Using a proxy server for outbound traffic

Use a forward proxy to communicate with your external identity provider.

Forward proxy servers isolate the network and provide a single control point for outbound requests. Egress traffic is routed to the proxy server, which forwards it to the destination, typically an external service outside the firewall, and relays the response from the destination back to the caller. You can configure the proxy server to require authentication.

You can use a proxy server only if you are using OpenID Connect (OIDC) to connect your IBM Cloud Pak® with your identity provider (IdP).

Configuring the proxy server

Configure your proxy server to manage traffic for specific namespaces.

The identity management (IM) service uses the following parameters from the proxy configuration to add the proxy settings to IM applications:

IBM Cloud Pak requirements

Your IBM Cloud Pak must meet the following requirements:

After you complete the requirements, you can inject the proxy configuration parameters into the IM application through RSI configuration.

  1. Create a file named cpfs-im-proxy-envs.json in the RSI configuration directory, which is usually located under the cpd-cli as cpd-cli-workspace/olm-utils-workspace/work/rsi. The cpfs-im-proxy-envs.json file must contain the following lines. Replace the parameter values as applicable to your environment. Authentication credentials are optional.

     [ {
         "name":  "_userdefined_http_proxy",
         "value": "http://<username>:<password>@<ip>:<port>"
     }, {
         "name":  "_userdefined_https_proxy",
         "value": "http://<username>:<password>@<ip>:<port>"
     } ]

  2. Run the following RSI patch for IM applications. Replace $cs-data-ns with your foundational services data plane namespace.

     ./cpd-cli manage create-rsi-patch \
         --cpd_instance_ns=$cs-data-ns \
         --patch_name="cpfs-im-authsvc-proxy" \
         --description="add proxy settings to im authsvc" \
         --patch_type=rsi_pod_env_var \
         --patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
         --spec_format=set-env \
         --selector=app.kubernetes.io/instance:platform-auth-service \
         --skip_apply=false \
         --state=active

     ./cpd-cli manage create-rsi-patch \
         --cpd_instance_ns=$cs-data-ns \
         --patch_name="cpfs-im-providersvc-proxy" \
         --description="add proxy settings to im providersvc" \
         --patch_type=rsi_pod_env_var \
         --patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
         --spec_format=set-env \
         --selector=app.kubernetes.io/instance:platform-identity-provider \
         --skip_apply=false \
         --state=active

  3. Check the new platform-auth-service and platform-identity-provider pods to make sure that the proxy values are set as applicable to your environment. If you don’t find your environment values despite successfully running the cpd-cli command, restart the platform-auth-service and platform-identity-provider pods and reverify whether the values are set.

  4. Configure the public OIDC IdP and log in as you usually do.
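
As an added example (not part of the IBM documentation and not cpd-cli code), the following Python script performs two of the checks above by hand: it validates a cpfs-im-proxy-envs.json file before you pass it to create-rsi-patch (step 1), and it compares the proxy variables found in pod JSON, in the shape that kubectl get pod -o json returns, against that spec (step 3). It assumes the set-env spec format shown above, and it masks the proxy password before anything is printed so the credentials embedded in the URL do not end up in a terminal log. The sample spec and pod documents are constructed.

```python
"""Validate a cpfs-im-proxy-envs.json spec and verify that the IM pods carry its values.

Added example; assumes the set-env spec format ({"name", "value"} objects in a JSON
list) and the pod document shape of `kubectl get pod -o json`. Not cpd-cli code.
"""
import json
from urllib.parse import urlsplit

# Environment variable names the RSI spec on this page defines (set-env format).
REQUIRED_NAMES = ("_userdefined_http_proxy", "_userdefined_https_proxy")


def redact(url: str) -> str:
    """Return the proxy URL with any embedded password masked, for safe logging."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host_port = parts.netloc.split("@", 1)[1]  # host:port after the credentials
    return parts._replace(netloc=f"{parts.username or ''}:***@{host_port}").geturl()


def validate_spec(spec_text: str) -> list[str]:
    """Check a cpfs-im-proxy-envs.json document; return the problems found (empty if OK)."""
    try:
        entries = json.loads(spec_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(entries, list):
        return ["top-level value must be a JSON list"]
    problems, seen = [], {}
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or set(entry) != {"name", "value"}:
            problems.append(f"entry {i}: expected exactly the keys 'name' and 'value'")
            continue
        name, value = entry["name"], entry["value"]
        if name not in REQUIRED_NAMES:
            problems.append(f"entry {i}: unexpected variable name {name!r}")
        if name in seen:
            problems.append(f"entry {i}: duplicate name {name!r}")
        seen[name] = value
        if "<" in value or ">" in value:  # the page's template placeholders were left in
            problems.append(f"entry {i}: placeholder not replaced: {redact(value)!r}")
            continue
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"entry {i}: value is not a proxy URL: {redact(value)!r}")
        elif (parts.username is None) != (parts.password is None):
            problems.append(f"entry {i}: username and password must be given together")
    for name in REQUIRED_NAMES:
        if name not in seen:
            problems.append(f"missing variable {name!r}")
    return problems


def proxy_env_from_pod(pod: dict) -> dict:
    """Collect the proxy variables from every container's env list in a pod document."""
    found = {}
    for container in pod.get("spec", {}).get("containers", []):
        for env in container.get("env", []):
            if env.get("name") in REQUIRED_NAMES and "value" in env:
                found[env["name"]] = env["value"]
    return found


def verify_pods(spec_text: str, pods: list[dict]) -> dict[str, list[str]]:
    """Per pod, list expected variables that are missing or differ from the spec (masked)."""
    expected = {e["name"]: e["value"] for e in json.loads(spec_text)}
    report = {}
    for pod in pods:
        actual = proxy_env_from_pod(pod)
        report[pod["metadata"]["name"]] = [
            f"{var}: expected {redact(val)}, found "
            f"{redact(actual[var]) if var in actual else 'nothing'}"
            for var, val in expected.items() if actual.get(var) != val
        ]
    return report


# Constructed sample spec, mirroring the page's file with the placeholders filled in.
SAMPLE_SPEC = json.dumps([
    {"name": "_userdefined_http_proxy", "value": "http://proxyuser:s3cret@10.0.0.5:3128"},
    {"name": "_userdefined_https_proxy", "value": "http://proxyuser:s3cret@10.0.0.5:3128"},
])

# Constructed pod documents: one pod received both variables, the other still runs
# with a stale value, the situation step 3 says to fix by restarting the pod.
SAMPLE_PODS = [
    {"metadata": {"name": "platform-auth-service-abc"},
     "spec": {"containers": [{"name": "platform-auth-service", "env": [
         {"name": "_userdefined_http_proxy", "value": "http://proxyuser:s3cret@10.0.0.5:3128"},
         {"name": "_userdefined_https_proxy", "value": "http://proxyuser:s3cret@10.0.0.5:3128"},
     ]}]}},
    {"metadata": {"name": "platform-identity-provider-def"},
     "spec": {"containers": [{"name": "platform-identity-provider", "env": [
         {"name": "_userdefined_http_proxy", "value": "http://old-proxy:3128"},
     ]}]}},
]

if __name__ == "__main__":
    print("spec problems:", validate_spec(SAMPLE_SPEC) or "none")
    for pod_name, issues in verify_pods(SAMPLE_SPEC, SAMPLE_PODS).items():
        print(pod_name, "OK" if not issues else issues)
```

Against a live cluster, feed verify_pods the items array of kubectl get pods -n <namespace> -l app.kubernetes.io/instance=platform-auth-service -o json (and the same for platform-identity-provider); any pod listed with issues is one to restart and recheck, as step 3 describes.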

Rolling back the RSI proxy configuration from IM applications

To roll back the proxy configuration, first make sure that the RSI injection was successfully completed.

Then, run these commands to deactivate the patch and remove it. Replace $cs-data-ns with your foundational services data plane namespace.

./cpd-cli manage create-rsi-patch \
    --cpd_instance_ns=$cs-data-ns \
    --patch_name="cpfs-im-authsvc-proxy" \
    --description="add proxy settings to im authsvc" \
    --patch_type=rsi_pod_env_var \
    --patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
    --spec_format=set-env \
    --selector=app.kubernetes.io/instance:platform-auth-service \
    --skip_apply=false \
    --state=inactive
./cpd-cli manage delete-rsi-patch \
    --cpd_instance_ns=$cs-data-ns \
    --patch_name="cpfs-im-authsvc-proxy"
./cpd-cli manage create-rsi-patch \
    --cpd_instance_ns=$cs-data-ns \
    --patch_name="cpfs-im-providersvc-proxy" \
    --description="add proxy settings to im providersvc" \
    --patch_type=rsi_pod_env_var \
    --patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
    --spec_format=set-env \
    --selector=app.kubernetes.io/instance:platform-identity-provider \
    --skip_apply=false \
    --state=inactive
./cpd-cli manage delete-rsi-patch \
    --cpd_instance_ns=$cs-data-ns \
    --patch_name="cpfs-im-providersvc-proxy"