Check out how to configure HTTP proxy settings on the Supervisor and TKG clusters, and the workflow for configuring a proxy when you register the Supervisor and TKG clusters with Tanzu Mission Control.

You can configure a proxy to the Supervisor through the vSphere Client, the Cluster Management API, or DCLI commands. You can use a proxy if you need to handle container traffic or image pulling from networks external to the Supervisor. For on-premises Supervisors that you register as management clusters in Tanzu Mission Control, you use an HTTP proxy for image pulling and container traffic.

Configuring Proxy Settings on Newly-Created vSphere 7.0 Update 3 and Later Supervisors

For newly-created Supervisors on a vSphere 7.0 Update 3 and later environment, HTTP proxy settings are inherited from vCenter Server. The clusters inherit the settings regardless of whether you create the Supervisors before or after you configure HTTP proxy settings on vCenter Server.

See Configure the DNS, IP Address, and Proxy Settings to learn how to configure the HTTP proxy settings on vCenter Server.

You can also override the inherited HTTP proxy configuration on individual Supervisors through the vSphere Client, Cluster Management API, or DCLI.

Since inheriting the vCenter Server proxy settings is the default configuration for newly-created vSphere 7.0.3 Supervisors, you can also use the Cluster Management API or DCLI to not inherit any HTTP proxy settings in case the Supervisors don't require a proxy, but vCenter Server still does.

Configuring Proxy Settings on Supervisors Upgraded to vSphere 7.0 Update 3 and Later

If you have upgraded your Supervisors to vSphere 7.0 Update 3 and later, the HTTP proxy settings of vCenter Server are not automatically inherited. In that case, you configure proxy settings on Supervisors by using the vSphere Client, vcenter/namespace-management/clusters API, or DCLI command line.

Configuring HTTP Proxy to TKG Clusters in vSphere IaaS control plane

Use one of the following methods to configure a proxy to your Tanzu Kubernetes clusters in vSphere IaaS control plane:
Note: If you use Tanzu Mission Control to manage your TKG clusters, you do not have to configure proxy settings through the cluster YAML file in vSphere IaaS control plane. You can configure proxy settings when you add the TKG clusters as workload clusters to Tanzu Mission Control.

Configure HTTP Proxy Setting on the Supervisor by Using the vSphere Client

Check out how to configure HTTP proxy settings on the Supervisor through the vSphere Client. You can override the proxy settings inherited from vCenter Server on individual Supervisors or select not to use any proxy settings at all.

Prerequisites

  • Verify that you have the Modify cluster-wide configuration privilege on the cluster.

Procedure

  1. In the vSphere Client, navigate to Workload Management.
  2. Under Supervisors, select the Supervisor, and select Configure.
  3. Select Network, expand Proxy Configuration, and click Edit.
  4. Select Configure proxy settings on Supervisor and enter the proxy settings.

     Option: Description
     TLS Certificate: The proxy TLS root CA bundle, which is used to verify the proxy's certificates. Enter the bundle in plain text.
     Hosts and IP addresses excluded from proxy: A comma-separated list of IPv4 addresses, FQDNs, or domain names that do not require the proxy server and can be accessed directly.
     HTTPS Configuration: HTTPS settings such as URL, port, user name, and password.
     HTTP Configuration: HTTP settings such as URL, port, user name, and password.

  5. Click OK.

Results

The proxy settings you configured on this Supervisor override the settings inherited from vCenter Server.

Using the Cluster Management API and DCLI to Configure HTTP Proxy to Supervisors

You can configure the Supervisor proxy settings through the vcenter/namespace-management/clusters API or DCLI.

The API provides three options for proxy configuration on the Supervisor:

API Setting: VC_INHERITED

  • Newly-Created vSphere 7.0.3 and Later Supervisors: This is the default setting for new Supervisors, and you don't have to use the API to configure the Supervisor proxy settings. You can just configure proxy settings on vCenter Server through its management interface.
  • Supervisors Upgraded to vSphere 7.0.3 and Later: Use this setting to push the HTTP proxy configuration to Supervisors upgraded to vSphere 7.0.3 and later.

API Setting: CLUSTER_CONFIGURED

  • Newly-Created vSphere 7.0.3 and Later Supervisors: Use this setting to override the HTTP proxy configuration inherited from vCenter Server in one of the following cases:
      • A Supervisor resides on a different subnet than vCenter Server and a different proxy server is required.
      • The proxy server uses custom CA bundles.
  • Supervisors Upgraded to vSphere 7.0.3 and Later: Use this setting to configure HTTP proxy to individual Supervisors upgraded to vSphere 7.0.3 and later in one of the following cases:
      • You cannot use the vCenter Server proxy because the Supervisor resides on a different subnet than vCenter Server and a different proxy server is required.
      • The proxy server uses custom CA bundles.

API Setting: NONE

Use this setting when the Supervisor has direct connectivity to the internet while vCenter Server requires a proxy. The NONE setting prevents the proxy settings of vCenter Server from being inherited by Supervisors.

To set an HTTP proxy to a Supervisor or modify the existing settings, use the following commands in an SSH session with vCenter Server:

vc_address=<IP address>
cluster_id=domain-c<number>
session_id=$(curl -ksX POST --user '<SSO user name>:<password>' https://$vc_address/api/session | xargs -t)
curl -k -X PATCH -H "vmware-api-session-id: $session_id" -H "Content-Type: application/json" -d '{ "cluster_proxy_config": { "proxy_settings_source": "CLUSTER_CONFIGURED", "http_proxy_config":"<proxy_url>" } }' https://$vc_address/api/vcenter/namespace-management/clusters/$cluster_id

You only need to pass the domain-c<number> portion of the full cluster ID. For example, take domain-c50 from the following cluster ID: ClusterComputeResource:domain-c50:5bbb510f-759f-4e43-96bd-97fd703b4edb.

When using the VC_INHERITED or NONE settings, omit "http_proxy_config":"<proxy_url>" from the command.

To use a custom CA bundle, add a "tlsRootCaBundle": "<TLS_certificate>" to the command by providing the TLS CA certificate in plain text.

For HTTPS proxy settings, use the following command:

curl -k -X PATCH -H "vmware-api-session-id: $session_id" \
  -H "Content-Type: application/json" \
  -d '{ "cluster_proxy_config": { "proxy_settings_source": "CLUSTER_CONFIGURED", "https_proxy_config":"<proxy_url>" } }' \
  https://$vc_address/api/vcenter/namespace-management/clusters/$cluster_id
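
The two rules above (pass only domain-c<number>, and omit the proxy URL for VC_INHERITED and NONE) can be enforced before the PATCH is sent. The following shell helpers are an added example, not VMware's code: the function names, the URL allow-list, and the proxy.example.test address are assumptions of this example, and nothing here contacts vCenter Server.

```shell
#!/bin/sh
# Added example: build and validate the PATCH body offline.

# Print domain-c<number> from a short or full cluster ID
# (ClusterComputeResource:domain-c50:<uuid> -> domain-c50).
cluster_short_id() {
    id=${1#ClusterComputeResource:}   # drop the type prefix, if present
    id=${id%%:*}                      # drop the trailing :<uuid>, if present
    case $id in
        domain-c|domain-c*[!0-9]*) echo "not a cluster ID: $1" >&2; return 1 ;;
        domain-c*) printf '%s\n' "$id" ;;
        *) echo "not a cluster ID: $1" >&2; return 1 ;;
    esac
}

# Accept only http(s) URLs made of characters that need no JSON escaping,
# so a pasted value cannot close the string and add extra keys to the body.
valid_proxy_url() {
    case $1 in
        http://?*|https://?*) ;;
        *) return 1 ;;
    esac
    case ${1#*://} in
        *[!A-Za-z0-9._~:@%/-]*) return 1 ;;
    esac
}

# Usage: build_proxy_body <source> [http_proxy_url] [https_proxy_url]
build_proxy_body() {
    src=$1 http=${2:-} https=${3:-}
    case $src in
        VC_INHERITED|NONE)   # these two sources take no proxy URL
            [ -z "$http$https" ] || { echo "$src takes no proxy URL" >&2; return 1; }
            printf '{ "cluster_proxy_config": { "proxy_settings_source": "%s" } }\n' "$src"
            return 0 ;;
        CLUSTER_CONFIGURED) ;;
        *) echo "unknown proxy_settings_source: $src" >&2; return 1 ;;
    esac
    [ -n "$http$https" ] || { echo "CLUSTER_CONFIGURED needs a proxy URL" >&2; return 1; }
    fields=
    for pair in "http_proxy_config=$http" "https_proxy_config=$https"; do
        key=${pair%%=*} url=${pair#*=}
        [ -n "$url" ] || continue
        valid_proxy_url "$url" || { echo "rejected URL for $key" >&2; return 1; }
        fields="$fields, \"$key\": \"$url\""
    done
    printf '{ "cluster_proxy_config": { "proxy_settings_source": "%s"%s } }\n' "$src" "$fields"
}
```

Pass the result to the PATCH command with -d "$(build_proxy_body CLUSTER_CONFIGURED <proxy_url>)". The curl commands on this page use -k, which skips verification of the vCenter Server certificate; where the vCenter Server CA certificate is available, curl's --cacert option verifies it instead.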

Using DCLI to Configure HTTP Proxy Settings on Supervisors

You can use the following DCLI command to configure HTTP proxy settings to Supervisors by using the CLUSTER_CONFIGURED setting.

<dcli> namespacemanagement clusters update --cluster domain-c57 --cluster-proxy-config-http-proxy-config <proxy URL> --cluster-proxy-config-https-proxy-config <proxy URL> --cluster-proxy-config-proxy-settings-source CLUSTER_CONFIGURED

Configuring HTTP Proxy Settings on the Supervisor and TKG Clusters for Tanzu Mission Control

To configure an HTTP proxy on Supervisors that you want to register as management clusters with Tanzu Mission Control, follow these steps:

  1. In vSphere, configure HTTP proxy on Supervisors by either inheriting the HTTP proxy settings from vCenter Server, or configuring proxy settings on individual Supervisors through the vSphere Client, Namespace Management Clusters APIs, or DCLI command line.
  2. In Tanzu Mission Control, create a proxy configuration object by using the proxy settings you configured on the Supervisors in vSphere IaaS control plane. See Create a Proxy Configuration Object for a Tanzu Kubernetes Grid Service Cluster.
  3. In Tanzu Mission Control, use this proxy configuration object when you register the Supervisors as a Management Cluster. See Register a Management Cluster with Tanzu Mission Control and Complete the Registration of a Supervisor Cluster.

To configure an HTTP proxy to TKG clusters that you provision or add as workload clusters in Tanzu Mission Control:

  1. Create a proxy configuration object with the proxy settings that you want to use with Tanzu Kubernetes clusters. See Create a Proxy Configuration Object for a Tanzu Kubernetes Grid Service Cluster.
  2. Use that proxy configuration object when you provision or add Tanzu Kubernetes clusters as workload clusters. See Provision a Cluster and Add a Workload Cluster into Tanzu Mission Control Management.