openstack/openstack-helm
Code Issues Proposed changes
openstack-helm/doc/source/troubleshooting/proxy.rst
Tin Lam 3c56cd0db9 Add proxy doc 
This patch set outlines troubleshooting details for operators
trying to use OpenStack-Helm behind a corporate firewall and
require the need of a proxy to reach the internet.

Change-Id: I6597a49cfbaa8f7e0461edf1298e724ba9dfe28b
Signed-off-by: Tin Lam <tin@irrational.io>
2018-01-10 21:24:24 -06:00

3.0 KiB
Raw Blame History

Proxy Setting

This guide is to help enterprise users who wish to deploy OpenStack-Helm behind a corporate firewall and require a corporate proxy to reach the internet.

Proxy Environment Variables

Ensure the following proxy environment variables are defined:

export http_proxy="http://username:passwrd@host:port"
export HTTP_PROXY="http://username:passwrd@host:port"
export https_proxy="https://username:passwrd@host:port"
export HTTPS_PROXY="https://username:passwrd@host:port"
export no_proxy="127.0.0.1,localhost"
export NO_PROXY="127.0.0.1,localhost"

External DNS

In tools/images/kubeadm-aio/assets/opt/playbooks/vars.yaml, under external_dns_nameservers, add the internal DNS IP addresses. These entries will overwrite the /etc/resolv.conf on the system. If your network cannot connect to the Google DNS servers, 8.8.8.8 or 8.8.4.4, the updates will fail as they cannot resolve the URLs.

Ansible Playbook

Either globally or in the tasks with pip or apt, ensure you add the following to the task:

environment:
  http_proxy: http://username:password@host:port
  https_proxy: https://username:password@host:port
  no_proxy: 127.0.0.1,localhost

Docker

Docker needs to be configured to use the proxy to pull down external images. For systemd, use a systemd drop-in directory outlined in https://docs.docker.com/engine/admin/systemd/#httphttps-proxy.

  1. Create a systemd drop-in directory for the docker service:
$ sudo mkdir -p /etc/systemd/system/docker.service.d
  1. Create a file called http-proxy.conf in the director created and add in the needed environment variable:
[Service]
Environment="HTTP_PROXY=http://username:password@host:port"
Environment="HTTPS_PROXY=https://username:password@host:port"
Environment="NO_PROXY=127.0.0.1,localhost,docker-registry.somecorporation.com"
  1. Once that's completed, flush the change:
$ systemctl daemon-reload
  1. Restart Docker:
$ systemctl restart docker
  1. Verify the configuration has been loaded:
$ systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/

Kubeadm-AIO Dockerfile

In tools/images/kubeadm-aio/Dockerfile, add the following to the Dockerfile before RUN instructions.

ENV HTTP_PROXY http://username:password@host:port
ENV HTTPS_PROXY http://username:password@host:port
ENV http_proxy http://username:password@host:port
ENV https_proxy http://username:password@host:port
ENV no_proxy 127.0.0.1,localhost,172.17.0.1
ENV NO_PROXY 127.0.0.1,localhost,172.17.0.1

Note the IP address 172.17.0.1 is the advertised IP for the kubernetes API server. Replace it with the appropriate IP if it is different.