Commit bfd632f

Merge pull request #74572 from AedinC/OSDOCS-10104
OSDOCS#10104: Removed warning from Networking docs as transparent forward proxies now supported in OSD/ROSA
2 parents 941c68a + 0461c0d commit bfd632f

5 files changed: +12 -29 lines changed

modules/cluster-wide-proxy-preqs.adoc

Lines changed: 0 additions & 6 deletions
@@ -86,10 +86,4 @@ When using a cluster-wide proxy, you must configure the `s3.<aws_region>.amazona
8686
|Used by the splunk-forwarder-operator as a log forwarding endpoint to be used by Red Hat SRE for log-based alerting.
8787
|===
8888
--
89-
+
90-
[IMPORTANT]
91-
====
92-
The use of a proxy server to perform TLS re-encryption is currently not supported if the server is acting as a transparent forward proxy where it is not configured on-cluster via the `--http-proxy` or `--https-proxy` arguments.
9389

94-
A transparent forward proxy intercepts the cluster traffic, but it is not actually configured on the cluster itself.
95-
====
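
Review bot: The deleted `[IMPORTANT]` block (old lines 89-95) held the only definition of a transparent forward proxy in this prerequisites module, and nothing replaces it. Since the commit title says these proxies are now supported, consider adding a short positive statement in its place: that a proxy performing TLS re-encryption without `--http-proxy` or `--https-proxy` being set is supported, and that its MITM CA certificate must be supplied in the additional trust bundle, as the other modules in this commit already say. Without that, a reader of this module alone cannot tell whether the configuration is allowed or what it requires.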

modules/configuring-a-proxy-after-installation-cli.adoc

Lines changed: 6 additions & 7 deletions
@@ -29,22 +29,21 @@ The cluster applies the proxy configuration to the control plane and compute nod
2929
$ rosa edit cluster \
3030
--cluster $CLUSTER_NAME \
3131
--additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>
32-
--http-proxy http://<username>:<password>@<ip>:<port> \ <1> <4>
33-
--https-proxy https://<username>:<password>@<ip>:<port> \ <1> <4>
34-
--no-proxy example.com <5>
32+
--http-proxy http://<username>:<password>@<ip>:<port> \ <1> <3>
33+
--https-proxy https://<username>:<password>@<ip>:<port> \ <1> <3>
34+
--no-proxy example.com <4>
3535
----
3636
+
3737
--
3838
<1> The `additional-trust-bundle-file`, `http-proxy`, and `https-proxy` arguments are all optional.
39-
<2> If you use the `additional-trust-bundle-file` argument without an `http-proxy` or `https-proxy` argument, the trust bundle is added to the trust store and used to verify cluster system egress traffic. In that scenario, the bundle is not configured to be used with a proxy.
40-
<3> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The `additionalTrustBundle` parameter is required unless the identity certificate of the proxy is signed by an authority from the {op-system} trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
39+
<2> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The `additionalTrustBundle` parameter is required unless the identity certificate of the proxy is signed by an authority from the {op-system} trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
4140
+
4241
[NOTE]
4342
====
4443
You should not attempt to change the proxy or additional trust bundle configuration on the cluster directly. These changes must be applied by using the ROSA CLI (`rosa`) or {cluster-manager-first}. Any changes that are made directly to the cluster will be reverted automatically.
4544
====
46-
<4> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
47-
<5> A comma-separated list of destination domain names, IP addresses, or network CIDRs to exclude proxying.
45+
<3> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
46+
<4> A comma-separated list of destination domain names, IP addresses, or network CIDRs to exclude proxying.
4847
+
4948
Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
5049
If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
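
Review bot: The unchanged line 31, `--additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>`, still carries callout `<3>`, but after the renumbering `<3>` is "The `http-proxy` and `https-proxy` arguments must point to a valid URL", which does not apply to the trust bundle argument. That line should be changed to `<1> <2>` so the callouts match their descriptions. Separately, the removed callout was the only text explaining that a bundle supplied without a proxy URL is added to the trust store and used to verify egress traffic; that is exactly the transparent proxy case, so consider folding one sentence of it into the new `<2>` rather than dropping it.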

modules/configuring-a-proxy-after-installation-ocm.adoc

Lines changed: 0 additions & 4 deletions
@@ -41,10 +41,6 @@ endif::openshift-dedicated[]
4141
+
4242
If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.
4343
+
44-
[NOTE]
45-
====
46-
If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy.
47-
====
4844
.. Click *Confirm*.
4945

5046
.Verification
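
Review bot: The list continuation `+` on old line 43 is kept as context, but the `[NOTE]` block it attached has been deleted, so the `+` is now followed directly by `.. Click *Confirm*.` with no block to join. Remove that `+` together with the note, as was done in `modules/osd-create-cluster-ccs.adoc` in this same commit where the preceding `+` (old line 314) is deleted with the block. Please also check the rendered output for a stray `+` or an empty attached paragraph.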

modules/configuring-a-proxy-during-installation-cli.adoc

Lines changed: 6 additions & 7 deletions
@@ -23,17 +23,16 @@ The following procedure provides details about the ROSA CLI (`rosa`) arguments t
2323
$ rosa create cluster \
2424
<other_arguments_here> \
2525
--additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>
26-
--http-proxy http://<username>:<password>@<ip>:<port> \ <1> <4>
27-
--https-proxy https://<username>:<password>@<ip>:<port> \ <1> <4>
28-
--no-proxy example.com <5>
26+
--http-proxy http://<username>:<password>@<ip>:<port> \ <1> <3>
27+
--https-proxy https://<username>:<password>@<ip>:<port> \ <1> <3>
28+
--no-proxy example.com <4>
2929
----
3030
+
3131
--
3232
<1> The `additional-trust-bundle-file`, `http-proxy`, and `https-proxy` arguments are all optional.
33-
<2> If you use the `additional-trust-bundle-file` argument without an `http-proxy` or `https-proxy` argument, the trust bundle is added to the trust store and used to verify cluster system egress traffic. In that scenario, the bundle is not configured to be used with a proxy.
34-
<3> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The `additionalTrustBundle` parameter is required unless the identity certificate of the proxy is signed by an authority from the {op-system} trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
35-
<4> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
36-
<5> A comma-separated list of destination domain names, IP addresses, or network CIDRs to exclude proxying.
33+
<2> The `additional-trust-bundle-file` argument is a file path pointing to a bundle of PEM-encoded X.509 certificates, which are all concatenated together. The `additionalTrustBundle` parameter is required unless the identity certificate of the proxy is signed by an authority from the {op-system} trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
34+
<3> The `http-proxy` and `https-proxy` arguments must point to a valid URL.
35+
<4> A comma-separated list of destination domain names, IP addresses, or network CIDRs to exclude proxying.
3736
+
3837
Preface a domain with `.` to match subdomains only. For example, `.y.com` matches `x.y.com`, but not `y.com`. Use `*` to bypass proxy for all destinations.
3938
If you scale up workers that are not included in the network defined by the `networking.machineNetwork[].cidr` field from the installation configuration, you must add them to this list to prevent connection issues.
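
Review bot: Line 25 is unchanged and still reads `--additional-trust-bundle-file <path_to_ca_bundle_file> \ <1> <2> <3>`, while `<3>` now describes the `http-proxy` and `https-proxy` URL requirement. Drop the stale `<3>` from that line so it reads `<1> <2>`. The `rosa create cluster` example should also be checked in the rendered output, since the callout list below it now has four entries and the command references must line up with them.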

modules/osd-create-cluster-ccs.adoc

Lines changed: 0 additions & 5 deletions
@@ -311,11 +311,6 @@ endif::osd-on-aws[]
311311
** In the *Additional trust bundle* field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required unless the identity certificate for the proxy is signed by an authority from the {op-system-first} trust bundle.
312312
+
313313
If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.
314-
+
315-
[NOTE]
316-
====
317-
If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy.
318-
====
319314
.. Click *Next*.
320315
--
321316
+
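
Review bot: With the `[NOTE]` at old lines 315-318 removed, the *Additional trust bundle* step no longer says what happens when a bundle is uploaded and the HTTP and HTTPS proxy URL fields are left empty. The remaining sentence on line 313 implies this is the transparent proxy setup ("does not require additional proxy configuration"), but it is worth stating outright that the proxy URL fields can stay blank in that case and that the bundle is still added to the trusted certificate store for the cluster nodes, so users do not assume a proxy URL is mandatory.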
