Catalog availability with Rancher 2.0 HA behind HTTP proxy

Hello

The official documentation describes setting up a single node
Rancher container behind an HTTP proxy, but not an HA
configuration.

I have a three-node HA cluster setup on-prem, but can’t access
any of the library or helm catalogs from our private network
without the proxy settings.

Is this a supported architecture, and if so, where would the
HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables
need to be defined?

Thanks!

If you set it up with rke, like I did, you set it up in the cluster.yml configuration like this:

# Necessary for password protected SSH Keys:
ssh_agent_auth: true

# Nodes Definitions
nodes:
  - address: 10.0.0.2  # hostname or IP to access nodes
    user: docker # root user (usually 'root')
    role: [controlplane,etcd,worker] # K8s roles for node
    ssh_key_path: ~/.ssh/id_rsa # path to PEM file
...

services:
  kube-apiserver:
    extra_args:
      feature-gates: "PersistentLocalVolumes=true,VolumeScheduling=true"
  kubelet:
    extra_args:
      feature-gates: "PersistentLocalVolumes=true,VolumeScheduling=true"
    extra_env:
      - "HTTP_PROXY=http://your_proxy"
      - "HTTPS_PROXY=http://your_proxy"
      - "NO_PROXY=127.0.0.1,localhost"

# Default versions
system_images:
    kubernetes: rancher/hyperkube:v1.10.5-rancher1
...

Then recreate your cluster with rke up, as adding these values doesn’t work yet. I filed a bug report in:

So far, I have set up these variables on my CentOS VM, in the systemd Environment config for dockerd, and for kubelet, so it should theoretically work, but it still does not work as intended in my network.

Did anyone else find a working solution for that?

Cheers,
Damian

Ok, we have solved that issue by providing the HTTP Proxy addresses additionally in cluster.yml’s Deployment section of the rancher/rancher Pods.

There, additional environment vars need to be added, like

  kind: Deployment
  apiVersion: extensions/v1beta1
  metadata:
    namespace: cattle-system
    name: cattle
  spec:
    replicas: 1
    template:
      metadata:
        labels:
          app: cattle
      spec:
        serviceAccountName: cattle-admin
        containers:
        - image: rancher/rancher:latest
          imagePullPolicy: Always
          name: cattle-server
          ports:
          - containerPort: 80
            protocol: TCP
          - containerPort: 443
            protocol: TCP
          volumeMounts:
          - mountPath: /etc/rancher/ssl
            name: cattle-keys-volume
            readOnly: true
          env:
            - name: http_proxy
              value: "http://10.1.2.3:3128"
            - name: https_proxy
              value: "http://10.1.2.3:3128"
            - name: HTTP_PROXY
              value: "http://10.1.2.3:3128"
            - name: HTTPS_PROXY
              value: "http://10.1.2.3:3128"
            - name: NO_PROXY
              value: "localhost,127.0.0.1,10.0.0.0/8"
            - name: no_proxy
              value: "localhost,127.0.0.1,10.0.0.0/8"

Hope this helps others to set up Rancher with Catalog behind an HTTP proxy.

Cheers,
Damian
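
A check for the proxy settings posted in this thread, as an added example that is not part of the original posts or of Rancher's own code: it flags upper/lower-case variables that disagree and internal destinations that would still be sent to the proxy. The NO_PROXY matching is a simplified model (exact host, domain suffix, IP, CIDR) and the list of internal destinations is a constructed assumption; real clients differ in whether they honor CIDR entries.

```python
import ipaddress

def bypasses_proxy(host, no_proxy):
    """True if `host` is contacted directly under `no_proxy` (simplified model)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if entry == "*":
            return True
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # hostname entry cannot match an IP literal
            continue
        name, suffix = host.lower().rstrip("."), entry.lstrip(".")
        if name == suffix or name.endswith("." + suffix):
            return True
    return False

def audit(env, internal_hosts):
    """Return a list of findings for one container's proxy environment."""
    findings = []
    for var in ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"):
        if env.get(var) != env.get(var.lower()):
            findings.append(f"{var} and {var.lower()} differ or one is unset")
    no_proxy = env.get("NO_PROXY") or env.get("no_proxy") or ""
    for host in internal_hosts:
        if not bypasses_proxy(host, no_proxy):
            findings.append(f"{host} would be sent through the proxy")
    return findings

# Values copied from the kubelet extra_env and the Deployment env in the thread.
KUBELET_ENV = {"HTTP_PROXY": "http://your_proxy", "HTTPS_PROXY": "http://your_proxy",
               "NO_PROXY": "127.0.0.1,localhost"}
RANCHER_ENV = {k: "http://10.1.2.3:3128"
               for k in ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")}
RANCHER_ENV.update(NO_PROXY="localhost,127.0.0.1,10.0.0.0/8",
                   no_proxy="localhost,127.0.0.1,10.0.0.0/8")
# Constructed sample (assumption): node address from the thread plus an in-cluster name.
INTERNAL = ["10.0.0.2", "kubernetes.default.svc"]

if __name__ == "__main__":
    for label, env in (("kubelet", KUBELET_ENV), ("rancher", RANCHER_ENV)):
        for finding in audit(env, INTERNAL):
            print(f"{label}: {finding}")
```

In this model the Deployment's NO_PROXY keeps the node address off the proxy, but a name-based internal call is only covered once a matching suffix such as `.svc` is listed.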