<br>
<img src="images/networking-https-proxy.png" alt="Networking pane configuration" width="325">
<br>
1. (Optional) Configure Tanzu Kubernetes Grid Integrated Edition to use a proxy.
<br>
<br>
Production environments can deny direct access to public Internet services and between internal services by placing an HTTP or HTTPS proxy in the network path between Kubernetes nodes and those services.
<br>
Configure Tanzu Kubernetes Grid Integrated Edition to use your proxy and activate the following:
* TKGI API access to public Internet services and other internal services.
* Tanzu Kubernetes Grid Integrated Edition-deployed Kubernetes nodes access to public Internet services and other internal services.
* Tanzu Kubernetes Grid Integrated Edition Telemetry ability to forward Telemetry data to the CEIP and Telemetry program.
<p class="note"><strong>Note</strong>: This setting does not set the proxy for running Kubernetes workloads or pods.
</p>
1. To complete your global proxy configuration for all outgoing HTTP/HTTPS traffic from your Kubernetes clusters, perform the following steps:
1. To proxy outgoing HTTP traffic, enter the URL of your HTTP proxy endpoint under **HTTP Proxy URL**.
For example, `http://myproxy.com:1234`.
1. (Optional) If your outgoing HTTP proxy uses basic authentication,
enter the user name and password in the **HTTP Proxy Credentials** fields.
1. To proxy outgoing HTTPS traffic, enter the URL of your HTTP proxy endpoint under **HTTPS Proxy URL**.
For example, `http://myproxy.com:1234`.
<p class="note"><strong>Note</strong>: Using an HTTPS connection to the proxy server is not supported.
HTTP and HTTPS proxy options can only be configured with an HTTP connection to the proxy server.
You cannot populate either of the proxy URL fields with an HTTPS URL. The proxy host and port can be different for HTTP and HTTPS traffic,
but the proxy protocol must be HTTP.
</p>
1. (Optional) If your HTTPS proxy uses basic authentication,
enter the user name and password in the **HTTPS Proxy Credentials** fields.
1. Under **No Proxy**, enter the comma-separated list of IP addresses that must bypass the proxy to
allow for internal Tanzu Kubernetes Grid Integrated Edition communication.
<br>
Include `127.0.0.1` and `localhost` in the **No Proxy** list.
<br>
Also include the following in the **No Proxy** list:
* Your Tanzu Kubernetes Grid Integrated Edition environment's CIDRs, such as
the service network CIDR where your Tanzu Kubernetes Grid Integrated Edition cluster is deployed,
the deployment network CIDR, the node network IP block CIDR, and the pod network IP block CIDR.
<br>
* The FQDN of any registry, such as the Harbor API FQDN, or of any other component that communicates with Tanzu Kubernetes Grid Integrated Edition using a hostname
instead of an IP address.
<br>
<% if current_page.data.topic=="proxies-nsx-t" || current_page.data.iaas == "vSphere" %>
* The IP addresses for your NSX Manager, vCenter Server, and all ESXi hosts,
if you are upgrading and have an existing proxy configuration for reaching a Docker registry or
other external services.
<br>
* Any additional IP addresses or domain names that must bypass the proxy.
<br>
The **No Proxy** property for vSphere accepts wildcard domains denoted by a prefixed `*.` or `.`.
<br><br>
For example:
```console
127.0.0.1,localhost,
*.example1.com,
.example2.com,
example3.com,
198.51.100.0/24,
203.0.113.0/24,
192.0.2.0/24
```
<% else %>
* Any additional IP addresses or domain names that must bypass the proxy.
<br>The **No Proxy** property for AWS accepts wildcard domains denoted by a prefixed `*.` or `.`.
<br><br>
For example:
```console
127.0.0.1,localhost,
*.example1.com,
.example2.com,
example3.com,
198.51.100.0/24,
203.0.113.0/24,
192.0.2.0/24
```
<% end %>
<% if current_page.data.topic=="proxies-aws" %>
<p class="note"><strong>Note</strong>: By default the
<code>169.254.169.254</code>, <code>10.100.0.0/8</code> and <code>10.200.0.0/8</code>
IP address ranges,
<code>.internal</code>, <code>.svc</code>, <code>.svc.cluster.local</code>, <code>.svc.cluster</code>,
and your Tanzu Kubernetes Grid Integrated Edition FQDN are not proxied. This allows internal Tanzu Kubernetes Grid Integrated Edition communication.
<br><br>
Do not use the <code>_</code> character in the <strong>No Proxy</strong> field. Entering an
underscore character in this field can cause upgrades to fail.
<br><br>
Because some jobs in the VMs accept <code>*.</code> as a wildcard, while others only accept <code>.</code>,
we recommend that you define a wildcard domain using both of them.
For example, to denote <code>example.com</code> as a wildcard domain, add both <code>*.example.com</code> and <code>example.com</code>
to the <strong>No Proxy</strong> property.
</p>
<% else %>
<p class="note"><strong>Note</strong>: By default the
<code>10.100.0.0/8</code> and <code>10.200.0.0/8</code>
IP address ranges,
<code>.internal</code>, <code>.svc</code>, <code>.svc.cluster.local</code>, <code>.svc.cluster</code>,
and your Tanzu Kubernetes Grid Integrated Edition FQDN are not proxied. This allows internal Tanzu Kubernetes Grid Integrated Edition communication.
<br><br>
Do not use the <code>_</code> character in the <strong>No Proxy</strong> field. Entering an
underscore character in this field can cause upgrades to fail.
<br><br>
Because some jobs in the VMs accept <code>*.</code> as a wildcard, while others only accept <code>.</code>,
we recommend that you define a wildcard domain using both of them.
For example, to denote <code>example.com</code> as a wildcard domain, add both <code>*.example.com</code> and <code>example.com</code>
to the <strong>No Proxy</strong> property.
</p>
<% end %>
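
The following pre-flight check is an added example, not part of the TKGI documentation or product: it validates a proxy URL and a **No Proxy** value against the rules stated above before you paste them into the tile. The function names `check_proxy_url` and `check_no_proxy` are hypothetical, and the wildcard check reads "both of them" as the `*.` and `.` prefixes.

```python
import ipaddress
from urllib.parse import urlsplit

REQUIRED = ("127.0.0.1", "localhost")  # the page says to always include these
# Constructed sample: the No Proxy example shown on this page, on one line.
SAMPLE = ("127.0.0.1,localhost,*.example1.com,.example2.com,example3.com,"
          "198.51.100.0/24,203.0.113.0/24,192.0.2.0/24")

def check_proxy_url(url):
    """Return problems with an HTTP Proxy URL or HTTPS Proxy URL value."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "http":  # an HTTPS connection to the proxy is unsupported
        problems.append(f"proxy URL scheme must be http, got {parts.scheme!r}")
    if not parts.hostname:
        problems.append("proxy URL has no host")
    return problems

def check_no_proxy(value):
    """Return (entries, problems) for a comma-separated No Proxy value."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    problems, domains = [], set()
    for entry in entries:
        if "_" in entry:
            problems.append(f"{entry}: underscore can cause upgrades to fail")
            continue
        try:
            ipaddress.ip_network(entry, strict=False)  # IP address or CIDR
        except ValueError:
            domains.add(entry)  # anything else is treated as a host or domain
    for name in REQUIRED:
        if name not in entries:
            problems.append(f"{name}: required entry is missing")
    # Some jobs accept only "*." wildcards and others only ".", so a wildcard
    # domain given in one form should also be listed in the other form.
    for domain in sorted(domains):
        if domain.startswith("*."):
            twin = domain[1:]
        elif domain.startswith("."):
            twin = "*" + domain
        else:
            continue
        if twin not in domains:
            problems.append(f"{domain}: also add {twin} so every job matches it")
    return entries, problems

if __name__ == "__main__":
    print("\n".join(check_no_proxy(SAMPLE)[1]))
```
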