Version 1.8 of Anthos clusters on AWS adds the ability to modify a cluster's proxy settings without recreating a cluster.
Changing the proxy for your management service
To modify proxy settings for your Anthos clusters on AWS management service, perform the following steps:
Update the contents of the management service's proxy.json file, as described in Creating the Proxy Config JSON File.
anthos-gke aws management initand
anthos-gke aws management applyto apply your changes to the management service.
Changing the proxy for your user cluster
When you create a user cluster, it uses the management service's proxy settings.
To change the proxy settings for a user cluster without changing those
of the management service, you must create a Kubernetes Secret
containing the proxy information, then use
kubectl to apply the changes.
Create a Kubernetes Secret
First, create a YAML file with the following contents to describe the Secret. The Secret must be defined as opaque and immutable. This example uses the file name
apiVersion: v1 kind: Secret metadata: name: PROXY_SECRET type: Opaque immutable: true stringData: # You can include additional key value pairs as you do with Opaque Secrets httpProxy: HTTP_PROXY httpsProxy: HTTPS_PROXY noProxy: NO_PROXY_LIST
- HTTP_PROXY with the proxy server address to route HTTP requests through
- HTTPS_PROXY with an optional proxy server address to route HTTPS requests through
- NO_PROXY_LIST with an optional list of IPs, CIDR ranges, and domains within your VPN for which a proxy should not be used
- PROXY_SECRET with the name you choose for the Secret
Apply your changes to create the Secret:
env HTTPS_PROXY=http://localhost:8118 \ kubectl apply -f ./proxy-secret.yaml
Update the user cluster and node pool configs
Next, update the AWSCluster and AWSNodePool
configuration to refer to the Secret name under
Finally, issue the following command to update your user cluster.
env HTTPS_PROXY=http://localhost:8118 \ kubectl apply -f CLUSTER_YAML_FILE
Replace CLUSTER_YAML_FILE with the name of the yaml file that defines your cluster.
User cluster status changes
After you run the
kubectl apply command to apply the new proxy settings,
the user cluster status will change from
Provisioned when done.
Setting proxies for more than one user cluster
If you have several user clusters and want to configure different proxies for each of them, follow the Changing the proxy for your user cluster instructions for each of your clusters. You must create a different Kubernetes Secret for each proxy, and must update each user cluster config separately to refer to the name of the Secret for that user cluster.
Rotating proxies for a user cluster
To change the proxy settings for a cluster that already has individual proxy settings, create and apply a new Secret with the new proxy settings and a different Secret name. If you reuse the current Secret name, the cluster's proxy settings will not be changed.
If the Secret is not well-formed or is missing required keys, the command fails and the change isn't applied. To check if your Secret was correctly validated, look at the Kubernetes Event log for AWSClusters and AWSNodePools with the following command:
env HTTPS_PROXY=http://localhost:8118 \ kubectl get events
If there was an error in your Secret configuration, delete the Secret with the following command:
env HTTPS_PROXY=http://localhost:8118 \ kubectl delete secret SECRET_NAME
Replace SECRET_NAME with the name of your Secret.
Then re-create the Secret with a correctly-formatted proxy Secret YAML file and re-apply the change. You can use the same Secret name as was used in the first attempt.
For more information
To configure proxy settings for the first time, see Using a proxy.
To create a dedicated AWS VPC, see Installing the management service.