IBM Cloud Private installation behind an HTTP proxy
IBM Cloud Private requires Docker. You must manually install Docker on your boot node. You can either manually install Docker on the rest of your cluster nodes, or the installer can automatically install Docker.
If you installed Docker manually, follow these steps to install IBM Cloud Private behind an HTTP proxy.

- Create the docker.service.d/ folder. On all nodes (boot, master, management, proxy, worker, and VA nodes), run the following command:

      sudo mkdir -p /etc/systemd/system/docker.service.d

- Create the docker.service.d/http-proxy.conf file and add the following variables: HTTP_PROXY, HTTPS_PROXY and NO_PROXY.

      sudo vi /etc/systemd/system/docker.service.d/http-proxy.conf

      [Service]
      Environment="HTTP_PROXY=http://1.2.3.4:3128" "HTTPS_PROXY=http://1.2.3.4:3128" "NO_PROXY=localhost,127.0.0.1,<cluster_CA_domain>,<ICP ip address/range>"
  Note: The NO_PROXY entry dictates that no proxy should be used for the IBM Cloud Private Docker private registry. <cluster_CA_domain> is the certificate authority (CA) domain that was set in the config.yaml file during installation. Change <ICP ip address/range> to the IP address range of your ICP nodes, for example, 192.168.1.0/24. This is to make sure that Docker doesn't use the proxy for inter-Docker communications.

- Restart Docker using the following commands:

      sudo systemctl daemon-reload
      sudo systemctl restart docker
- Customize the IBM Cloud Private config.yaml file: set the tiller_http_proxy and tiller_https_proxy parameters. This configures the Helm tiller daemon proxy settings to populate the IBM Cloud Private App Catalog.

      sudo vi /<installation_directory>/cluster/config.yaml

      # Licensed Materials - Property of IBM
      # @ Copyright IBM Corp. 2017 All Rights Reserved
      # US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
      ---
      ## Network Settings
      network_type: calico

      ## Network in IPv4 CIDR format
      network_cidr: 10.1.0.0/16

      ## Kubernetes Settings
      service_cluster_ip_range: 10.0.0.1/24
      ...
      tiller_http_proxy: http://1.2.3.4:3128
      tiller_https_proxy: http://1.2.3.4:3128
      ...
      helm-api:
        helmapi:
          env:
            NO_PROXY: "{{ [cluster_external_address, cluster_internal_address, cluster_CA_domain, 'mongodb', 'platform-identity-provider', 'platform-identity-management', 'icp-management-ingress', 'iam-pap','localhost', '127.0.0.1'] | unique | join(',') }}"
      ...
- Add the iam-pap parameter to the NO_PROXY setting of the helm-api item of the config.yaml file. It should look similar to the following example:

      helm-api:
        helmapi:
          env:
            NO_PROXY: "{{ [cluster_external_address, cluster_internal_address, cluster_CA_domain, 'mongodb', 'platform-identity-provider', 'platform-identity-management', 'icp-management-ingress', 'iam-pap','localhost', '127.0.0.1'] | unique | join(',') }}"

  Now, continue the IBM Cloud Private installation process normally. From the IBM Cloud Private management console, check Catalog.

Automatic installation of Docker using IBM Cloud Private
If you installed Docker on your boot node manually and you haven't installed it on your other cluster nodes, you’re deploying Docker automatically using the IBM Cloud Private installer. Follow the steps to install IBM Cloud Private behind an HTTP proxy.
- Uncomment the following Docker environment variables in your config.yaml file:

      ## Docker environment setup
      docker_env:
        - HTTP_PROXY=http://1.2.3.4:3128
        - HTTPS_PROXY=http://1.2.3.4:3128
        - NO_PROXY=localhost,127.0.0.1,{{ cluster_CA_domain }}

      ## Install/upgrade docker version
- Customize the IBM Cloud Private config.yaml file: set the tiller_http_proxy and tiller_https_proxy parameters, as shown in the following example:

      sudo vi /<installation_directory>/cluster/config.yaml

      # Licensed Materials - Property of IBM
      # IBM Cloud private
      # @ Copyright IBM Corp. 2017 All Rights Reserved
      # US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
      ---
      ## Network Settings
      network_type: calico

      ## Network in IPv4 CIDR format
      network_cidr: 10.1.0.0/16

      ## Kubernetes Settings
      service_cluster_ip_range: 10.0.0.1/24
      ...
      tiller_http_proxy: http://1.2.3.4:3128
      tiller_https_proxy: http://1.2.3.4:3128
      ...
      helm-api:
        helmapi:
          env:
            NO_PROXY: "{{ [cluster_external_address, cluster_internal_address, cluster_CA_domain, 'mongodb', 'platform-identity-provider', 'platform-identity-management', 'icp-management-ingress', 'iam-pap','localhost', '127.0.0.1'] | unique | join(',') }}"
      ...

  Now, continue the IBM Cloud Private installation process normally. From the IBM Cloud Private management console, check Catalog.

Note: For the node that has an environment proxy, export the relevant hostname and IP address. Run the following command to export the information:

      export NO_PROXY=localhost,127.0.0.1,<cluster_CA_domain>.icp,<ICP ip address/range>

Post-installation proxy configuration
Post-installation, you can edit proxy settings of IBM Cloud Private with the following steps:
- From the IBM Cloud Private management console, go to Workloads > Deployments.
- In Deployments search for helm-api.
- Click Edit.
- Look for the following lines:

      {
        "name": "HTTP_PROXY"
      },
      {
        "name": "HTTPS_PROXY"
      },
      {
        "name": "NO_PROXY",
        "value": "<ICP cluster IP>,mycluster.icp,mongodb,platform-identity-provider,localhost,127.0.0.1"
      },

- Edit the HTTP_PROXY and HTTPS_PROXY as appropriate.

      {
        "name": "HTTP_PROXY",
        "value": "http://1.2.3.4:3128"
      },
      {
        "name": "HTTPS_PROXY",
        "value": "http://1.2.3.4:3128"
      },
      {
        "name": "NO_PROXY",
        "value": "<ICP cluster IP>,mycluster.icp,mongodb,platform-identity-provider,icp-management-ingress,iam-pap,localhost,127.0.0.1"
      },

Note: Depending on your environment, the NO_PROXY values may vary. For example, they may include Kubernetes Ingresses and Services resources. It is important that NO_PROXY is fully configured to avoid IBM Cloud Private communicating over the proxy.
- Click Submit.
- Go to Catalog to check that the Helm charts are shown.
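
The notes on this page stress that NO_PROXY must cover every internal endpoint, both in the Docker drop-in and in the helm-api deployment. The following added example (not IBM's code) checks a NO_PROXY value against a list of internal targets and returns those that would still be sent through the proxy. The matching model (exact name, domain suffix, IP literal, CIDR) and the sample addresses are assumptions; individual clients may match NO_PROXY differently.

```python
import ipaddress
import shlex

# Constructed sample: the drop-in from the manual Docker steps, with the
# placeholders filled by made-up values (mycluster.icp, 192.168.1.0/24).
SAMPLE_DROPIN = """[Service]
Environment="HTTP_PROXY=http://1.2.3.4:3128" "HTTPS_PROXY=http://1.2.3.4:3128" "NO_PROXY=localhost,127.0.0.1,mycluster.icp,192.168.1.0/24"
"""

def parse_dropin_env(text):
    """Return {name: value} from the Environment= lines of a systemd drop-in."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Environment="):
            for item in shlex.split(line[len("Environment="):]):
                name, _, value = item.partition("=")
                env[name] = value
    return env

def bypasses_proxy(host, no_proxy):
    """Assumed matching model: exact name, domain suffix, IP literal or CIDR."""
    host = host.lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if addr is None:
            if host == entry or host.endswith("." + entry.lstrip(".")):
                return True
            continue
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            pass  # a hostname entry never matches an IP target
    return False

def proxied_targets(no_proxy, targets):
    """Return the targets that would still be sent through the proxy."""
    return [t for t in targets if not bypasses_proxy(t, no_proxy)]

if __name__ == "__main__":
    docker_no_proxy = parse_dropin_env(SAMPLE_DROPIN)["NO_PROXY"]
    # Constructed node addresses; 192.168.2.15 lies outside the listed range.
    print(proxied_targets(docker_no_proxy, ["mycluster.icp", "192.168.1.10", "192.168.2.15"]))
```

Run against the helm-api NO_PROXY value as it appears before the edit in the post-installation steps, the same check reports iam-pap and icp-management-ingress as still proxied.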