Proxy and cache support
If you require all Internet access to go through a proxy server for security and audit purposes, you can bootstrap management and regional clusters through a proxy. The proxy server settings consist of three standard environment variables that are set before the bootstrap process:
These settings are not propagated to managed clusters. However, you can enable separate proxy access on a managed cluster using the Container Cloud web UI. This proxy is intended for end-user needs and is not used for a managed cluster deployment or for access to the Mirantis resources.
Since Container Cloud uses the OpenID Connect (OIDC) protocol for IAM authentication, management clusters require direct, non-proxied access from regional and managed clusters.
StackLight components, which require external access, automatically use the same proxy that is configured for Container Cloud clusters.
On managed clusters with limited Internet access, a proxy is required by the StackLight components that use HTTP or HTTPS for external access. These components are disabled by default but need external access once enabled, for example, the Salesforce integration and the external notification rules of Alertmanager. For more details about proxy implementation in StackLight, see StackLight proxy.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Hardware and system requirements.
After enabling proxy support on regional and managed clusters, proxy is used for:
Docker and CDN traffic on regional clusters
Docker traffic on managed clusters
OpenStack on MOSK-based clusters
The Container Cloud managed clusters are deployed without direct Internet access in order to consume less Internet traffic in your cloud. The Mirantis artifacts used during managed cluster deployment are downloaded through a cache running on a regional cluster. The feature is enabled by default on new managed clusters and is automatically enabled on existing clusters during upgrade to the latest version.
IAM operations require direct, non-proxied access from a managed cluster to the management cluster.
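As an added example, not part of the Mirantis documentation or of the Container Cloud bootstrap tooling: a POSIX shell pre-flight check that an operator could run before bootstrapping, verifying that a proxy is configured and that the management cluster endpoint bypasses it. It covers both the OIDC requirement stated above for regional and managed clusters and the IAM note here, since each needs direct, non-proxied access to the management cluster. It assumes the three standard variables are HTTP_PROXY, HTTPS_PROXY and NO_PROXY; the proxy address and hostnames are constructed sample values, not real endpoints.

```shell
#!/bin/sh
# Added example (not Mirantis code). Assumes the three standard proxy
# variables are HTTP_PROXY, HTTPS_PROXY and NO_PROXY.

# no_proxy_covers HOST NO_PROXY_VALUE
# Returns 0 if HOST is matched by one of the comma-separated NO_PROXY
# entries: "*", an exact host, or a domain suffix written either as
# ".example.internal" or "example.internal" (both also match subdomains).
no_proxy_covers() {
  host=$1
  rest=$2
  while [ -n "$rest" ]; do
    # Split off the next comma-separated entry without touching IFS.
    case "$rest" in
      *,*) entry=${rest%%,*}; rest=${rest#*,} ;;
      *)   entry=$rest; rest='' ;;
    esac
    entry=$(printf '%s' "$entry" | tr -d ' ')
    [ -z "$entry" ] && continue
    case "$entry" in
      '*') return 0 ;;
    esac
    [ "$host" = "$entry" ] && return 0
    suffix=${entry#.}
    case "$host" in
      *".$suffix") return 0 ;;
    esac
  done
  return 1
}

# check_proxy_env MGMT_HOST
# Verifies that a proxy is configured and that MGMT_HOST (the management
# cluster endpoint that OIDC/IAM traffic must reach directly) is excluded
# from it. Reports each problem on stderr and returns non-zero on any.
check_proxy_env() {
  mgmt=$1
  status=0
  if [ -z "${HTTP_PROXY:-}" ]; then
    echo "missing: HTTP_PROXY is not set" >&2
    status=1
  fi
  if [ -z "${HTTPS_PROXY:-}" ]; then
    echo "missing: HTTPS_PROXY is not set" >&2
    status=1
  fi
  if no_proxy_covers "$mgmt" "${NO_PROXY:-}"; then
    echo "ok: $mgmt bypasses the proxy"
  else
    echo "error: $mgmt is not covered by NO_PROXY; OIDC/IAM traffic would be proxied" >&2
    status=1
  fi
  return $status
}

# Constructed sample settings so the check runs stand-alone; replace the
# hostnames and proxy address with your own before a real bootstrap.
HTTP_PROXY=http://proxy.example.internal:3128
HTTPS_PROXY=http://proxy.example.internal:3128
NO_PROXY=localhost,127.0.0.1,.cluster.local,mgmt.example.internal
export HTTP_PROXY HTTPS_PROXY NO_PROXY

check_proxy_env mgmt.example.internal
```

Run the script in the shell session that will start the bootstrap, so it inspects the same exported variables the bootstrap process inherits. The suffix matching mirrors the common client convention that an entry such as `example.internal` also excludes its subdomains; if your proxy clients treat NO_PROXY more strictly, list the management cluster host explicitly, as the sample does.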