Add or update a CA certificate for a MITM proxy using API

Note

For MOSK, the feature is generally available since MOSK 23.1.

When you enable a man-in-the-middle (MITM) proxy access to a managed cluster, your proxy requires a trusted CA certificate. This section describes how to manually add the caCertificate field to the spec section of the Proxy object. You can also use this instruction to update an expired certificate on an existing cluster.

You can also add a CA certificate for a MITM proxy using the Container Cloud web UI through the Proxies tab. For details, refer to the cluster creation procedure for the required cloud provider as described in Create and operate managed clusters.

To add or update a CA certificate for a MITM proxy using API:

  1. Encode your proxy CA certificate in base64. For example:

    cat ~/.mitmproxy/mitmproxy-ca-cert.cer | base64 -w0
    

    Replace ~/.mitmproxy/mitmproxy-ca-cert.cer with the path to your CA certificate file.

  2. Open the existing Proxy object for editing:

    Warning

    The kubectl apply command automatically saves the applied data as plain text into the kubectl.kubernetes.io/last-applied-configuration annotation of the corresponding object. This may result in revealing sensitive data in this annotation when creating or modifying the object.

    Therefore, do not use kubectl apply on this object. Use kubectl create, kubectl patch, or kubectl edit instead.

    If you used kubectl apply on this object, you can remove the kubectl.kubernetes.io/last-applied-configuration annotation from the object using kubectl edit.

    kubectl --kubeconfig <pathToManagementClusterKubeconfig> -n <projectName> edit proxy <proxyName>
    

    In the system response, find the spec section with the current proxy configuration. For example:

    spec:
      httpProxy: http://172.19.123.57:8080
      httpsProxy: http://172.19.123.57:8080
    
  3. In the spec section, add or update the spec.caCertificate field with the base64-encoded proxy CA certificate data. For example:

    spec:
      caCertificate: <BASE64_ENCODED_CA_CERTIFICATE>
      httpProxy: http://172.19.123.57:8080
      httpsProxy: http://172.19.123.57:8080
    
  4. Save the Proxy object and proceed with the managed cluster creation. If you update an expired certificate on an existing managed cluster, wait until the machines switch from the Reconfigure to the Ready state for the changes to apply.
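The same change can be scripted with kubectl patch, one of the commands that the warning above recommends instead of kubectl apply, followed by a check that the object does not carry the plaintext last-applied-configuration annotation. This is an added example and not part of the Container Cloud documentation; the kubeconfig path, project name, Proxy name, and the PEM content used in the self-check are placeholders or constructed values.

```shell
#!/bin/sh
# Added example (not from the Container Cloud docs): set spec.caCertificate on a
# Proxy object with `kubectl patch`, which, unlike `kubectl apply`, does not store
# the whole object in the last-applied-configuration annotation. Kubeconfig path,
# project and Proxy names are placeholders to be replaced by the operator.
set -eu

# Base64-encode a PEM certificate as a single line (portable form of `base64 -w0`).
# Refuses files that are not PEM certificates so a wrong path is caught early.
encode_ca_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" || { echo "not a PEM certificate: $1" >&2; return 1; }
    base64 < "$1" | tr -d '\n'
}

# Build the JSON merge patch that adds or replaces only spec.caCertificate,
# leaving httpProxy and httpsProxy untouched.
build_ca_patch() {
    printf '{"spec":{"caCertificate":"%s"}}' "$(encode_ca_cert "$1")"
}

# Return 0 if the object JSON read from stdin still carries the plaintext
# annotation that `kubectl apply` leaves behind.
has_last_applied_annotation() {
    grep -q 'kubectl.kubernetes.io/last-applied-configuration'
}

# Patch the Proxy object and warn if the annotation is present afterwards.
update_proxy_ca() {
    kubeconfig=$1; project=$2; proxy=$3; cert=$4
    kubectl --kubeconfig "$kubeconfig" -n "$project" patch proxy "$proxy" \
        --type merge -p "$(build_ca_patch "$cert")"
    if kubectl --kubeconfig "$kubeconfig" -n "$project" get proxy "$proxy" -o json \
        | has_last_applied_annotation; then
        echo "warning: $proxy still has last-applied-configuration; remove it with kubectl edit" >&2
    fi
}

# Example invocation (placeholders):
# update_proxy_ca ~/kubeconfig-mgmt my-project my-proxy ~/.mitmproxy/mitmproxy-ca-cert.cer
```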