Proxy support and cache of artifacts

Proxy support

If you require all Internet access to go through a proxy server for security and audit purposes, you can bootstrap management clusters using a proxy. The proxy server settings consist of three standard environment variables that are set prior to the bootstrap process:

  • HTTP_PROXY

  • HTTPS_PROXY

  • NO_PROXY

These settings are not propagated to MOSK clusters. However, you can enable separate proxy access on a MOSK cluster using the MOSK management console. This proxy is intended for end-user needs and is not used for MOSK cluster deployment or for access to the Mirantis resources.

Caution

Since MOSK uses the OpenID Connect (OIDC) protocol for IAM authentication, management clusters require direct non-proxy access from MOSK clusters.
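A preflight check for the settings above, as an added example that is not part of the Mirantis documentation or tooling: it verifies that the three variables are set before bootstrap and tests whether a given NO_PROXY list lets a host bypass the proxy, which is one way to confirm the direct access the caution calls for. The host names and the matching rule (exact match, or suffix match on a domain boundary) are assumptions; tools differ in how they interpret NO_PROXY.

```shell
#!/bin/sh
# Added example: preflight checks for proxy settings (not vendor code).

# Return 0 only if HTTP_PROXY, HTTPS_PROXY and NO_PROXY are all set
# and both proxy variables hold an http:// or https:// URL.
check_proxy_env() {
    _rc=0
    for _name in HTTP_PROXY HTTPS_PROXY NO_PROXY; do
        eval "_value=\${$_name:-}"
        if [ -z "$_value" ]; then
            echo "missing: $_name" >&2; _rc=1; continue
        fi
        if [ "$_name" != NO_PROXY ]; then
            case "$_value" in
                http://?*|https://?*) ;;
                *) echo "not an http(s) URL: $_name" >&2; _rc=1 ;;
            esac
        fi
    done
    return "$_rc"
}

# no_proxy_covers HOST LIST
# Return 0 if HOST is matched by an entry of the comma-separated LIST.
# Assumed rule: exact match, or suffix match on a domain boundary, so
# "example.test" and ".example.test" both cover "a.example.test".
# IP addresses match only when listed exactly; CIDR is not handled.
# The body runs in a subshell so IFS and "set -f" do not leak out.
no_proxy_covers() (
    host=$1
    IFS=,
    set -f                                   # no globbing while splitting
    for entry in $2; do
        entry=${entry#"${entry%%[! ]*}"}     # trim leading spaces
        entry=${entry%"${entry##*[! ]}"}     # trim trailing spaces
        entry=${entry#.}                     # ".d" is treated like "d"
        [ -n "$entry" ] || continue
        case "$host" in
            "$entry"|*."$entry") exit 0 ;;
        esac
    done
    exit 1
)

# Constructed sample values; the host names are hypothetical.
SAMPLE_NO_PROXY="localhost,127.0.0.1,.mgmt.example.test"
if no_proxy_covers "iam.mgmt.example.test" "$SAMPLE_NO_PROXY"; then
    echo "iam.mgmt.example.test bypasses the proxy"
fi
```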

StackLight components, which require external access, automatically use the same proxy that is configured for MOSK clusters.

On MOSK clusters with limited Internet access, a proxy is required for the StackLight components that use HTTP and HTTPS, are disabled by default, and need external access once enabled, for example, the Salesforce integration and external rules of Alertmanager notifications. For more details about proxy implementation in StackLight, see StackLight proxy.

For the list of Mirantis resources and IP addresses to be accessible from MOSK clusters, see System requirements for the seed node.

After you enable proxy support on MOSK clusters, the proxy is used for:

  • Docker traffic on MOSK clusters

  • StackLight

  • OpenStack

Warning

Any modification to the Proxy object used in any cluster, for example, changing the proxy URL, NO_PROXY values, or certificate, leads to a cordon-drain and a Docker restart on the cluster machines.

Artifacts caching

MOSK clusters are deployed without direct Internet access to consume less Internet traffic in your cluster. The Mirantis artifacts used during MOSK cluster deployment are downloaded through a cache running on a management cluster. The feature is enabled by default.

Caution

IAM operations require direct non-proxy access from a MOSK cluster to a management cluster.