This documentation is for the previous generation of Anthos clusters on AWS. For the current generation, see Anthos clusters on AWS.

Changing Cluster Proxy Settings

Version 1.8 of Anthos clusters on AWS adds the ability to modify a cluster's proxy settings without recreating a cluster.

Changing the proxy for your management service

To modify proxy settings for your Anthos clusters on AWS management service, perform the following steps:

  1. Update the contents of the management service's proxy.json file, as described in Creating the Proxy Config JSON File.

  2. Re-run anthos-gke aws management init and anthos-gke aws management apply to apply your changes to the management service.

Changing the proxy for your user cluster

When you create a user cluster, it uses the management service's proxy settings. To change the proxy settings for a user cluster without changing those of the management service, you must create a Kubernetes Secret containing the proxy information, then use kubectl to apply the changes.

Create a Kubernetes Secret

  1. First, create a YAML file with the following contents to describe the Secret. The Secret must be defined as opaque and immutable. This example uses the file name proxy-secret.yaml.

     apiVersion: v1
     kind: Secret
     metadata:
       name: PROXY_SECRET
     type: Opaque
     immutable: true
     stringData:
       # You can include additional key value pairs as you do with Opaque Secrets
       httpProxy: HTTP_PROXY
       httpsProxy: HTTPS_PROXY
       noProxy: NO_PROXY_LIST
     

    Replace:

    • HTTP_PROXY with the proxy server address to route HTTP requests through
    • HTTPS_PROXY with an optional proxy server address to route HTTPS requests through
    • NO_PROXY_LIST with an optional list of IPs, CIDR ranges, and domains within your VPN for which a proxy should not be used
    • PROXY_SECRET with the name you choose for the Secret
  2. Apply your changes to create the Secret:

    env HTTPS_PROXY=http://localhost:8118 \
       kubectl apply -f ./proxy-secret.yaml
    

Update the user cluster and node pool configs

Next, update the AWSCluster and AWSNodePool configuration to refer to the Secret name under spec.proxySecretName and spec.controlPlane.proxySecretName respectively.

Finally, issue the following command to update your user cluster.

   env HTTPS_PROXY=http://localhost:8118 \
     kubectl apply -f CLUSTER_YAML_FILE

Replace CLUSTER_YAML_FILE with the name of the yaml file that defines your cluster.

User cluster status changes

After you run the kubectl apply command to apply the new proxy settings, the user cluster status will change from Provisioned to Updating, then return to Provisioned when done.

Setting proxies for more than one user cluster

If you have several user clusters and want to configure different proxies for each of them, follow the Changing the proxy for your user cluster instructions for each of your clusters. You must create a different Kubernetes Secret for each proxy, and must update each user cluster config separately to refer to the name of the Secret for that user cluster.

Rotating proxies for a user cluster

To change the proxy settings for a cluster that already has individual proxy settings, create and apply a new Secret with the new proxy settings and a different Secret name. If you reuse the current Secret name, the cluster's proxy settings will not be changed.

Troubleshooting

If the Secret is not well-formed or is missing required keys, the command fails and the change isn't applied. To check if your Secret was correctly validated, look at the Kubernetes Event log for AWSClusters and AWSNodePools with the following command:

   env HTTPS_PROXY=http://localhost:8118 \
     kubectl get events

If there was an error in your Secret configuration, delete the Secret with the following command:

  env HTTPS_PROXY=http://localhost:8118 \
    kubectl delete secret SECRET_NAME
  

Replace SECRET_NAME with the name of your Secret.

Then re-create the Secret with a correctly-formatted proxy Secret YAML file and re-apply the change. You can use the same Secret name as was used in the first attempt.

For more information

To configure proxy settings for the first time, see Using a proxy.

To create a dedicated AWS VPC, see Installing the management service.