Add IPv6 forward proxy support for connected cluster deployments #757
#443 FYSA
Implement Squid forward proxy on bastion to enable IPv6-only clusters to access external container registries (quay.io, registry.redhat.io) without requiring a local mirror registry.

New features:
- Add bastion-proxy role deploying Squid container with IPv6 support
- Configure cluster and infra-env with proxy settings via Assisted Installer API
- Add setup_bastion_proxy variable (mutually exclusive with bastion registry)

Key implementation details:
- Bastion has dual-stack connectivity, so only cluster nodes use proxy
- Discovery ISO automatically gets proxy config via infra-env API
- no_proxy includes bastion hostname for direct API access

Signed-off-by: Marius Cornea <mcornea@redhat.com>
Signed-off-by: Marius Cornea <mcornea@redhat.com>
ansible/vars/all.sample.yml
| # Proxy settings (defaults provided, override as needed) | ||
| # proxy_port: 3128 | ||
| # proxy_cache_size_mb: 10000 |
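Review bot: The commented-out `proxy_port` and `proxy_cache_size_mb` lines repeat values that the header comment says are already provided as defaults, so the sample file can drift from the real defaults as soon as either side changes. Drop them, or replace them with a one-line pointer to where the defaults are defined. If `proxy_cache_size_mb` stays, say next to it that 10000 MB is roughly 10 GB so users can size the proxy host accordingly.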
Do we need these defaults exposed in the all.sample.yml? I have tried to keep the all.sample.yml down to the minimum number of vars to prevent users from adjusting vars that rarely need to be changed.
Nope, they're available in the role defaults. I removed them from all.sample.yml
| # Proxy configuration | ||
| proxy_type: squid | ||
| proxy_port: 3128 | ||
| proxy_container_image: docker.io/ubuntu/squid:latest |
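Review bot: `proxy_container_image: docker.io/ubuntu/squid:latest` uses a floating tag, so the image that cluster traffic is proxied through can change between runs without any change in this repository. Pin a specific version tag or, better, an image digest (`<image>@sha256:<digest>`) and bump it deliberately, so a deployment is reproducible and an unexpected upstream push cannot silently replace the proxy.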
Do we have a quay hosted equivalent?
+1, let's avoid docker.io as much as possible in the labs
Updated to use quay.io/konflux-ci/caching/squid:latest which seems well maintained using a recent squid version.
| - name: Pull squid container image | ||
| containers.podman.podman_image: | ||
| name: "{{ proxy_container_image }}" | ||
| state: present |
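Review bot: `state: present` is satisfied by any image already in local storage under this name, so on a bastion that pulled earlier this task will not fetch a newer build. With a floating tag in `proxy_container_image`, two bastions can end up running different Squid builds. Pin the tag or digest in the variable, or set `force: true` on this task if refreshing the image on every run is the intent.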
Is it needed to have this task? I don't see it for any other of the "Standard" podman containers running.
It's not necessary. The image also gets pulled when running the container if not present. I removed it.
I was able to deploy an SNO with this that was IPv6 without a bastion mirror registry, so it is definitely neat. I had a few comments I added and was also curious if we should place the squid proxy container inside a podman pod similar to how assisted-service and the http server are set up, or if there isn't any real benefit then we could keep it as a standalone container. WDYT?
Sure, I updated the logic to run the squid container inside a pod to be consistent with the other components.
Signed-off-by: Marius Cornea <mcornea@redhat.com>
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: akrzos
4acbfc0
into
redhat-performance:main