Add or update a CA certificate for a MITM proxy using API¶
Note
For managed clusters, this feature is available since MOSK 23.1.
When you enable a man-in-the-middle (MITM) proxy access to a managed cluster,
your proxy requires a trusted CA certificate. This section describes how to
manually add the caCertificate
field to the spec
section
of the Proxy
object. You can also use this instruction to update an
expired certificate on an existing cluster.
You can also add a CA certificate for a MITM proxy using the Container Cloud web UI through the Proxies tab. For details, refer to the cluster creation procedure as described in Create a managed bare metal cluster.
Warning
Any modification to the Proxy
object, for example, changing
the proxy URL, NO_PROXY
values, or certificate, leads to cordon-drain
and Docker restart on the cluster machines.
To add or update a CA certificate for a MITM proxy using API:
Encode your proxy CA certificate. For example:
cat ~/.mitmproxy/mitmproxy-ca-cert.cer | base64 -w0
Replace
~/.mitmproxy/mitmproxy-ca-cert.cer
with the path to your CA certificate file.Open the existing
Proxy
object for editing:kubectl --kubeconfig <pathToManagementClusterKubeconfig> -n <projectName> edit proxy <proxyName>
In the system response, find the
spec
section with the current proxy configuration. For example:spec: httpProxy: http://172.19.123.57:8080 httpsProxy: http://172.19.123.57:8080
In the
spec
section, add or update thespec.caCertificate
field with the base64-encoded proxy CA certificate data. For example:spec: caCertificate: <BASE64_ENCODED_CA_CERTIFICATE> httpProxy: http://172.19.123.57:8080 httpsProxy: http://172.19.123.57:8080
Save the
Proxy
object and proceed with the managed cluster creation.If you update an expired certificate on an existing managed cluster, wait until the machines switch from the
Reconfigure
toReady
state to apply changes.