Use a web proxy

Mirantis Secure Registry (MSR) makes outgoing connections to check for new versions, automatically renew its license, and update its vulnerability database. If MSR cannot access the Internet, you must manually apply any updates.

One way to keep your environment secure while still allowing MSR access to the Internet is to deploy a web proxy. If you have an HTTP or HTTPS proxy, you can configure MSR to use it.

Configure web proxy usage on Kubernetes

You can configure web proxy usage on Kubernetes using either the MSR Operator or a Helm chart.

MSR Operator

  1. In the custom resource manifest, insert the following values to add the HTTP_PROXY and HTTPS_PROXY environment variables to all containers in your MSR deployment:

    spec:
      extraEnv:
        HTTP_PROXY: "<domain>:<port>"
        HTTPS_PROXY: "<username>:<password>@<domain>:<port>"
    
  2. Apply the changes to the custom resource:

    kubectl apply -f cr-sample-manifest.yaml
    
  3. Verify completion of the reconciliation process for the custom resource:

    kubectl get msrs.msr.mirantis.com
    kubectl get rethinkdbs.rethinkdb.com
    
  4. Verify the MSR configuration by checking the environment variables on the Pod resources that the MSR Helm chart deploys:

    kubectl get deploy/msr-registry -o jsonpath='{@.spec.template.spec.containers[].env}'
    

    Example output:

    [{"name":"HTTP_PROXY","value":"example.com:444"}]
    
Helm chart

  1. In values.yaml, insert the following snippet to add the HTTP_PROXY and HTTPS_PROXY environment variables to all containers in your MSR deployment:

    global:
      extraEnv:
        HTTP_PROXY: "<domain>:<port>"
        HTTPS_PROXY: "<username>:<password>@<domain>:<port>"
    
  2. Apply the newly inserted values:

    helm upgrade msr msrofficial/msr --version 1.0.0 -f values.yaml
    
  3. Verify the MSR configuration by checking the environment variables on the Pod resources that the MSR Helm chart deploys:

    kubectl get deploy/msr-registry -o jsonpath='{@.spec.template.spec.containers[].env}'
    

    Example output:

    [{"name":"HTTP_PROXY","value":"example.com:444"}]
    

Configure web proxy usage on Swarm

  1. Update your MSR services to include the HTTP_PROXY and HTTPS_PROXY environment variables:

    docker service update msr_msr-api-server \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-garant \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-jobrunner \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-nginx \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-notary-server \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-notary-signer \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-registry \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-scanningstore \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-enzi-api \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    docker service update msr_msr-enzi-worker \
      --env-add HTTP_PROXY=<domain>:<port> \
      --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
    
  2. Verify that each environment variable is appropriately set:

    docker service inspect <msr-service-name> --format '{{.Spec.TaskTemplate.ContainerSpec.Env }}' | grep 'HTTP_PROXY\|HTTPS_PROXY'
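
The verification commands above print the full variable values, including any username and password embedded in HTTPS_PROXY. The following shell helpers are an added example, not part of the MSR documentation: they mask the credentials in the output of either command and report which of the two variables is absent. The function names, hostnames and credentials in the samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify proxy variables without printing the proxy
# password to the terminal or to CI logs.

# Mask "user:password@" in HTTP_PROXY/HTTPS_PROXY values read from stdin.
# Handles the JSON printed by the kubectl jsonpath query and the
# "[NAME=value ...]" list printed by docker service inspect.
redact_proxy_creds() {
  sed -E \
    -e 's#("name":"HTTPS?_PROXY","value":")([a-z]+://)?[^"]+@#\1\2<redacted>@#g' \
    -e 's#(HTTPS?_PROXY=)([a-z]+://)?[^] ]+@#\1\2<redacted>@#g'
}

# Print the names of required variables missing from the env dump on stdin.
# Exit status is 0 only when both HTTP_PROXY and HTTPS_PROXY are present.
missing_proxy_vars() (
  dump=$(cat)
  missing=""
  for var in HTTP_PROXY HTTPS_PROXY; do
    printf '%s\n' "$dump" | grep -Eq "\"name\":\"$var\"|(^|[[ ])$var=" ||
      missing="$missing $var"
  done
  [ -z "$missing" ] || { echo "missing:$missing"; false; }
)

# Constructed sample outputs (hostnames and credentials are made up).
K8S_SAMPLE='[{"name":"HTTP_PROXY","value":"proxy.example.com:3128"},{"name":"HTTPS_PROXY","value":"svc-msr:S3cret@proxy.example.com:3128"}]'
SWARM_SAMPLE='[HTTP_PROXY=proxy.example.com:3128 HTTPS_PROXY=svc-msr:S3cret@proxy.example.com:3128]'

printf '%s\n' "$K8S_SAMPLE" | redact_proxy_creds
printf '%s\n' "$SWARM_SAMPLE" | redact_proxy_creds
printf '%s\n' "$SWARM_SAMPLE" | missing_proxy_vars && echo "both proxy variables set"

# Live use, piping the commands from this page through the helper:
#   kubectl get deploy/msr-registry -o jsonpath='{@.spec.template.spec.containers[].env}' | redact_proxy_creds
#   docker service inspect <msr-service-name> --format '{{.Spec.TaskTemplate.ContainerSpec.Env }}' | redact_proxy_creds
```

Anyone who can read the Deployment or service spec can still read the stored value; the helper only keeps it out of terminal scrollback and logs.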