This can be used to add a proxy and/or a CA cert to guest clusters automatically. It runs as a native pod in the supervisor cluster, continuously sshes out to the guest cluster nodes and makes sure they have the proxy and cert configured. It runs on a per-namespace basis because of some limitations with the default firewall rules applied between namespaces with NSX-T. It also leverages the docker-registry running in the supervisor cluster to store the proxy-inject docker image, which reduces the dependency on an internal registry existing.
Install:

- ssh to vCenter and hop into the shell
- copy this repo over to your vCenter
- grab `proxy-inject.tar.gz` from the releases and upload it to your vCenter VM. You can do this with scp, or if you have an internet connection out from vCenter, just pull it down to the VM. Copy it into the newly created repo directory
- open `env.sh` and fill in the variables. If you do not want a proxy installed and just want to add a cert, you can remove the proxy-specific vars and it will skip the proxy.
- if you do not want a cert to be added, you can leave out the `REG_CERT` variable and it will be skipped.
- execute `install.sh`
Upgrade:

- ssh to vCenter and hop into the shell
- copy your `env.sh` out of the root repo folder
- pull down the latest release of the code base to replace the existing one
- pull down the latest release of `proxy-inject.tar.gz` to replace the existing one
- copy your `env.sh` back into the root of the repo, replacing the default one
- update any new env vars
- execute `install.sh`
All vars are set in `env.sh`:

- `SV_IPS` - comma separated list of supervisor management IPs
- `DEPLOY_NS` - namespace that the proxy pod will be deployed into
- `TKC_HTTPS_PROXY` - valid http proxy that you want to use
- `TKC_HTTP_PROXY` - valid https proxy that you want to use
- `TKC_NO_PROXY` - no proxy list
- `REG_CERT` - the registry CA cert to trust an untrusted registry
- `INTERVAL` - interval to run the script
If your proxy uses auth, you can add the username and password inline in the env var, e.g.:

```
TKC_HTTPS_PROXY='http://someuser:[email protected]'
```

If your proxy password contains a `$`, be sure to escape it. You will need to use `\\`, since it needs to be escaped for the k8s manifest as well as for the environment, e.g.:

```
pa\\$sword
```
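Because a bad value in `env.sh` only shows up once the pod is already looping over the guest nodes, it is worth sanity-checking the file before running `install.sh`. The helper below is an added example, not part of proxy-inject: the variable names are the ones listed above, while the validity rules (IPv4 entries in `SV_IPS`, a numeric `INTERVAL`, a scheme on the proxy URLs, a PEM body in `REG_CERT`, and every `$` in an inline password written as `\\$`) are my assumptions. The two sample `env.sh` files are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# check_env FILE: source an env.sh and report what would break install.sh.
# Added helper (not from the proxy-inject repo); rules below are assumptions.
check_env() {
  local file="$1"
  # Source inside a subshell so one file's values never leak into the next check.
  (
    . "$file" || exit 2
    errors=0
    fail() { echo "env.sh: $1" >&2; errors=$((errors + 1)); }

    # SV_IPS: comma separated IPv4 addresses of the supervisor management VMs
    [ -n "${SV_IPS:-}" ] || fail "SV_IPS is empty"
    IFS=',' read -r -a ips <<< "${SV_IPS:-}"
    for ip in "${ips[@]}"; do
      [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || fail "SV_IPS entry '$ip' is not an IPv4 address"
    done
    [ -n "${DEPLOY_NS:-}" ] || fail "DEPLOY_NS is empty"
    [[ ${INTERVAL:-} =~ ^[0-9]+$ ]] || fail "INTERVAL must be numeric (assumed)"

    # Proxy vars are optional (no proxy is installed when absent), but when set they
    # need a scheme, and a '$' in an inline password must be written as '\\$' so it
    # survives both the k8s manifest and the shell environment.
    for var in TKC_HTTPS_PROXY TKC_HTTP_PROXY; do
      val=${!var:-}
      [ -z "$val" ] && continue
      [[ $val =~ ^https?:// ]] || fail "$var must start with http:// or https://"
      stripped=${val//\\\\\$/}            # drop every correctly escaped '\\$'
      case $stripped in *'$'*) fail "$var has an unescaped '\$'; write it as '\\\\\$'";; esac
    done

    # REG_CERT is optional too; when present it has to be a PEM certificate
    if [ -n "${REG_CERT:-}" ]; then
      case $REG_CERT in *"BEGIN CERTIFICATE"*) ;; *) fail "REG_CERT is not a PEM certificate";; esac
    fi
    exit "$errors"   # 0 = usable, otherwise the number of problems found
  )
}

# Constructed sample files so the check can be run stand-alone.
GOOD_ENV=$(mktemp); BAD_ENV=$(mktemp)
cat > "$GOOD_ENV" <<'EOF'
SV_IPS='10.0.0.11,10.0.0.12,10.0.0.13'
DEPLOY_NS='proxy-inject'
TKC_HTTPS_PROXY='http://someuser:pa\\$sword@proxy.example.internal:3128'
TKC_NO_PROXY='10.0.0.0/8,.svc,.cluster.local'
INTERVAL='60'
EOF
cat > "$BAD_ENV" <<'EOF'
SV_IPS='10.0.0.11,supervisor'
DEPLOY_NS='proxy-inject'
TKC_HTTPS_PROXY='http://someuser:pa$sword@proxy.example.internal:3128'
INTERVAL='1m'
EOF
```

Run `check_env env.sh` from the repo root; the bad sample above is rejected for the hostname in `SV_IPS`, the non-numeric `INTERVAL` and the unescaped `$` in the proxy password.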
NOTE: NOT TESTED FOR PRODUCTION USE