKG clusters. See Configuration Parameters for Provisioning Tanzu Kubernetes Clusters Using the Tanzu Kubernetes Grid Service v1alpha2 API. For an example configuration YAML, see Example YAML for Provisioning a Custom Tanzu Kubernetes Cluster Using the Tanzu Kubernetes Grid Service v1alpha2 API.
- Create a global proxy configuration that will be applied to all TKG clusters. See Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha2 API.
Configure HTTP Proxy Setting on the Supervisor by Using the vSphere Client
Check out how to configure HTTP proxy settings on the Supervisor through the vSphere Client. You can override the proxy settings inherited from vCenter Server on individual Supervisors or select not to use any proxy settings at all.
Prerequisites
- Verify that you have the Modify cluster-wide configuration privilege on the cluster.
Procedure
- In the vSphere Client, navigate to Workload Management.
- Under Supervisors, select the Supervisor, and select Configure.
- Select Network, expand Proxy Configuration, and click Edit.
- Select Configure proxy settings on Supervisor and enter the proxy settings.
Option | Description |
---|---|
TLS Certificate | The proxy TLS root CA bundle which is used to verify the proxy's certificates. Enter the bundle in plain text. |
Hosts and IP addresses excluded from proxy | A comma separated list of IPv4 addresses, FQDNs, or domain names that do not require the proxy server and can be accessed directly. |
HTTPS Configuration | HTTPS settings such as URL, port, user name, and password. |
HTTP Configuration | HTTP settings such as URL, port, user name, and password. |
- Click OK.
Results
Using the Cluster Management API and DCLI to Configure HTTP Proxy to Supervisors
You can configure the Supervisor proxy settings through the vcenter/namespace-management/clusters API or DCLI.
API Setting | Newly-Created vSphere 7.0.3 and Later Supervisors | Supervisors Upgraded to vSphere 7.0.3 and Later |
---|---|---|
VC_INHERITED | This is the default setting for new Supervisors, so you don't have to use the API to configure the Supervisor proxy settings. You can just configure proxy settings on vCenter Server through its management interface. | Use this setting to push the HTTP proxy configuration to Supervisors upgraded to vSphere 7.0.3 and later. |
CLUSTER_CONFIGURED | Use this setting to override the HTTP proxy configuration inherited from vCenter Server in one of the following cases: | Use this setting to configure HTTP proxy to individual Supervisors upgraded to vSphere 7.0.3 and later in one of the following cases: |
NONE | Use this setting when the Supervisor has direct connectivity to the internet while vCenter Server requires a proxy. The NONE setting prevents the proxy settings of vCenter Server from being inherited by Supervisors. |
To set an HTTP proxy to a Supervisor or modify the existing settings, use the following commands in an SSH session with vCenter Server:
vc_address=<IP address>
cluster_id=domain-c<number>
session_id=$(curl -ksX POST --user '<SSO user name>:<password>' https://$vc_address/api/session | xargs -t)
curl -k -X PATCH \
  -H "vmware-api-session-id: $session_id" \
  -H "Content-Type: application/json" \
  -d '{ "cluster_proxy_config": { "proxy_settings_source": "CLUSTER_CONFIGURED", "http_proxy_config":"<proxy_url>" } }' \
  https://$vc_address/api/vcenter/namespace-management/clusters/$cluster_id
You only need to pass the domain-c<number> part of the full cluster ID. For example, take domain-c50 from the following cluster ID: ClusterComputeResource:domain-c50:5bbb510f-759f-4e43-96bd-97fd703b4edb.
When using the VC_INHERITED or NONE settings, omit "http_proxy_config":"<proxy_url>" from the command.
To use a custom CA bundle, add "tlsRootCaBundle": "<TLS_certificate>" to the command, providing the TLS CA certificate in plain text.
curl -k -X PATCH \
  -H "vmware-api-session-id: $session_id" \
  -H "Content-Type: application/json" \
  -d '{ "cluster_proxy_config": { "proxy_settings_source": "CLUSTER_CONFIGURED", "https_proxy_config":"<proxy_url>" } }' \
  https://$vc_address/api/vcenter/namespace-management/clusters/$cluster_id
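The rules above for the three proxy_settings_source values and for trimming the cluster ID, as an added shell example that is not part of the original page or of VMware's tooling. The function names cluster_moid, json_safe and proxy_patch_body are hypothetical and proxy.example.test is a constructed host; the JSON keys are the ones used in the commands on this page.

```shell
# Added example, not VMware code. Function names are hypothetical; the JSON
# keys and the three source values are the ones shown on this page.

# Reduce "ClusterComputeResource:domain-c50:<uuid>" (or a bare "domain-c50")
# to the "domain-c<number>" form used in the request path.
cluster_moid() (
  id=${1#ClusterComputeResource:}   # drop the type prefix, if present
  id=${id%%:*}                      # drop the trailing UUID, if present
  num=${id#domain-c}
  case $num in ''|*[!0-9]*) echo "bad cluster ID: $1" >&2; exit 1 ;; esac
  [ "$id" = "domain-c$num" ] || { echo "bad cluster ID: $1" >&2; exit 1; }
  printf '%s\n' "$id"
)

# True when the value can sit inside a JSON string without escaping:
# no double quote, backslash, whitespace or control character.
json_safe() {
  [ "$(printf '%s' "$1" | tr -d '"\\[:space:][:cntrl:]')" = "$1" ]
}

# Build the PATCH body for one proxy_settings_source value.
# Usage: proxy_patch_body SOURCE [HTTP_PROXY_URL] [HTTPS_PROXY_URL]
proxy_patch_body() (
  src=$1 http=${2:-} https=${3:-}
  case $src in
    VC_INHERITED|NONE)   # these sources carry no proxy URLs
      [ -z "$http$https" ] || { echo "$src takes no proxy URL" >&2; exit 1; } ;;
    CLUSTER_CONFIGURED)
      [ -n "$http$https" ] || { echo "$src needs a proxy URL" >&2; exit 1; } ;;
    *) echo "unknown proxy_settings_source: $src" >&2; exit 1 ;;
  esac
  json_safe "$http" && json_safe "$https" ||
    { echo "proxy URL has characters that need JSON escaping" >&2; exit 1; }
  fields="\"proxy_settings_source\": \"$src\""
  [ -z "$http" ]  || fields="$fields, \"http_proxy_config\": \"$http\""
  [ -z "$https" ] || fields="$fields, \"https_proxy_config\": \"$https\""
  printf '{ "cluster_proxy_config": { %s } }\n' "$fields"
)

# Constructed usage (proxy.example.test is a placeholder host):
#   body=$(proxy_patch_body CLUSTER_CONFIGURED http://proxy.example.test:3128)
#   cluster_id=$(cluster_moid "$full_cluster_id")
```

Building the body in a function keeps a pasted proxy URL from silently breaking the JSON and rejects a VC_INHERITED or NONE request that still carries a proxy URL.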
Using DCLI to Configure HTTP Proxy Settings on Supervisors
You can use the following DCLI command to configure HTTP proxy settings to Supervisors by using the CLUSTER_CONFIGURED setting.
<dcli> namespacemanagement clusters update --cluster domain-c57 --cluster-proxy-config-http-proxy-config <proxy URL> --cluster-proxy-config-https-proxy-config <proxy URL> --cluster-proxy-config-proxy-settings-source CLUSTER_CONFIGURED
Configuring HTTP Proxy Settings on the Supervisor and TKG Clusters for Tanzu Mission Control
To configure an HTTP proxy on Supervisors that you want to register as management clusters with Tanzu Mission Control, follow these steps:
- In vSphere, configure HTTP proxy on Supervisors by either inheriting the HTTP proxy settings from vCenter Server, or configuring proxy settings on individual Supervisors through the vSphere Client, Namespace Management Clusters APIs, or DCLI command line.
- In Tanzu Mission Control, create a proxy configuration object by using the proxy settings you configured on the Supervisors in vSphere IaaS control plane. See Create a Proxy Configuration Object for a Tanzu Kubernetes Grid Service Cluster.
- In Tanzu Mission Control, use this proxy configuration object when you register the Supervisors as a Management Cluster. See Register a Management Cluster with Tanzu Mission Control and Complete the Registration of a Supervisor Cluster.
To configure an HTTP proxy to TKG clusters that you provision or add as workload clusters in Tanzu Mission Control:
- Create a proxy configuration object with the proxy settings that you want to use with TKG clusters. See Create a Proxy Configuration Object for a Tanzu Kubernetes Grid Service Cluster.
- Use that proxy configuration object when you provision or add TKG clusters as workload clusters. See Provision a Cluster and Add a Workload Cluster into Tanzu Mission Control Management.