Add a CA certificate for a MITM proxy

Available since 2.18.0 TechPreview

When you enable man-in-the-middle (MITM) proxy access to a managed cluster, your proxy requires a trusted CA certificate. This section describes how to manually add the caCertificate field to the spec section of the Proxy object.

To add a CA certificate for a MITM proxy:

  1. Encode your proxy CA certificate. For example:

    cat ~/.mitmproxy/mitmproxy-ca-cert.cer | base64 -w0
    

    Replace ~/.mitmproxy/mitmproxy-ca-cert.cer with the path to your CA certificate file.

  2. Open the existing Proxy object for editing:

    kubectl --kubeconfig <pathToManagementClusterKubeconfig> -n <projectName> edit proxy <proxyName>
    

    In the system response, find the spec section with the current proxy configuration. For example:

    spec:
      httpProxy: http://172.19.123.57:8080
      httpsProxy: http://172.19.123.57:8080
    
  3. In the spec section, add the spec.caCertificate field with the base64-encoded proxy CA certificate data. For example:

    spec:
      caCertificate: <BASE64_ENCODED_CA_CERTIFICATE>
      httpProxy: http://172.19.123.57:8080
      httpsProxy: http://172.19.123.57:8080
    
  4. Save the Proxy object and proceed with the managed cluster creation.
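
A pre-flight check for step 1, as an added example that is not part of the original documentation: it refuses a file that carries private key material or more than one certificate, then emits the single-line base64 value for spec.caCertificate and confirms that it decodes back to the same bytes. The helper name encode_proxy_ca and its return codes are hypothetical, and the script assumes a PEM-encoded certificate file.

```shell
#!/bin/sh
# Added example. encode_proxy_ca is a hypothetical helper, not a product command.
# Assumption: the CA certificate file is PEM-encoded.
# Usage after sourcing this file: encode_proxy_ca <path-to-CA-certificate>

encode_proxy_ca() {
    cert=$1

    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }

    # The Proxy object is readable by anyone who can read the project's
    # resources, so a file that bundles the CA key must never be encoded.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$cert"; then
        echo "$cert contains a private key; use the certificate-only file" >&2
        return 3
    fi

    # Expect exactly one certificate block, so that only the intended CA
    # becomes trusted. grep -c exits non-zero on a count of 0, hence || true.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$cert" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "$cert must hold exactly one PEM certificate" >&2
        return 4
    fi

    # Same result as 'base64 -w0', written portably: one line, no wrapping.
    encoded=$(base64 < "$cert" | tr -d '\n')

    # Round trip: the value must decode to the original file byte for byte.
    tmp=$(mktemp) || return 5
    printf '%s' "$encoded" | base64 -d > "$tmp" 2>/dev/null
    if ! cmp -s "$cert" "$tmp"; then
        rm -f "$tmp"
        echo "encoded value does not decode back to $cert" >&2
        return 5
    fi
    rm -f "$tmp"

    printf '%s\n' "$encoded"
}
```
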