From 7d0ba8e54d6f059bff52bdab94be02abcd682dde Mon Sep 17 00:00:00 2001 From: Jason Boxman Date: Fri, 2 Oct 2020 13:57:26 -0400 Subject: [PATCH] A self signed trust bundle breaks image pulls - https://bugzilla.redhat.com/show_bug.cgi?id=1845929 --- modules/nw-proxy-configure-object.adoc | 14 +++++++------- modules/nw-proxy-remove.adoc | 3 +-- networking/enable-cluster-wide-proxy.adoc | 7 ++++--- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/nw-proxy-configure-object.adoc b/modules/nw-proxy-configure-object.adoc index c964a2598ada..4c4104284601 100644 --- a/modules/nw-proxy-configure-object.adoc +++ b/modules/nw-proxy-configure-object.adoc @@ -7,9 +7,7 @@ [id="nw-proxy-configure-object_{context}"] = Enabling the cluster-wide proxy -The Proxy object is used to manage the cluster-wide egress proxy. When a cluster is -installed or upgraded without the proxy configured, a Proxy object is still -generated but it will have a nil `spec`. For example: +The `Proxy` object is used to manage the cluster-wide egress proxy. When a cluster is installed or upgraded without the proxy configured, a `Proxy` object is still generated but it will have a nil `spec`. For example: [source,yaml] ---- @@ -24,11 +22,13 @@ status: ---- A cluster administrator can configure the proxy for {product-title} by modifying -this `cluster` Proxy object. +the `Proxy` object named `cluster`. -NOTE: Only the Proxy object named `cluster` is supported, and no additional +NOTE: Only the `Proxy` object named `cluster` is supported, and no additional proxies can be created. +IMPORTANT: When a pod pulls an image from an image registry, the use of a self-signed certificate in the trust bundle specified by the `trustCA` field is not supported. The image pull fails with an error. + .Prerequisites * Cluster administrator permissions 
@@ -58,7 +58,7 @@ metadata: <1> This data key must be named `ca-bundle.crt`. <2> One or more PEM-encoded X.509 certificates used to sign the proxy's identity certificate. -<3> The ConfigMap name that will be referenced from the Proxy object. +<3> The ConfigMap name that will be referenced from the `Proxy` object. <4> The ConfigMap must be in the `openshift-config` namespace. .. Create the ConfigMap from this file: @@ -68,7 +68,7 @@ identity certificate. $ oc create -f user-ca-bundle.yaml ---- -. Use the `oc edit` command to modify the Proxy object: +. Use the `oc edit` command to modify the `Proxy` object: + [source,terminal] ---- diff --git a/modules/nw-proxy-remove.adoc b/modules/nw-proxy-remove.adoc index a249c2165976..4f426258f9c5 100644 --- a/modules/nw-proxy-remove.adoc +++ b/modules/nw-proxy-remove.adoc @@ -5,8 +5,7 @@ [id="nw-proxy-remove_{context}"] = Removing the cluster-wide proxy -The `cluster` Proxy object cannot be deleted. To remove the proxy from a cluster, -remove all `spec` fields from the Proxy object. +The `Proxy` object named `cluster` cannot be deleted. To remove the proxy from a cluster, remove all `spec` fields from the `Proxy` object. .Prerequisites diff --git a/networking/enable-cluster-wide-proxy.adoc b/networking/enable-cluster-wide-proxy.adoc index 07b0046c8b98..d284f3bf2239 100644 --- a/networking/enable-cluster-wide-proxy.adoc +++ b/networking/enable-cluster-wide-proxy.adoc 
@@ -9,16 +9,17 @@ Production environments can deny direct access to the Internet and instead have [IMPORTANT] ==== -The cluster-wide proxy is only supported if you used a user-provisioned infrastructure installation or provide your own networking, such as a virtual private cloud or virual network, for a supported provider. +The cluster-wide proxy is supported only if you used a user-provisioned infrastructure installation or provide your own networking, such as a virtual private cloud or virtual network, for a supported provider. ==== +[id="enable-cluster-wide-proxy-prerequisites"] == Prerequisites -* Review the xref:../installing/install_config/configuring-firewall.adoc#configuring-firewall[sites that your cluster requires access to] and determine whether any of them must bypass the proxy. By default, all cluster egress traffic is proxied, including calls to the cloud provider API for the cloud that hosts your cluster. Add sites to the Proxy object's `spec.noProxy` field to bypass the proxy if necessary. +* Review the xref:../installing/install_config/configuring-firewall.adoc#configuring-firewall[sites that your cluster requires access to] and determine whether any of them must bypass the proxy. By default, all cluster egress traffic is proxied, including calls to the cloud provider API for the cloud that hosts your cluster. Add sites to the `Proxy` object `spec.noProxy` field to bypass the proxy if necessary. + [NOTE] ==== -The Proxy object's `status.noProxy` field is populated by default with the instance metadata endpoint (`169.254.169.254`) and with the values of the `networking.machineNetwork[].cidr`, `networking.clusterNetwork[].cidr`, and `networking.serviceNetwork[]` fields from your installation configuration. 
+The `Proxy` object `status.noProxy` field is populated by default with the instance metadata endpoint (`169.254.169.254`) and with the values of the `networking.machineNetwork[].cidr`, `networking.clusterNetwork[].cidr`, and `networking.serviceNetwork[]` fields from your installation configuration. ==== include::modules/nw-proxy-configure-object.adoc[leveloffset=+1]
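Review bot: in the first hunk of modules/nw-proxy-configure-object.adoc (@@ -7,9), rewrapping the opening paragraph onto a single line is inconsistent with the rest of the same hunk, where the `NOTE:` paragraph stays hard-wrapped ("and no additional" / "proxies can be created."). Either keep the file's wrapped style for the rewritten paragraph or unwrap both so the module follows one convention; the added backticks around `Proxy` are fine.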
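Review bot: the new `IMPORTANT:` admonition in the @@ -24,11 hunk of modules/nw-proxy-configure-object.adoc is ambiguous about which certificate is unsupported. Callout <2> in the following hunk describes the bundle as "PEM-encoded X.509 certificates used to sign the proxy's identity certificate", and a CA root certificate is itself self-signed, so as written the sentence reads as if any private CA in the bundle breaks image pulls. Say precisely what is meant (for example, a self-signed proxy identity certificate placed directly in the bundle instead of the CA that issued it, if that is what the linked Bugzilla describes), and replace "The image pull fails with an error" with the actual symptom so a reader can recognize it. Also double-check the field name `trustCA`: it appears nowhere else in the patch, and the `Proxy` spec field that references the ConfigMap is `trustedCA`.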
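Review bot: the @@ -58,7 hunk of modules/nw-proxy-configure-object.adoc is where the reader actually assembles `ca-bundle.crt` (callouts <1> through <4>), but the new self-signed-certificate restriction is stated only in the module introduction. Consider repeating or cross-referencing it at callout <2>, "One or more PEM-encoded X.509 certificates used to sign the proxy's identity certificate", since someone following the numbered procedure will otherwise build an unsupported bundle without seeing the warning.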
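Review bot: in the networking/enable-cluster-wide-proxy.adoc hunk, the new `[id="enable-cluster-wide-proxy-prerequisites"]` anchor is not referenced anywhere in this patch. If it is meant to let the new `IMPORTANT:` admonition in modules/nw-proxy-configure-object.adoc link back to the prerequisites, add that xref in the same patch; otherwise drop it or name the intended consumer in the commit message. Separately, dropping the possessive in "the `Proxy` object `spec.noProxy` field" and "the `Proxy` object `status.noProxy` field" leaves a noun pile-up; "the `spec.noProxy` field of the `Proxy` object" keeps the backtick convention and reads cleanly. The "virual" to "virtual" fix and the "only supported" to "supported only" reorder are good.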