This can be used to add a proxy and/or a CA cert to guest clusters automatically. It runs as a native pod in the supervisor cluster and continuously sshes out to the guest cluster nodes to make sure they have the proxy and cert configured. When used with VDS networking the pod runs on the control plane, since native pods are unavailable there. It runs on a per-namespace basis because of limitations in the default firewall rules applied between namespaces with NSX-T. It also leverages the docker-registry running in the supervisor cluster to store the proxy-inject docker image, reducing the dependency on an internal registry existing.
NOTE: when upgrading the Supervisor Cluster it will roll the nodes, so the proxy-inject image stored on the local registry will be removed. You will need to re-run the install script to re-upload the image, otherwise you will get image pull errors.
If you are running a supervisor cluster that is v1.18.2-vsc0.0.6-17224208 or higher, please use 1.3.0 and up. If you are on an older version, use 1.2.0.
Install:
- ssh to vCenter and hop into the shell
- be sure to do a DCLI login, otherwise the script will hang waiting for a password
- copy this repo over to your vCenter
- grab `proxy-inject.tar.gz` from the releases and upload it to your vCenter VM. You can do this with scp, or if vCenter has an internet connection out, just pull it down to the VM. Copy it into the newly created repo directory
- open `env.sh` and fill in the variables. If you do not want a proxy installed and just want to add a cert, remove the proxy-specific vars and the proxy will be skipped
- if you do not want a cert added, leave out the `REG_CERT` variable and it will be skipped
- execute `install.sh`
Upgrade:
- ssh to vCenter and hop into the shell
- copy your `env.sh` out of the root repo folder
- pull down the latest release of the code base to replace the existing one
- pull down the latest release of `proxy-inject.tar.gz` to replace the existing one
- copy your `env.sh` back into the root of the repo, replacing the default one
- update any new env vars
- execute `install.sh`
All vars are set in `env.sh`:
- `VSPHERE_CLUSTER` - the vSphere cluster name that WCP is enabled on
- `DEPLOY_NS` - namespace that the proxy pod will be deployed into
- `TKC_HTTPS_PROXY` - valid http proxy that you want to use
- `TKC_HTTP_PROXY` - valid https proxy that you want to use
- `TKC_NO_PROXY` - no proxy list
- `REG_CERT` - the registry CA cert to trust an untrusted registry
- `INTERVAL` - interval to run the script
If your proxy uses auth you can add the username and password inline in the env var, e.g. `TKC_HTTPS_PROXY='http://someuser:somepassword@proxy.com'`.

If your proxy password contains a `$`, be sure to escape it. You will need to use `\\`, since the value is escaped once for the k8s manifest and once for the environment, e.g. `pa\\$sword`.
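As an added pre-flight check (example code, not part of proxy-inject; the function names are assumptions), the following POSIX sh functions verify the variables documented above before `install.sh` is run, and enforce the `\\$` rule on any credentials embedded in the proxy URLs so a bad password is caught before it reaches the manifest:

```shell
#!/bin/sh
# Added example: pre-flight check of env.sh values before running install.sh.
# Not part of proxy-inject; function names are assumptions. It relies only on
# the variable names documented in this README.

# proxy_ok URL -> 0 when URL has an http(s) scheme and any '$' inside the
# user:pass part is written as '\\$', as the README requires.
proxy_ok() {
  url=$1
  case $url in
    http://*|https://*) ;;
    *) echo "proxy '$url' must start with http:// or https://" >&2; return 1 ;;
  esac
  case $url in
    *@*)
      creds=${url#*://}   # drop the scheme
      creds=${creds%%@*}  # keep only user:pass
      # strip every correctly escaped '\\$'; any '$' left over would be
      # expanded by the shell or the k8s manifest and break the password
      left=$(printf '%s' "$creds" | sed 's/\\\\\$//g')
      case $left in
        *'$'*)
          printf '%s\n' 'unescaped $ in proxy credentials; write it as \\$' >&2
          return 1 ;;
      esac ;;
  esac
  return 0
}

# validate_env -> 0 when the current variables describe a usable env.sh:
# cluster and namespace set, something to inject, proxy URLs well-formed.
validate_env() {
  [ -n "$VSPHERE_CLUSTER" ] || { echo "VSPHERE_CLUSTER is required" >&2; return 1; }
  [ -n "$DEPLOY_NS" ] || { echo "DEPLOY_NS is required" >&2; return 1; }
  if [ -z "$TKC_HTTP_PROXY$TKC_HTTPS_PROXY$REG_CERT" ]; then
    echo "nothing to inject: set the proxy vars, REG_CERT, or both" >&2
    return 1
  fi
  for p in "$TKC_HTTP_PROXY" "$TKC_HTTPS_PROXY"; do
    [ -z "$p" ] || proxy_ok "$p" || return 1
  done
  return 0
}

# Usage (from the repo root): . ./env.sh && validate_env && ./install.sh
```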
NOTE: NOT TESTED FOR PRODUCTION USE