Merge pull request #87483 from DCChadwick/ocpbugs14361

skrthomas · web-flow · commit 72399980fb22 · 2025-01-31T16:44:11.000-05:00
OCPBUGS-14361: adding section on verifying cluster wide proxy configuration
diff --git a/modules/nw-verify-proxy-configuration.adoc b/modules/nw-verify-proxy-configuration.adoc
@@ -0,0 +1,62 @@
+// Module included in the following assemblies:
+//
+// * networking/configuring-a-custom-pki.adoc
+// * networking/enable-cluster-wide-proxy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="nw-verify-proxy-configuration_{context}"]
+= Verifying the cluster-wide proxy configuration
+
+After the cluster-wide proxy configuration is deployed, you can verify that it is working as expected. Follow these steps to check the logs and validate the implementation.
+
+.Prerequisites
+
+* You have cluster administrator permissions.
+* You have the {product-title} `oc` CLI tool installed.
+
+.Procedure
+
+. Check the proxy configuration status using the `oc` command:
++
+[source,terminal]
+----
+$ oc get proxy/cluster -o yaml
+----
+
+. Verify the proxy fields in the output to ensure they match your configuration. Specifically, check the `spec.httpProxy`, `spec.httpsProxy`, `spec.noProxy`, and `spec.trustedCA` fields.
+
+. Inspect the status of the `Proxy` object:
++
+[source,terminal]
+----
+$ oc get proxy/cluster -o jsonpath='{.status}'
+----
++
+.Example output
+[source,terminal]
+----
+{
+status:
+    httpProxy: http://user:xxx@xxxx:3128
+    httpsProxy: http://user:xxx@xxxx:3128
+    noProxy: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,localhost,test.no-proxy.com
+}
+----
+
+. Check the logs of the Machine Config Operator (MCO) to ensure that the configuration changes were applied successfully:
++
+[source,terminal]
+----
+$ oc logs -n openshift-machine-config-operator $(oc get pods -n openshift-machine-config-operator -l k8s-app=machine-config-operator -o name)
+----
+
+. Look for messages that indicate the proxy settings were applied and the nodes were rebooted if necessary.
+
+. Verify that system components are using the proxy by checking the logs of a component that makes external requests, such as the Cluster Version Operator (CVO):
++
+[source,terminal]
+----
+$ oc logs -n openshift-cluster-version $(oc get pods -n openshift-cluster-version -l k8s-app=machine-config-operator -o name)
+----
+
+. Look for log entries that show that external requests have been routed through the proxy.
diff --git a/networking/enable-cluster-wide-proxy.adoc b/networking/enable-cluster-wide-proxy.adoc
@@ -28,10 +28,12 @@ include::modules/nw-proxy-configure-object.adoc[leveloffset=+1]
 
 include::modules/nw-proxy-remove.adoc[leveloffset=+1]
 
+include::modules/nw-verify-proxy-configuration.adoc[leveloffset=+1]
+
 [discrete]
 [role="_additional-resources"]
 == Additional resources
 
-* xref:../security/certificates/updating-ca-bundle.adoc#ca-bundle-understanding_updating-ca-bundle[Replacing the CA Bundle certificate]
-* xref:../security/certificate_types_descriptions/proxy-certificates.adoc#customization[Proxy certificate customization]
+* xref:../security/certificates/updating-ca-bundle.adoc#ca-bundle-understanding_updating-ca-bundle[Understanding the CA Bundle certificate]
+* xref:../security/certificate_types_descriptions/proxy-certificates.adoc#customization[Proxy certificates]
 * link:https://access.redhat.com/solutions/7065528[How is the cluster-wide proxy setting applied to {product-title} nodes?]
