IBM Cloud Private Installation Behind a Proxy

Haytham Elkhoja
Published in IBM Cloud · 4 min read · May 3, 2018

Following our last post, IBM Cloud Private Offline Installation, we had many questions around how to deploy and make IBM Cloud Private work behind a restrictive HTTP Proxy.

The main issue is how to let Docker work behind a proxy server during a docker pull. The other issue is around Helm tiller and making it work behind a proxy to populate the App Catalog.

Note 1: If you’ve already deployed IBM Cloud Private and want to configure proxy settings post-installation, jump to the end of this article.

Note 2: This article has been updated for IBM Cloud Private 2.1.0.3

Goal:

  • Demonstrate how to install and deploy IBM Cloud Private behind a proxy, which is very common in an enterprise environment.

Assumptions and guidance:

  • You have a common understanding of IBM Cloud Private. Please review the overview, architecture and components sections of the IBM Cloud Private documentation in IBM Knowledge Center.
  • You’re on Red Hat Enterprise Linux 7.4 and IBM Cloud Private 2.1.0.2 or 2.1.0.3.
  • You are a root user. If not, all operations in this article should be performed by a privileged user by prepending all commands with sudo.
  • Remember to verify the target of each command in the command line prompt. Some commands need to be applied on all nodes, others on the boot node.

IBM Cloud Private HTTP Proxy Configuration

The steps below need to be applied during installation directly after installation of Docker.

1. Create the docker.service.d/ folder

On all nodes (Master, Management, Proxy and Worker nodes), run the following command:

user@allnodes.icp:~$ sudo mkdir -p /etc/systemd/system/docker.service.d

Create the docker.service.d/http-proxy.conf file and add the following variables: HTTP_PROXY, HTTPS_PROXY and NO_PROXY.

user@allnodes.icp:~$ sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf

[Service]
Environment="HTTP_PROXY=http://1.2.3.4:8080" "HTTPS_PROXY=http://1.2.3.4:8080" "NO_PROXY=localhost,127.0.0.1,mycluster.icp,<ICP ip address/range>"

Note 1: There shouldn’t be any carriage return / new line within the [Service] stanza — Environment and HTTP_PROXY and NO_PROXY are on the same line and separated by a space.

Note 2: The NO_PROXY entry dictates that no proxy should be used for IBM Cloud Private’s private Docker registry. Make sure you add docker-registry.mycluster.icp, or whatever the hostname of your private Docker registry is, and change <ICP ip address/range> to the IP address range of your ICP nodes, for example 192.168.1.0/24. This makes sure that Docker doesn’t use the proxy for inter-Docker communications.

2. Restart Docker

user@allnodes.icp:~$ sudo systemctl daemon-reload
user@allnodes.icp:~$ sudo systemctl restart docker

More information on how to configure proxy settings for Docker is available here.

Now, continue the IBM Cloud Private installation process normally until you’re about to manually edit the IBM Cloud Private config.yaml file.

3. Customize the IBM Cloud Private config.yaml file

In the config.yaml file, there are tiller_http_proxy and tiller_https_proxy entries that need to be added to configure an HTTP proxy throughout the installation:

user@bootnode.icp:~$ sudo vi /opt/ibm-cloud-private-ee-2.1.0.3/cluster/config.yaml

# Licensed Materials - Property of IBM
# IBM Cloud private
# @ Copyright IBM Corp. 2017 All Rights Reserved
# US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
---
## Network Settings
network_type: calico
## Network in IPv4 CIDR format
network_cidr: 10.1.0.0/16
## Kubernetes Settings
service_cluster_ip_range: 10.0.0.1/24
## Makes the Kubelet start if swap is enabled on the node. Remove
## this if your production env want to disable swap.
kubelet_extra_args: ["--fail-swap-on=false"]
...
tiller_http_proxy: http://1.2.3.4:8080
tiller_https_proxy: http://1.2.3.4:8080
...

If you’re deploying Docker automatically using the IBM Cloud Private Installer, add the following Docker environment variables in your config.yaml file.

## Docker Settings
docker_env: ["HTTP_PROXY=http://1.2.3.4:8080", "HTTPS_PROXY=http://1.2.3.4:8080", "NO_PROXY=localhost, 127.0.0.1, mycluster.icp, <ICP ip address/range>"]

The tiller_http_proxy and tiller_https_proxy entries configure the Helm tiller daemon proxy settings so that it can populate the IBM Cloud Private App Catalog.

Resume installation steps normally and that’s it.

After installation is complete, you can validate that the proxy entries have been correctly committed into IBM Cloud Private by accessing the /opt/ibm-cloud-private-ee-2.1.0.3/cluster/cfc-components/helm/helm-api.yaml file.

Password Protected Proxies

For password protected proxies make sure you use the following notation:

http://username:password@1.2.3.4:8080
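
A quick lint for the http-proxy.conf drop-in from step 1, as an added example that is not part of the original article or of any IBM or Docker tooling (the function names are hypothetical). It checks for a host:port proxy URL, for the required NO_PROXY entries, and, for the password notation above, that any percent-encoded character is written as %%, because systemd treats a single % in a unit file as a specifier.

```shell
#!/bin/sh
# Added example: lint a Docker systemd proxy drop-in (http-proxy.conf).
# Function names are hypothetical; this is not an IBM or Docker tool.

get_var() {  # get_var FILE NAME -> value of the quoted "NAME=value" pair
    sed -n "s/^Environment=.*\"$2=\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

valid_proxy_url() {  # scheme://[user:pass@]host:port with a numeric port
    printf '%s\n' "$1" |
        grep -Eq '^https?://([^/@[:space:]]+@)?[A-Za-z0-9.-]+:[0-9]{1,5}/?$'
}

in_no_proxy() {  # in_no_proxy LIST ENTRY -> exact match on a comma-separated item
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq -- "$2"
}

check_proxy_conf() {  # check_proxy_conf FILE [REQUIRED_NO_PROXY_ENTRY...]
    conf=$1; shift; problems=0
    grep -q '^\[Service\]' "$conf" ||
        { echo "missing [Service] header"; problems=$((problems + 1)); }
    for name in HTTP_PROXY HTTPS_PROXY; do
        url=$(get_var "$conf" "$name")
        # systemd expands % specifiers, so percent-encoded credentials need %%.
        if printf '%s\n' "$url" | sed 's/%%//g' | grep -q '%'; then
            echo "$name: write each % as %% in a unit file"; problems=$((problems + 1))
        fi
        valid_proxy_url "$(printf '%s\n' "$url" | sed 's/%%/%/g')" ||
            { echo "$name: malformed or missing URL '$url'"; problems=$((problems + 1)); }
    done
    no_proxy=$(get_var "$conf" NO_PROXY)
    for entry in localhost 127.0.0.1 "$@"; do
        in_no_proxy "$no_proxy" "$entry" ||
            { echo "NO_PROXY lacks $entry"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed sample: dotted port in HTTPS_PROXY, cluster name missing from NO_PROXY.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Service]
Environment="HTTP_PROXY=http://1.2.3.4:8080" "HTTPS_PROXY=http://1.2.3.4.8080" "NO_PROXY=localhost,127.0.0.1"
EOF
check_proxy_conf "$sample" mycluster.icp || echo "$? problem(s) found"
rm -f "$sample"
```

Once the file passes and Docker has been restarted, `systemctl show --property=Environment docker` prints the variables the daemon actually loaded.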

4. Post-Installation Proxy Configuration

You can edit proxy settings post-installation; we just need to edit a few things:

  • Go to Workloads -> Deployments.
  • In Deployments search for helm-api.
  • Click on Edit and look for the following lines:
{
"name": "HTTP_PROXY"
},
{
"name": "HTTPS_PROXY"
},
{
"name": "NO_PROXY",
"value": "<ICP cluster IP>,mycluster.icp,cloudantdb,platform-identity-provider,localhost,127.0.0.1"
},
  • Edit the HTTP_PROXY and HTTPS_PROXY as you see fit.
{
"name": "HTTP_PROXY",
"value": "http://1.2.3.4:8080"
},
{
"name": "HTTPS_PROXY",
"value": "http://1.2.3.4:8080"
},
{
"name": "NO_PROXY",
"value": "<ICP cluster IP>,mycluster.icp,cloudantdb,platform-identity-provider,icp-management-ingress,platform-auth-service,localhost,127.0.0.1"
},

Note: Depending on your environment, your NO_PROXY may vary; for example, mine included Kubernetes Ingresses and Services resources. It is important that NO_PROXY is correctly configured so that ICP nodes do not talk to each other over the proxy, which will not work.

  • Click on Submit and you’re done.

Haytham Elkhoja
IBM Cloud

Chief Architect at IBM. Posts and views are my own.