Configuring proxy support in Operator Lifecycle Manager

If a global proxy is configured on the OKD cluster, Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. However, you can also configure installed Operators to override the global proxy or inject a custom CA certificate.

Additional resources

Overriding proxy settings of an Operator

If a cluster-wide egress proxy is configured, Operators running with Operator Lifecycle Manager (OLM) inherit the cluster-wide proxy settings on their deployments. Cluster administrators can also override these proxy settings by configuring the subscription of an Operator.

Operators must handle setting environment variables for proxy settings in the pods for any managed Operands.

Prerequisites

  • Access to an OKD cluster using an account with cluster-admin permissions.

Procedure

  1. Navigate in the web console to the Operators → OperatorHub page.

  2. Select the Operator and click Install.

  3. On the Install Operator page, modify the Subscription object to include one or more of the following environment variables in the spec section:

    • HTTP_PROXY

    • HTTPS_PROXY

    • NO_PROXY

    For example:

    Subscription object with proxy setting overrides

    1. apiVersion: operators.coreos.com/v1alpha1
    2. kind: Subscription
    3. metadata:
    4. name: etcd-config-test
    5. namespace: openshift-operators
    6. spec:
    7. config:
    8. env:
    9. - name: HTTP_PROXY
    10. value: test_http
    11. - name: HTTPS_PROXY
    12. value: test_https
    13. - name: NO_PROXY
    14. value: test
    15. channel: clusterwide-alpha
    16. installPlanApproval: Automatic
    17. name: etcd
    18. source: community-operators
    19. sourceNamespace: openshift-marketplace
    20. startingCSV: etcdoperator.v0.9.4-clusterwide

    These environment variables can also be unset using an empty value to remove any previously set cluster-wide or custom proxy settings.

    OLM handles these environment variables as a unit; if at least one of them is set, all three are considered overridden and the cluster-wide defaults are not used for the deployments of the subscribed Operator.

  4. Click Install to make the Operator available to the selected namespaces.

  5. After the CSV for the Operator appears in the relevant namespace, you can verify that custom proxy environment variables are set in the deployment. For example, using the CLI:

    1. $ oc get deployment -n openshift-operators \
    2. etcd-operator -o yaml \
    3. | grep -i "PROXY" -A 2

    Example output

    1. - name: HTTP_PROXY
    2. value: test_http
    3. - name: HTTPS_PROXY
    4. value: test_https
    5. - name: NO_PROXY
    6. value: test
    7. image: quay.io/coreos/etcd-operator@sha256:66a37fd61a06a43969854ee6d3e21088a98b93838e284a6086b13917f96b0d9c
    8. ...

Injecting a custom CA certificate

When a cluster administrator adds a custom CA certificate to a cluster using a config map, the Cluster Network Operator merges the user-provided certificates and system CA certificates into a single bundle. You can inject this merged bundle into your Operator running on Operator Lifecycle Manager (OLM), which is useful if you have a man-in-the-middle HTTPS proxy.

Prerequisites

  • Access to an OKD cluster using an account with cluster-admin permissions.

  • Custom CA certificate added to the cluster using a config map.

  • Desired Operator installed and running on OLM.

Procedure

  1. Create an empty config map in the namespace where the subscription for your Operator exists and include the following label:

    1. apiVersion: v1
    2. kind: ConfigMap
    3. metadata:
    4. name: trusted-ca (1)
    5. labels:
    6. config.openshift.io/inject-trusted-cabundle: "true" (2)
    1Name of the config map.
    2Requests the Cluster Network Operator to inject the merged bundle.

    After creating this config map, it is immediately populated with the certificate contents of the merged bundle.

  2. Update the Subscription object to include a spec.config section that mounts the trusted-ca config map as a volume to each container within a pod that requires a custom CA:

    1. apiVersion: operators.coreos.com/v1alpha1
    2. kind: Subscription
    3. metadata:
    4. name: my-operator
    5. spec:
    6. package: etcd
    7. channel: alpha
    8. config: (1)
    9. selector:
    10. matchLabels:
    11. <labels_for_pods> (2)
    12. volumes: (3)
    13. - name: trusted-ca
    14. configMap:
    15. name: trusted-ca
    16. items:
    17. - key: ca-bundle.crt (4)
    18. path: tls-ca-bundle.pem (5)
    19. volumeMounts: (6)
    20. - name: trusted-ca
    21. mountPath: /etc/pki/ca-trust/extracted/pem
    22. readOnly: true
    1Add a config section if it does not exist.
    2Specify labels to match pods that are owned by the Operator.
    3Create a trusted-ca volume.
    4ca-bundle.crt is required as the config map key.
    5tls-ca-bundle.pem is required as the config map path.
    6Create a trusted-ca volume mount.

    Deployments of an Operator can fail to validate the authority and display a x509 certificate signed by unknown authority error. This error can occur even after injecting a custom CA when using the subscription of an Operator. In this case, you can set the mountPath as /etc/ssl/certs for trusted-ca by using the subscription of an Operator.