Dustin Specker e9696dca0a feat: support setting up Vagrant behind corporate proxy with TLS
This is a squashed commit, keeping previous messages intact for history.

- chore(tools/gate/jarvis): remove unused http_proxy

- fix(tools/gate/deploy-k8s): pre-pull Calico images

By pre-pulling Calico images, we can better ensure the timeout for
`kubectl wait` for `k8s-app=kube-dns` is sufficient, since most of the
time spent is on pulling images.

- fix(tools/gate/jarvis): skip loki Helm test when proxy is set

The Loki test attempts to install `curl` and `jq`, which will fail when
a proxy is required since the pod doesn't set up proxy environment
variables.

- feat(tools/deployment/vagrant): support providing a cert for proxy

- feat(ubuntu-base/standard-container): support internal-certs

The Vagrant file mounts an additional synced folder to
/airship_charts/tools/gate/jarvis/ubuntu-base/internal-certs.

This internal-certs dir has been added to this Git repository using a
placeholder `.gitkeep` file to keep the directory non-empty. This
directory has also been added to .gitignore to prevent any changes such
as the mounted internal certs from being committed.

The ubuntu-base image sets the proxy env vars as well as contains the
internal certs. The standard container is then based on the ubuntu-base
image.

The ubuntu-base image is published as library/ubuntu:focal in harbor.

- fix(tools/gate/jarvis): support Harbor behind proxy with cert

Change-Id: I602dfa3b04b798a1a2096242ffb6dfe7f2ba92e4
2021-03-08 08:56:29 -06:00


Running Jarvis Behind Corporate Proxy

Environment Variables

On the host machine, ensure the following environment variables are set with the appropriate proxy information: HTTP_PROXY, HTTPS_PROXY, and NO_PROXY. You will also need to set the environment variable PRIVATE_NS to the IP address of a corporate name server that will resolve internal URLs. PRIVATE_NS supports multiple corporate name servers as a space-separated list, such as PRIVATE_NS="172.18.0.17 172.19.0.17".

Certificate Authority for Corporate Proxy

If the proxy requires a certificate to be trusted:

  1. Run mkdir ~/internal-certs/
  2. Download the required *.crt file
  3. Move the *.crt file into ~/internal-certs/
  4. Define an environment variable named INTERNAL_CERTS_DIR with the value of ~/internal-certs/

The Vagrantfile will handle using the internal certificates during the vagrant up process.

Vagrant Plugin

To easily set up the Vagrant box's proxy settings, install the vagrant-proxyconf plugin by running:

$ vagrant plugin install vagrant-proxyconf

NO_PROXY Configuration

In the event NO_PROXY is not specified, the following default value will be used:

localhost,127.0.0.1,10.96.0.0/12,192.168.49.0/24,192.168.99.0/24,10.0.2.15,10.244.0.0/16,172.28.0.0/30,.minikube.internal,.svc,.svc.cluster.local,jarvis.local

If you set NO_PROXY yourself, account for the following so that this traffic is not routed through the proxy:

  • Localhost: localhost and 127.0.0.1,
  • Host and guest machine IP and name: jarvis, jarvis.local, etc.,
  • Minikube-specific IP ranges (e.g. 192.168.49.0/24). See minikube's documentation for details,
  • The host.minikube.internal and control-plane.minikube.internal entries that Minikube places into /etc/hosts,
  • Kubernetes service URLs ending in .svc, .cluster.local or .svc.cluster.local,
  • Kubernetes service cluster IP ranges: 10.96.0.0/12 or what's configured via --service-cluster-ip-range,
  • DNSMasq subnet range: 172.28.0.0/30.
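
A custom NO_PROXY that omits one of these entries sends host-local or in-cluster traffic to the corporate proxy. The following check is an added example, not part of the Jarvis repository: it reports which entries of the default value above a given NO_PROXY string fails to cover, treating a wider CIDR or a leading-dot suffix as covering a narrower entry. The function names and matching rules are assumptions made for this sketch; real clients differ in how they interpret NO_PROXY.

```python
import ipaddress

# Default NO_PROXY value quoted on this page; each entry is treated as required.
DEFAULT_NO_PROXY = (
    "localhost,127.0.0.1,10.96.0.0/12,192.168.49.0/24,192.168.99.0/24,"
    "10.0.2.15,10.244.0.0/16,172.28.0.0/30,.minikube.internal,.svc,"
    ".svc.cluster.local,jarvis.local"
)

def _parse(value):
    """Split a NO_PROXY string into (IP networks, lower-cased host/domain names)."""
    nets, names = [], []
    for entry in (e.strip().lower() for e in value.split(",")):
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry)
    return nets, names

def _covered(required, nets, names):
    """True if one required entry is matched by the candidate's nets or names."""
    try:
        want = ipaddress.ip_network(required, strict=False)
    except ValueError:
        # Assumption: names match exactly, or by suffix when the candidate
        # entry starts with a dot (".local" covers "jarvis.local").
        return any(required == n or (n.startswith(".") and required.endswith(n))
                   for n in names)
    # An address or range is covered when it sits inside any listed network.
    return any(want.version == n.version and want.subnet_of(n) for n in nets)

def missing_entries(no_proxy, required=DEFAULT_NO_PROXY):
    """Return the required entries that the given NO_PROXY value does not cover."""
    nets, names = _parse(no_proxy)
    return [r for r in required.split(",")
            if not _covered(r.strip().lower(), nets, names)]

if __name__ == "__main__":
    import os
    gaps = missing_entries(os.environ.get("NO_PROXY", ""))
    print("NO_PROXY covers the defaults" if not gaps else f"not covered: {gaps}")
```

Run it on the host before vagrant up; an empty result means every default entry is covered by the value you exported.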

Installation

With the appropriate environment variables set, follow the installation instructions in <aio-installation>.