From d4a276e5b0e4c0f909b35584c5d3f8e7f04069e8 Mon Sep 17 00:00:00 2001
From: happyfx
Date: Fri, 23 Jun 2023 16:43:34 +0300
Subject: [PATCH] feat: add option to use custome CA for https_proxy

---
 docs/proxy.md                               | 6 ++++++
 inventory/sample/group_vars/all/all.yml     | 3 ++-
 roles/kubespray-defaults/defaults/main.yaml | 6 +++++-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/docs/proxy.md b/docs/proxy.md
index 9c72019d127..aea84c18278 100644
--- a/docs/proxy.md
+++ b/docs/proxy.md
@@ -7,6 +7,12 @@ If you set http and https proxy, all nodes and loadbalancer will be excluded fro
  `http_proxy:"http://example.proxy.tld:port"`
  `https_proxy:"http://example.proxy.tld:port"`
 
+## Set custom CA
+
+CA must be already on each target nodes
+
+ `https_proxy_cert_file: /path/to/host/custom/ca.crt`
+
 ## Set default no_proxy (this will override default no_proxy generation)
 
  `no_proxy: "node1,node1_ip,node2,node2_ip...additional_host"`
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index 223b7c70bab..3c2d5a8ded9 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -52,9 +52,10 @@ loadbalancer_apiserver_healthcheck_port: 8081
 ## When openstack or vsphere are used make sure to source in the required fields
 # external_cloud_provider:
 
-## Set these proxy values in order to update package manager and docker daemon to use proxies
+## Set these proxy values in order to update package manager and docker daemon to use proxies and custom CA for https_proxy if needed
 # http_proxy: ""
 # https_proxy: ""
+# https_proxy_cert_file: ""
 
 ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 # no_proxy: ""
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index be0dff35beb..36d0187afe8 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -652,7 +652,7 @@ host_os: >-
 # Setting it to 0 allows unlimited requests per second.
 kubelet_event_record_qps: 5
 
-proxy_env:
+proxy_env_defaults:
   http_proxy: "{{ http_proxy | default ('') }}"
   HTTP_PROXY: "{{ http_proxy | default ('') }}"
   https_proxy: "{{ https_proxy | default ('') }}"
@@ -660,6 +660,10 @@ proxy_env:
   no_proxy: "{{ no_proxy | default ('') }}"
   NO_PROXY: "{{ no_proxy | default ('') }}"
 
+# If we use SSL_CERT_FILE: {{ omit }} it cause in value __omit_place_holder__ and break environments
+# Combine dict is avoiding the problem with omit placeholder. Maybe it can be better solution?
+proxy_env: "{{ proxy_env_defaults | combine({ 'SSL_CERT_FILE': https_proxy_cert_file }) if https_proxy_cert_file is defined else proxy_env_defaults }}"
+
 proxy_disable_env:
   ALL_PROXY: ''
   FTP_PROXY: ''
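Review bot: The new `proxy_env` line gates on `https_proxy_cert_file is defined`, but the sample inventory in this same patch introduces the variable as `# https_proxy_cert_file: ""`, so a user who uncomments it without filling it in will export `SSL_CERT_FILE=""` into every proxied task and, on OpenSSL-based clients, is likely to break TLS verification outright instead of leaving the default trust store in place; gate on a non-empty value instead, `proxy_env: "{{ proxy_env_defaults | combine({'SSL_CERT_FILE': https_proxy_cert_file}) if (https_proxy_cert_file | default('') | length > 0) else proxy_env_defaults }}"`. Note also that `SSL_CERT_FILE` is not scoped to the proxy: as far as I know OpenSSL (and Go) treat it as a replacement for, not an addition to, the system CA bundle for every TLS connection made under that environment, including hosts reached directly through `no_proxy`, so the file must be a full bundle (public roots plus the intercepting proxy's CA) or those direct connections will fail verification. That deserves a comment above the line, e.g. `# SSL_CERT_FILE replaces (does not extend) the default CA store for every TLS connection in this env; point it at a full bundle, not just the proxy CA.` As a style point the line is well past 120 columns; a folded scalar (`proxy_env: >-`) would keep it readable without changing the rendered value.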