Configuring proxy authentication

You can configure the Kubernetes k3s environment and Edge Gateway instance to use a proxy server when your network requires a proxy to connect to sites such as quay.io and data sources. You need to know your proxy server settings, such as DNS name, IP address and account name if authentication is required.

Your proxy server must support both the HTTP and the STOMP protocols.

Configuring a connection to a proxy server for one component does not configure it for any other component. When configuring proxy settings, you need to configure the following components separately:
  • Kubernetes k3s environment.
  • Each instance of Edge Gateway.
  • Each data source that requires a connection to a proxy server.

You must use sudo to complete this task. Log in as the appadmin user and complete the following steps to configure the Kubernetes k3s environment:

  1. At the system hosting the Edge Gateway, edit the file /etc/systemd/system/k3s.service.env and set the following environment variables:
    HTTP_PROXY=<proxy info>
    HTTPS_PROXY=<proxy info>
    NO_PROXY=<localhost and other IPs that do not need proxy>

    The <proxy info> format is http://<user>:<password>@<domain or IP address>:<port> where <user> and <password> are URL encoded strings.

    For example:
    HTTP_PROXY=http://proxy.corp.com:8080
    HTTPS_PROXY=http://proxy.corp.com:8080
    NO_PROXY=localhost,127.0.0.1,localaddress,corp.com,10.0.0.0/8
    The following example shows proxy authentication, assuming the user name is user1 and the password is p@ssword:
    HTTP_PROXY=http://user1:p%40ssword@proxy.corp.com:8080
    HTTPS_PROXY=http://user1:p%40ssword@proxy.corp.com:8080
    NO_PROXY=localhost,127.0.0.1,localaddress,corp.com,10.0.0.0/8
    Note: HTTP_PROXY and HTTPS_PROXY are redirects, so you can have HTTPS_PROXY redirect HTTPS traffic to an HTTP URL.
  2. Update the system's cacerts to trust the CA certificate from the proxy itself by adding the certificate in PEM encoding to /etc/pki/ca-trust/source/anchors, and then run:
    sudo update-ca-trust
  3. Restart Kubernetes k3s:
    sudo systemctl restart k3s
  4. When the restart is done, enter the following command to list all of the system containers. Verify that their status is Running or Completed.
    sudo kubectl get pods -n kube-system
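
The URL encoding that step 1 requires for <user> and <password>, as an added example that is not part of the product documentation. The helper names (proxy_url, parses_as_intended, k3s_env_lines) are hypothetical and the second password is a constructed sample; the script builds the k3s.service.env lines and checks that a URL parser recovers the intended proxy host, port and credentials.

```python
from urllib.parse import quote, unquote, urlsplit


def proxy_url(host, port, user=None, password=None, scheme="http"):
    """Build <scheme>://<user>:<password>@<host>:<port> with URL-encoded credentials."""
    if not user:
        return f"{scheme}://{host}:{port}"
    # safe="" makes quote() encode '/' as well; by default it leaves '/' as is.
    cred = quote(user, safe="")
    if password is not None:
        cred += ":" + quote(password, safe="")
    return f"{scheme}://{cred}@{host}:{port}"


def parses_as_intended(url, host, port, user, password):
    """True if a URL parser recovers exactly the intended proxy and credentials."""
    try:
        p = urlsplit(url)
        return (p.hostname == host and p.port == port
                and unquote(p.username or "") == user
                and unquote(p.password or "") == password)
    except ValueError:  # for example, a non-numeric "port" after a stray ':'
        return False


def k3s_env_lines(url, no_proxy):
    """Lines for /etc/systemd/system/k3s.service.env (hypothetical helper)."""
    return [f"HTTP_PROXY={url}", f"HTTPS_PROXY={url}",
            "NO_PROXY=" + ",".join(no_proxy)]


if __name__ == "__main__":
    host, port, user = "proxy.corp.com", 8080, "user1"
    no_proxy = ["localhost", "127.0.0.1", "localaddress", "corp.com", "10.0.0.0/8"]
    # "p@ssword" is the page's example; the second password is constructed.
    for password in ("p@ssword", "p/ss#w:rd"):
        raw = f"http://{user}:{password}@{host}:{port}"
        enc = proxy_url(host, port, user, password)
        print("raw parses as intended:    ", parses_as_intended(raw, host, port, user, password))
        print("encoded parses as intended:", parses_as_intended(enc, host, port, user, password))
        print("\n".join(k3s_env_lines(enc, no_proxy)))
```
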
Important: If you use a proxy server between the Edge Gateway and the platform, use the --https-proxy-url option. You can use --https-from-http with --http-proxy-url if the HTTP and HTTPS proxy are the same. The --http-proxy-url by itself is not supported.

If you use the --no-proxy option between the Edge Gateway and the platform, specify the fully qualified domain name (FQDN) or the IP address that is specified as the host in the app.config file. Wildcards and IP address ranges are not supported in this case; this restriction applies only between the Edge Gateway and the platform.

Complete the following to configure the proxy settings for each instance of the Edge Gateway. You must pair the Edge Gateway before configuring the connection to a proxy server.
  • If you installed the Edge Gateway, you can configure the Edge Gateway to connect through the proxy using the following command.
    manageAppHost proxy --http-proxy-url <http://URL:port# of proxy>
    If proxy authentication is required, enter the following command instead. You are prompted for the proxy password.
    manageAppHost proxy --http-proxy-url <http://URL:port# of proxy> --proxy-user <user>

    If there are multiple paired Edge Gateways on the system, you are prompted to select the Edge Gateway to configure.

  • If you have not installed the Edge Gateway, you can enter the proxy setting as follows:
    manageAppHost install --http-proxy-url <http://URL:port# of proxy>
    If proxy authentication is required, enter the following command instead. You are prompted for the proxy password.
    manageAppHost install --http-proxy-url <http://URL:port# of proxy> --proxy-user <user>
If you need to clear the proxy setting, use the following command:
manageAppHost proxy --clear