Use a web proxy
Mirantis Secure Registry (MSR) makes outgoing connections to check for new versions, automatically renew its license, and update its vulnerability database. If MSR cannot access the Internet, you must manually apply any updates.
One way to keep your environment secure while still allowing MSR access to the Internet is to deploy a web proxy. If you have an HTTP or HTTPS proxy, you can configure MSR to use it.
Configure web proxy usage on Kubernetes
You can configure web proxy usage on Kubernetes using either the MSR Operator or a Helm chart.
In the custom resource manifest, insert the following values to add the HTTP_PROXY and HTTPS_PROXY environment variables to all containers in your MSR deployment:
spec:
  extraEnv:
    HTTP_PROXY: "<domain>:<port>"
    HTTPS_PROXY: "username:password@<domain>:<port>"
Apply the changes to the custom resource:
kubectl apply -f cr-sample-manifest.yaml
Verify completion of the reconciliation process for the custom resource:
kubectl get msrs.msr.mirantis.com
kubectl get rethinkdbs.rethinkdb.com
Verify the MSR configuration by reviewing the Pod resources that the MSR Helm chart deploys for the environment variables:
kubectl get deploy/msr-registry -o jsonpath='{@.spec.template.spec.containers[].env}'
Example output:
[{"name":"HTTP_PROXY","value":"example.com:444"}]%
In values.yaml, insert the following snippet to add the HTTP_PROXY and HTTPS_PROXY environment variables to all containers in your MSR deployment:
global:
  extraEnv:
    HTTP_PROXY: "<domain>:<port>"
    HTTPS_PROXY: "username:password@<domain>:<port>"
Apply the newly inserted values:
helm upgrade msr msrofficial/msr --version 1.0.0 -f values.yaml
Verify the MSR configuration by reviewing the Pod resources that the MSR Helm chart deploys for the environment variables:
kubectl get deploy/msr-registry -o jsonpath='{@.spec.template.spec.containers[].env}'
Example output:
[{"name":"HTTP_PROXY","value":"example.com:444"}]%
Configure web proxy usage on Swarm
Update your MSR services to include the HTTP_PROXY and HTTPS_PROXY environment variables:
docker service update msr_msr-api-server \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-garant \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-jobrunner \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-nginx \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-notary-server \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-notary-signer \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-registry \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-scanningstore \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-enzi-api \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
docker service update msr_msr-enzi-worker \
  --env-add HTTP_PROXY=<domain>:<port> \
  --env-add HTTPS_PROXY=<username>:<password>@<domain>:<port>
Verify that each environment variable is appropriately set:
docker service inspect <msr-service-name> --format '{{.Spec.TaskTemplate.ContainerSpec.Env }}' | grep 'HTTP_PROXY\|HTTPS_PROXY'
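The inspect command above has to be repeated for each of the ten services, and its output prints any proxy credentials in clear text. The following added example (not part of the Mirantis documentation) loops over the service names used above, reports services that lack either variable, and masks the user:password part before printing; the function names are hypothetical and it assumes the values contain no spaces.

```shell
#!/bin/sh
# Added example: verify proxy variables on all MSR Swarm services without
# echoing proxy credentials. Service names are the ones updated above.
MSR_SERVICES="msr_msr-api-server msr_msr-garant msr_msr-jobrunner msr_msr-nginx
msr_msr-notary-server msr_msr-notary-signer msr_msr-registry
msr_msr-scanningstore msr_msr-enzi-api msr_msr-enzi-worker"

# Turn "[A=1 B=2]" (how the Env list is rendered) into one VAR=value per line.
# Assumption: no value contains a space.
env_lines() {
  printf '%s\n' "$1" | sed -e 's/^\[//' -e 's/\]$//' | tr ' ' '\n'
}

# Print only the proxy variables, replacing "user:password@" with "***@".
redact_proxy_env() {
  env_lines "$1" | grep -E '^HTTPS?_PROXY=' |
    sed -E 's#^([A-Z_]+=)([a-z]+://)?[^/]*@#\1\2***@#'
}

# Print the names of proxy variables that are absent or empty.
missing_proxy_vars() {
  for var in HTTP_PROXY HTTPS_PROXY; do
    env_lines "$1" | grep -Eq "^${var}=.+" || printf '%s\n' "$var"
  done
}

# Inspect each service; return non-zero if any service is incomplete.
check_all_services() {
  rc=0
  for svc in $MSR_SERVICES; do
    envlist=$(docker service inspect "$svc" \
      --format '{{.Spec.TaskTemplate.ContainerSpec.Env }}') || { rc=1; continue; }
    missing=$(missing_proxy_vars "$envlist")
    if [ -n "$missing" ]; then
      echo "$svc: missing $(echo $missing)"; rc=1
    else
      echo "$svc: ok"; redact_proxy_env "$envlist" | sed 's/^/  /'
    fi
  done
  return $rc
}

# Query the cluster only when asked: sh check-msr-proxy.sh check
if [ "${1:-}" = "check" ]; then check_all_services; fi
```

Run it on a Swarm manager node; the exit status is non-zero when any service is missing a variable or cannot be inspected.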