Using a proxy server for outbound traffic
Use a forward proxy to communicate with your external identity provider.
Forward proxy servers isolate the network and provide a control point for outbound requests. Egress traffic is routed through the proxy server, and the proxy server forwards it to the destination, which can be an external service outside the firewall. The proxy server performs the same actions for any response that comes back from the destination. You can also configure an authentication requirement for the proxy server.
You can use a proxy server only if you are using OpenID Connect (OIDC) to connect your IBM Cloud Pak® with your identity provider (IdP).
Configuring the proxy server
Configure your proxy server to manage traffic for specific namespaces.
The identity management (IM) service uses the following parameters from the proxy configuration to add the proxy settings to IM applications:
_userdefined_http_proxy
: A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be HTTP.
_userdefined_https_proxy
: A proxy URL to use for creating HTTPS connections outside the cluster. The URL scheme must be either HTTP or HTTPS.
IBM Cloud Pak requirements
Your IBM Cloud Pak must meet the following requirements:
- IBM Cloud Pak foundational services 4.2 or higher must be installed.
- Your IBM Cloud Pak and the Zen service must be installed.
- The IBM Cloud Pak for Data command-line interface (cpd-cli) and resource specification injection (RSI) must be configured. For more information, see Customizing pod specifications with resource specification injection.
- You must install and enable RSI for the namespace where foundational services are installed.
After you complete the requirements, you can inject the proxy configuration parameters into the IM application through RSI configuration.
- Create a file named cpfs-im-proxy-envs.json in the RSI configuration directory, which is usually located under the cpd-cli directory as cpd-cli-workspace/olm-utils-workspace/work/rsi. The cpfs-im-proxy-envs.json file must contain the following lines. Replace the parameter values as applicable to your environment. Authentication credentials are optional.

[
  {
    "name": "_userdefined_http_proxy",
    "value": "http://<username>:<password>@<ip>:<port>"
  },
  {
    "name": "_userdefined_https_proxy",
    "value": "http://<username>:<password>@<ip>:<port>"
  }
]
- Run the following RSI patches for the IM applications. Replace $cs-data-ns with your foundational services data plane namespace.

./cpd-cli manage create-rsi-patch \
--cpd_instance_ns=$cs-data-ns \
--patch_name="cpfs-im-authsvc-proxy" \
--description="add proxy settings to im authsvc" \
--patch_type=rsi_pod_env_var \
--patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
--spec_format=set-env \
--selector=app.kubernetes.io/instance:platform-auth-service \
--skip_apply=false \
--state=active

./cpd-cli manage create-rsi-patch \
--cpd_instance_ns=$cs-data-ns \
--patch_name="cpfs-im-providersvc-proxy" \
--description="add proxy settings to im providersvc" \
--patch_type=rsi_pod_env_var \
--patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
--spec_format=set-env \
--selector=app.kubernetes.io/instance:platform-identity-provider \
--skip_apply=false \
--state=active
- Check the new platform-auth-service and platform-identity-provider pods to make sure that the proxy values are set as applicable to your environment. If you don't find your environment values despite successfully running the cpd-cli command, restart the platform-auth-service and platform-identity-provider pods and reverify whether the values are set.
- Configure the public OIDC IdP and log in as you usually do.
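As an added check for the steps above (example code written for this page, not IBM's own tooling), the following Python validates a cpfs-im-proxy-envs.json file against the scheme rules given for the two parameters, flags template placeholders that were never replaced, and reads the injected values back out of a pod document of the kind returned by `oc get pod <name> -o json`. The sample spec and the host name proxy.example.internal are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# URL scheme each parameter accepts, as stated in the documentation above.
ALLOWED_SCHEMES = {"_userdefined_http_proxy": {"http"},
                   "_userdefined_https_proxy": {"http", "https"}}

def validate_proxy_spec(spec_text: str) -> list:
    """Return the problems found in a cpfs-im-proxy-envs.json document; [] means it is acceptable."""
    try:
        entries = json.loads(spec_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(entries, list):
        return ["spec must be a JSON array of name/value objects (spec_format=set-env)"]
    problems, seen = [], set()
    for entry in entries:
        name = entry.get("name") if isinstance(entry, dict) else None
        value = str(entry.get("value", "")) if isinstance(entry, dict) else ""
        if not isinstance(name, str) or name not in ALLOWED_SCHEMES:
            problems.append(f"unexpected entry: {entry!r}")
            continue
        seen.add(name)
        if "<" in value or ">" in value:  # angle brackets are invalid in a URL: template was never edited
            problems.append(f"{name}: placeholder still present in {value!r}")
        url = urlsplit(value)
        if url.scheme not in ALLOWED_SCHEMES[name]:
            problems.append(f"{name}: scheme {url.scheme!r} not allowed, expected one of {sorted(ALLOWED_SCHEMES[name])}")
        try:
            endpoint_ok = bool(url.hostname) and url.port is not None
        except ValueError:  # non-numeric or out-of-range port
            endpoint_ok = False
        if not endpoint_ok:
            problems.append(f"{name}: value must look like scheme://[user:password@]host:port")
    problems += [f"missing parameter: {p}" for p in ALLOWED_SCHEMES if p not in seen]
    return problems

def pod_proxy_env(pod: dict) -> dict:
    """Collect the proxy env values from every container of a pod, as returned by `oc get pod ... -o json`."""
    found = {}
    for container in pod.get("spec", {}).get("containers", []):
        for env in container.get("env", []):
            if env.get("name") in ALLOWED_SCHEMES and "value" in env:
                found[env["name"]] = env["value"]
    return found

# Constructed sample spec (not from a real environment); it is expected to validate cleanly.
SAMPLE_SPEC = json.dumps([{"name": "_userdefined_http_proxy", "value": "http://proxy.example.internal:3128"},
                          {"name": "_userdefined_https_proxy", "value": "http://proxy.example.internal:3128"}])
```

Note that credentials embedded in the proxy URL end up as plain-text environment variables in the pod spec, so anyone with read access to those pods can read them.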
Rolling back the RSI proxy configuration from IM applications
To roll back the proxy configuration, first make sure that the RSI injection was successfully completed.
Then, run these commands to deactivate the patches and remove them. Replace $cs-data-ns with your foundational services data plane namespace.

./cpd-cli manage create-rsi-patch \
--cpd_instance_ns=$cs-data-ns \
--patch_name="cpfs-im-authsvc-proxy" \
--description="add proxy settings to im authsvc" \
--patch_type=rsi_pod_env_var \
--patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
--spec_format=set-env \
--selector=app.kubernetes.io/instance:platform-auth-service \
--skip_apply=false \
--state=inactive
./cpd-cli manage delete-rsi-patch \
--cpd_instance_ns=$cs-data-ns \
--patch_name="cpfs-im-authsvc-proxy"
./cpd-cli manage create-rsi-patch \
--cpd_instance_ns=$cs-data-ns \
--patch_name="cpfs-im-providersvc-proxy" \
--description="add proxy settings to im providersvc" \
--patch_type=rsi_pod_env_var \
--patch_spec=/tmp/work/rsi/cpfs-im-proxy-envs.json \
--spec_format=set-env \
--selector=app.kubernetes.io/instance:platform-identity-provider \
--skip_apply=false \
--state=inactive
./cpd-cli manage delete-rsi-patch \
--cpd_instance_ns=$cs-data-ns \
--patch_name="cpfs-im-providersvc-proxy"