The ExternalDNS Operator can work in an environment with a cluster-wide egress proxy set up. There is some configuration to be done to make the operator aware of the proxy:

- The operator container's environment has to be populated with one (or all) of the following variables: `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`.
- If the proxy uses a custom TLS certificate authority (CA), the CA certificate has to be put into a configmap and passed to the operator via the `--trusted-ca-configmap` flag.
The ExternalDNS Operator doesn't need the proxy settings on its own because it doesn't interact with DNS providers. However, it has to propagate the proxy settings and CA certificate down to its operand: the ExternalDNS instance.
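To see what the propagated variables mean for the operand, the following added example (not code from the operator project) models how a Go HTTP client such as ExternalDNS decides whether a destination goes through `HTTP_PROXY`/`HTTPS_PROXY` or bypasses the proxy via `NO_PROXY`. It follows the matching rules of Go's `golang.org/x/net/http/httpproxy` package in simplified form (entries carry no port; IP literals are compared only with IP/CIDR entries). `OPERATOR_ENV` is a constructed dict holding the values this page sets; `bypasses_proxy` and `proxy_for` are hypothetical helper names.

```python
"""Model of how a Go HTTP client (ExternalDNS is written in Go) consults
HTTP_PROXY / HTTPS_PROXY / NO_PROXY. Simplified from Go's httpproxy rules:
no per-entry ports, and IP literals are only matched against IP/CIDR entries."""
import ipaddress


def bypasses_proxy(host, no_proxy):
    """True if a request to `host` goes direct, i.e. NO_PROXY matched it."""
    host = host.strip().lower()
    if host == "localhost":
        return True
    ip = None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        pass
    if ip is not None and ip.is_loopback:
        return True
    for raw in no_proxy.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry == "*":                        # "*" disables the proxy entirely
            return True
        if ip is not None:
            try:                                # "10.0.0.0/8", or a bare IP (= /32)
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass                            # domain entry: not compared with IPs
            continue
        # Domain entry. "*.y.com" is the same as ".y.com". A leading dot matches
        # subdomains only; without it, the exact name also matches.
        if entry.startswith("*."):
            entry = entry[1:]
        match_host = not entry.startswith(".")
        if match_host:
            entry = "." + entry
        if host.endswith(entry) or (match_host and host == entry[1:]):
            return True
    return False


def proxy_for(url_scheme, host, env):
    """Return the proxy URL used for scheme://host, or None for a direct
    connection. `env` is a dict shaped like os.environ."""
    if bypasses_proxy(host, env.get("NO_PROXY", "")):
        return None
    key = "HTTPS_PROXY" if url_scheme == "https" else "HTTP_PROXY"
    return env.get(key) or None


# Constructed sample: the variables this page sets on the operator deployment.
OPERATOR_ENV = {
    "HTTP_PROXY": "http://myproxy.net",
    "HTTPS_PROXY": "https://myproxy.net",
    "NO_PROXY": ".cluster.local,.svc",
}

if __name__ == "__main__":
    for host in ("kubernetes.default.svc", "route53.amazonaws.com", "cluster.local"):
        print(host, "->", proxy_for("https", host, OPERATOR_ENV))
```

With `NO_PROXY=.cluster.local,.svc`, in-cluster service names such as `kubernetes.default.svc` go direct, while a DNS provider's API endpoint goes through `HTTPS_PROXY`; note that the leading dot means `cluster.local` itself is not exempted. That provider traffic is why the proxy CA has to reach the operand, not just the operator.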
- Set HTTP proxy URLs for the operator's deployment:

  ```sh
  kubectl -n external-dns-operator set env deployment/external-dns-operator HTTP_PROXY=http://myproxy.net HTTPS_PROXY=https://myproxy.net NO_PROXY=.cluster.local,.svc
  ```

- Create a configmap containing the PEM-encoded proxy CA certificate in the `external-dns-operator` namespace:

  ```sh
  kubectl -n external-dns-operator create configmap trusted-ca --from-file=ca-bundle.crt=/path/to/ca/certificate.pem
  ```

- Patch the operator's deployment to reference the configmap created in the previous step:

  ```sh
  # "external-dns-operator" container is patched (first number: 0)
  # "TRUSTED_CA_CONFIGMAP_NAME" environment variable is patched (second number: 2)
  kubectl -n external-dns-operator patch deployment external-dns-operator --type='json' -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/2/value", "value":"trusted-ca"}]'
  ```
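The JSON patch above hard-codes the container index (`0`) and the env index (`2`); if the deployment has a sidecar first or its env list is ordered differently, the same patch silently rewrites a different variable. The following added example (not from the operator project) builds the patch by looking the container and `TRUSTED_CA_CONFIGMAP_NAME` up by name, applies it locally to confirm the result, and prints the equivalent `kubectl patch` command. `SAMPLE_DEPLOYMENT` is a constructed, trimmed-down Deployment whose container and env ordering are assumptions; `trusted_ca_patch`, `apply_patch`, `env_value` and `kubectl_patch_command` are hypothetical helper names.

```python
"""Emit a JSON patch that sets TRUSTED_CA_CONFIGMAP_NAME by looking the
container and variable up by name instead of hard-coding array indexes."""
import copy
import json

VAR = "TRUSTED_CA_CONFIGMAP_NAME"

# Constructed sample (not the operator's real manifest): the sidecar name
# and the env ordering are assumptions made to show why indexes are fragile.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "external-dns-operator",
                 "namespace": "external-dns-operator"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "kube-rbac-proxy", "env": []},   # hypothetical sidecar at index 0
        {"name": "external-dns-operator", "env": [
            {"name": "HTTP_PROXY", "value": "http://myproxy.net"},
            {"name": "HTTPS_PROXY", "value": "https://myproxy.net"},
            {"name": "NO_PROXY", "value": ".cluster.local,.svc"},
            {"name": VAR, "value": ""},
        ]},
    ]}}},
}


def trusted_ca_patch(deployment, configmap_name, container="external-dns-operator"):
    """Return an RFC 6902 patch pointing VAR at configmap_name.

    An existing VAR is replaced in place; otherwise the variable is appended
    to the container's env list ("-" addresses the end of a JSON array).
    """
    containers = deployment["spec"]["template"]["spec"]["containers"]
    for ci, c in enumerate(containers):
        if c["name"] != container:
            continue
        base = f"/spec/template/spec/containers/{ci}/env"
        for ei, e in enumerate(c.get("env", [])):
            if e["name"] == VAR:
                return [{"op": "replace", "path": f"{base}/{ei}/value",
                         "value": configmap_name}]
        if "env" not in c:                      # container has no env list yet
            return [{"op": "add", "path": base,
                     "value": [{"name": VAR, "value": configmap_name}]}]
        return [{"op": "add", "path": f"{base}/-",
                 "value": {"name": VAR, "value": configmap_name}}]
    raise ValueError(f"container {container!r} not found in deployment")


def apply_patch(doc, patch):
    """Minimal RFC 6902 applier for the 'add'/'replace' ops produced above
    (no '~0'/'~1' pointer escapes, which these paths never contain)."""
    doc = copy.deepcopy(doc)
    for op in patch:
        *parents, last = op["path"].lstrip("/").split("/")
        node = doc
        for p in parents:
            node = node[int(p)] if isinstance(node, list) else node[p]
        if isinstance(node, list):
            if last == "-":
                node.append(op["value"])
            elif op["op"] == "add":
                node.insert(int(last), op["value"])
            else:
                node[int(last)] = op["value"]
        else:
            node[last] = op["value"]            # 'add' on an existing key replaces it
    return doc


def env_value(deployment, name, container="external-dns-operator"):
    """Read one env var's value from the named container, or None."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c["name"] == container:
            return {e["name"]: e.get("value") for e in c.get("env", [])}.get(name)
    return None


def kubectl_patch_command(patch, namespace="external-dns-operator",
                          deployment="external-dns-operator"):
    """Render the kubectl invocation that applies `patch` server-side."""
    return (f"kubectl -n {namespace} patch deployment {deployment} "
            f"--type='json' -p='{json.dumps(patch)}'")


if __name__ == "__main__":
    patch = trusted_ca_patch(SAMPLE_DEPLOYMENT, "trusted-ca")
    print(kubectl_patch_command(patch))
    print(VAR, "=", env_value(apply_patch(SAMPLE_DEPLOYMENT, patch), VAR))
```

In practice the input would be `kubectl -n external-dns-operator get deployment external-dns-operator -o json`; after running the printed command, `env_value` on the re-fetched deployment is the check that the right variable was set.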
If a global proxy is configured on the OpenShift cluster, OLM automatically configures Operators with cluster-wide proxy settings: the `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` environment variables are added to the ExternalDNS Operator's deployment.

- Create a configmap for the proxy CA certificate in the `external-dns-operator` namespace:

  ```sh
  oc -n external-dns-operator create configmap trusted-ca
  oc -n external-dns-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true
  ```

- Add `spec.config.env` with the name of the configmap created in the previous step to your subscription created by OperatorHub:

  ```sh
  oc -n external-dns-operator patch subscription external-dns-operator --type='json' -p='[{"op": "add", "path": "/spec/config", "value":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}]}}]'
  ```
You can use the following steps after the `external-dns-operator` namespace has been created and before the operator deployment has been created.

- Create a configmap for the proxy CA certificate in the `external-dns-operator` namespace:

  ```sh
  oc -n external-dns-operator create configmap trusted-ca
  oc -n external-dns-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true
  ```

- Create the `Subscription` object:

  ```sh
  cat <<EOF | oc apply -f -
  apiVersion: operators.coreos.com/v1alpha1
  kind: Subscription
  metadata:
    name: external-dns-operator
    namespace: external-dns-operator
  spec:
    channel: stable-v1
    name: external-dns-operator
    source: external-dns-operator
    sourceNamespace: openshift-marketplace
    config:
      env:
      - name: TRUSTED_CA_CONFIGMAP_NAME
        value: trusted-ca
  EOF
  ```