Introduction

In a lot of enterprise environments, servers or VMs running on premises do not have direct Internet access. Instead, connections to external services go through an HTTP(S) proxy for security reasons. This tutorial shows you how to set up an Elemental deployment in such an environment.

Important note

This guide will not cover the Rancher installation behind a proxy. It’s a different use case and you can find the detailed documentation here.

Info

For this documentation, we assume you are using a SUSE family system (like SLE Micro), so proxy settings have to be written in /etc/sysconfig/proxy.

Proxy settings must be configured in the following locations:

  • Machine Registration Endpoint
  • SeedImage resource
  • Elemental cluster configuration

The elemental-system-agent needs proxy settings to reach the Rancher Manager. To achieve that, you need to fill in the cloud-init section of the Machine Registration Endpoint.

You can do it with either the UI or the CLI.

registration.yaml

    apiVersion: elemental.cattle.io/v1beta1
    kind: MachineRegistration
    metadata:
      name: my-nodes
      namespace: fleet-default
    spec:
      config:
        cloud-config:
          write_files:
          - path: /etc/sysconfig/proxy
            append: true
            content: |
              PROXY_ENABLED="yes"
              HTTP_PROXY=http://<MY_PROXY>:<MY_PORT>
              HTTPS_PROXY=https://<MY_PROXY>:<MY_PORT>
              NO_PROXY="localhost, 127.0.0.1"
          users:
          - name: root
            passwd: root
        elemental:
          install:
            reboot: true
            device: /dev/sda
            debug: true
          registration:
            emulate-tpm: true

[Figure: Add proxy settings in Machine Registration]

Elemental-register

Elemental-register is the first communication endpoint between the new host and Rancher Manager. This is the first place where proxy settings need to be set.

Warning

At the time of writing, it’s only possible to configure proxy settings for the ISO with the CLI. The proxy settings aren’t implemented in the UI.

The process happens when you boot your Elemental ISO for the first time. To configure the proxy settings, you have to include a cloud-init definition in the ISO, which you do by creating a SeedImage definition.

seedimage.yaml

    apiVersion: elemental.cattle.io/v1beta1
    kind: SeedImage
    metadata:
      name: ...
      namespace: ...
    spec:
      baseImage: registry.suse.com/suse/sle-micro-iso/5.5:2.0.2
      cloud-config:
        write_files:
        - path: /etc/sysconfig/proxy
          append: true
          content: |
            PROXY_ENABLED="yes"
            HTTP_PROXY=http://<MY_PROXY>:<MY_PORT>
            HTTPS_PROXY=https://<MY_PROXY>:<MY_PORT>
            NO_PROXY="localhost, 127.0.0.1"
      registrationRef:
        apiVersion: elemental.cattle.io/v1beta1
        kind: MachineRegistration
        name: ...
        namespace: ...

Apply the YAML with kubectl, then print your SeedImage definition to get the URL to download the ISO:

    kubectl apply -f <my_seedimage_yaml_file>
    kubectl get seedimage <seed_image_name> -n <namespace> -o yaml

Boot the ISO and you should see your new system appear in the Machine inventory.

Create Elemental cluster

For this step, you can use either the UI or CLI.

cluster.yaml

    kind: Cluster
    apiVersion: provisioning.cattle.io/v1
    metadata:
      name: my-cluster
      namespace: fleet-default
    spec:
      agentEnvVars:
      - name: HTTP_PROXY
        value: http://<MY_PROXY>:<MY_PORT>
      - name: HTTPS_PROXY
        value: https://<MY_PROXY>:<MY_PORT>
      - name: NO_PROXY
        value: localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
      rkeConfig:
        machineGlobalConfig:
          etcd-expose-metrics: false
          profile: null
        machinePools:
        - controlPlaneRole: true
          etcdRole: true
          machineConfigRef:
            apiVersion: elemental.cattle.io/v1beta1
            kind: MachineInventorySelectorTemplate
            name: my-machine-selector
          name: pool1
          quantity: 1
          unhealthyNodeTimeout: 0s
          workerRole: true
        machineSelectorConfig:
        - config:
            protect-kernel-defaults: false
        registries: {}
      kubernetesVersion: v1.24.8+k3s1

You can see that proxy settings are added below agentEnvVars.

[Figure: Add proxy settings for Elemental cluster]
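The two NO_PROXY values used in this guide differ in scope, so it helps to check which destinations each one sends directly and which go through the proxy. The following is an added example, not part of the Elemental documentation. It assumes a simplified NO_PROXY model (exact host, leading-dot domain suffix, single IP or CIDR); individual clients differ in the details, and the host names in the usage note are constructed.

```python
import ipaddress

# NO_PROXY value copied from the cluster.yaml agentEnvVars in this guide.
CLUSTER_NO_PROXY = ("localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,"
                    "192.168.0.0/16,.svc,.cluster.local")
# NO_PROXY value copied from the /etc/sysconfig/proxy content in this guide.
SYSCONFIG_NO_PROXY = "localhost, 127.0.0.1"


def parse_no_proxy(value):
    """Split a NO_PROXY string into (networks, exact hosts, domain suffixes)."""
    networks, hosts, suffixes = [], set(), []
    for raw in value.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        try:
            # Accepts single IPs ("127.0.0.1") as well as CIDRs ("10.0.0.0/8").
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            if entry.startswith("."):
                suffixes.append(entry)
            else:
                hosts.add(entry)
    return networks, hosts, suffixes


def bypasses_proxy(host, no_proxy):
    """Return True if `host` would be contacted directly, not via the proxy."""
    networks, hosts, suffixes = parse_no_proxy(no_proxy)
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Host name: exact match or leading-dot suffix match. No DNS lookup is
        # done, so a name that resolves into a listed CIDR still uses the proxy.
        return host in hosts or any(host.endswith(s) for s in suffixes)
    return any(addr in net for net in networks)


def audit(destinations, no_proxy):
    """Map each destination to 'direct' or 'proxy' for review."""
    return {d: "direct" if bypasses_proxy(d, no_proxy) else "proxy"
            for d in destinations}
```

Calling `audit(["rancher.example.com", "10.42.0.5", "kubernetes.default.svc"], CLUSTER_NO_PROXY)` shows the constructed Rancher Manager name going through the proxy while the pod address and the in-cluster service name are reached directly.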