Add or update a CA certificate for a MITM proxy¶
Available since 2.18.0 as TechPreview Available since 2.20.0 as GA for non-MOSK clusters
Since Container Cloud 2.20.0, the feature is generally available for the AWS, vSphere, Equinix Metal with private networking, OpenStack, and non-MOSK-based bare metal providers through the Proxies tab of the Container Cloud web UI. For details, refer to the cluster creation procedure for the required cloud provider as described in Create and operate managed clusters.
For MOSK-based deployments, the feature support will become available in one of the following Container Cloud releases.
Since Container Cloud 2.18.0, the feature is available as Technology Preview for the OpenStack and non-MOSK-based bare metal deployments only. Use the manual instruction below to encode and add a CA certificate for a MITM proxy.
For Azure and Equinix Metal with public networking deployments, the feature is not supported.
When you enable a man-in-the-middle (MITM) proxy access to a managed cluster,
your proxy requires a trusted CA certificate. This section describes how to
manually add the
caCertificate field to the
Proxy object. You can also use this instruction to update an
expired certificate on an existing cluster.
To add or update a CA certificate for a MITM proxy:
Encode you proxy CA certificate. For example:
cat ~/.mitmproxy/mitmproxy-ca-cert.cer | base64 -w0
~/.mitmproxy/mitmproxy-ca-cert.cerwith the path to your CA certificate file.
Open the existing
Proxyobject for editing:
kubectl --kubeconfig <pathToManagementClusterKubeconfig> -n <projectName> edit proxy <proxyName>
In the system response, find the
specsection with the current proxy configuration. For example:
spec: httpProxy: http://172.19.123.57:8080 httpsProxy: http://172.19.123.57:8080
specsection, add or update the
spec.caCertificatefield with the base64-encoded proxy CA certificate data. For example:
spec: caCertificate: <BASE64_ENCODED_CA_CERTIFICATE> httpProxy: http://172.19.123.57:8080 httpsProxy: http://172.19.123.57:8080
Proxyobject and proceed with the managed cluster creation. If you update an expired certificate on an existing managed cluster, wait until the machines switch from the
Readystate to apply changes.