Add a CA certificate for a MITM proxy

Available since 2.18.0 TechPreview

When you enable a man-in-the-middle (MITM) proxy access to a managed cluster, your proxy requires a trusted CA certificate. This section describes how to manually add the caCertificate field to the spec section of the Proxy object.

To add a CA certificate for a MITM proxy:

1. Encode you proxy CA certificate. For example:

   cat ~/.mitmproxy/mitmproxy-ca-cert.cer | base64 -w0
   

   Replace ~/.mitmproxy/mitmproxy-ca-cert.cer with the path to your CA certificate file.

2. Open the existing Proxy object for editing:

   kubectl --kubeconfig <pathToManagementClusterKubeconfig> -n <projectName> edit proxy <proxyName>
   

   In the system response, find the spec section with the current proxy configuration. For example:

   spec:
     httpProxy: http://172.19.123.57:8080
     httpsProxy: http://172.19.123.57:8080
   

3. In the spec section, add the spec.caCertificate field with the base64-encoded proxy CA certificate data. For example:

   spec:
     caCertificate: <BASE64_ENCODED_CA_CERTIFICATE>
     httpProxy: http://172.19.123.57:8080
     httpsProxy: http://172.19.123.57:8080
   

4. Save the Proxy object and proceed with the managed cluster creation.