From f81d0a73309af9d205c7630f291d340026ac30ab Mon Sep 17 00:00:00 2001 From: Marius Cornea Date: Mon, 19 Jan 2026 16:35:23 +0200 Subject: [PATCH 1/3] Add IPv6 forward proxy support for connected cluster deployments Implement Squid forward proxy on bastion to enable IPv6-only clusters to access external container registries (quay.io, registry.redhat.io) without requiring a local mirror registry. New features: - Add bastion-proxy role deploying Squid container with IPv6 support - Configure cluster and infra-env with proxy settings via Assisted Installer API - Add setup_bastion_proxy variable (mutually exclusive with bastion registry) Key implementation details: - Bastion has dual-stack connectivity, so only cluster nodes use proxy - Discovery ISO automatically gets proxy config via infra-env API - no_proxy includes bastion hostname for direct API access Signed-off-by: Marius Cornea --- .../bastion-proxy/defaults/main/main.yml | 26 ++++++ ansible/roles/bastion-proxy/handlers/main.yml | 8 ++ ansible/roles/bastion-proxy/tasks/main.yml | 83 +++++++++++++++++++ .../bastion-proxy/templates/squid.conf.j2 | 56 +++++++++++++ .../roles/create-ai-cluster/tasks/main.yml | 32 ++++++- ansible/roles/validate-vars/tasks/main.yml | 14 ++++ ansible/setup-bastion.yml | 4 +- ansible/vars/all.sample.yml | 9 ++ 8 files changed, 229 insertions(+), 3 deletions(-) create mode 100644 ansible/roles/bastion-proxy/defaults/main/main.yml create mode 100644 ansible/roles/bastion-proxy/handlers/main.yml create mode 100644 ansible/roles/bastion-proxy/tasks/main.yml create mode 100644 ansible/roles/bastion-proxy/templates/squid.conf.j2 diff --git a/ansible/roles/bastion-proxy/defaults/main/main.yml b/ansible/roles/bastion-proxy/defaults/main/main.yml new file mode 100644 index 00000000..c5eb39ec --- /dev/null +++ b/ansible/roles/bastion-proxy/defaults/main/main.yml @@ -0,0 +1,26 @@ +--- +# Bastion proxy defaults + +# Proxy configuration +proxy_type: squid +proxy_port: 3128 +proxy_container_image: docker.io/ubuntu/squid:latest + +# Cache configuration (persistent across reboots) +proxy_cache_dir: /opt/squid/cache +proxy_conf_dir: /opt/squid/conf +proxy_cache_size_mb: 10000 +proxy_max_object_size_mb: 4096 + +# IPv6 settings +proxy_listen_ipv6: true + +# ACL - which hosts can use the proxy (auto-populated from controlplane_network) +proxy_allowed_networks: "{{ controlplane_network }}" + +# Computed proxy URL for use by other roles +proxy_url: "http://{{ groups['bastion'][0] }}:{{ proxy_port }}" +proxy_host: "{{ groups['bastion'][0] }}" + +# No proxy list (hosts that should bypass the proxy) +proxy_no_proxy: "localhost,127.0.0.1,.{{ base_dns_name }},{{ controlplane_network | join(',') }}" diff --git a/ansible/roles/bastion-proxy/handlers/main.yml b/ansible/roles/bastion-proxy/handlers/main.yml new file mode 100644 index 00000000..d2a01e4c --- /dev/null +++ b/ansible/roles/bastion-proxy/handlers/main.yml @@ -0,0 +1,8 @@ +--- +# Bastion proxy handlers + +- name: Restart squid proxy + containers.podman.podman_container: + name: squid-proxy + state: started + restart: true diff --git a/ansible/roles/bastion-proxy/tasks/main.yml b/ansible/roles/bastion-proxy/tasks/main.yml new file mode 100644 index 00000000..73d83842 --- /dev/null +++ b/ansible/roles/bastion-proxy/tasks/main.yml @@ -0,0 +1,83 @@ +--- +# Bastion proxy tasks - Deploy Squid forward proxy + +- name: Create squid directories + file: + path: "{{ item }}" + state: directory + mode: '0777' + loop: + - "{{ proxy_cache_dir }}" + - "{{ proxy_conf_dir }}" + - /var/log/squid + +- name: Template squid configuration + template: + src: squid.conf.j2 + dest: "{{ proxy_conf_dir }}/squid.conf" + mode: '0644' + notify: Restart squid proxy + +- name: Pull squid container image + containers.podman.podman_image: + name: "{{ proxy_container_image }}" + state: present + +- name: Stop existing squid containers + containers.podman.podman_container: + name: "{{ item }}" + state: absent + loop: + - squid-proxy + - squid-init + failed_when: false + +- name: Initialize squid cache directory + containers.podman.podman_container: + name: squid-init + image: "{{ proxy_container_image }}" + state: started + rm: true + user: root + command: sh -c "chown -R proxy:proxy /var/spool/squid /var/log/squid && squid -z -N" + volumes: + - "{{ proxy_conf_dir }}/squid.conf:/etc/squid/squid.conf:z" + - "{{ proxy_cache_dir }}:/var/spool/squid:z" + - /var/log/squid:/var/log/squid:z + register: squid_init + failed_when: false + +- name: Wait for cache initialization + pause: + seconds: 3 + when: squid_init.changed + +- name: Run squid proxy container + containers.podman.podman_container: + name: squid-proxy + image: "{{ proxy_container_image }}" + state: started + restart_policy: always + network_mode: host + volumes: + - "{{ proxy_conf_dir }}/squid.conf:/etc/squid/squid.conf:z" + - "{{ proxy_cache_dir }}:/var/spool/squid:z" + - /var/log/squid:/var/log/squid:z + +- name: Open firewall port for proxy + firewalld: + port: "{{ proxy_port }}/tcp" + permanent: true + immediate: true + state: enabled + when: ansible_facts.services['firewalld.service'] is defined + +- name: Verify squid proxy is responding + uri: + url: "http://localhost:{{ proxy_port }}" + method: GET + status_code: [400, 403] + register: proxy_check + retries: 5 + delay: 3 + until: proxy_check.status in [400, 403] diff --git a/ansible/roles/bastion-proxy/templates/squid.conf.j2 b/ansible/roles/bastion-proxy/templates/squid.conf.j2 new file mode 100644 index 00000000..b880a058 --- /dev/null +++ b/ansible/roles/bastion-proxy/templates/squid.conf.j2 @@ -0,0 +1,56 @@ +# Squid configuration for IPv6 forward proxy +# Generated by Jetlag bastion-proxy role + +# Listening ports - IPv4 and IPv6 +http_port {{ proxy_port }} +{% if proxy_listen_ipv6 %} +http_port [::]:{{ proxy_port }} +{% endif %} + +# Cache configuration for container images +cache_mem 256 MB +maximum_object_size {{ proxy_max_object_size_mb }} MB +cache_dir ufs /var/spool/squid {{ proxy_cache_size_mb }} 16 256 + +# Logging +access_log daemon:/var/log/squid/access.log squid +cache_log /var/log/squid/cache.log + +# ACL definitions +{% for network in proxy_allowed_networks %} +acl localnet src {{ network }} +{% endfor %} + +# Safe ports (standard HTTP/HTTPS) +acl SSL_ports port 443 +acl Safe_ports port 80 +acl Safe_ports port 443 +acl CONNECT method CONNECT + +# Deny requests to unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to non-SSL ports +http_access deny CONNECT !SSL_ports + +# Allow HTTPS CONNECT tunneling (required for container registries) +http_access allow CONNECT SSL_ports + +# Allow access from local networks +http_access allow localnet + +# Allow localhost +http_access allow localhost + +# Deny all other access +http_access deny all + +# DNS settings - use system resolver +dns_nameservers {{ controlplane_network[0] | ansible.utils.nthhost(1) }} + +# Refresh patterns for container images (cache aggressively) +refresh_pattern -i \.(rpm|deb|tar|gz|tgz|bz2|xz)$ 10080 90% 43200 +refresh_pattern . 0 20% 4320 + +# Shutdown behavior +shutdown_lifetime 5 seconds diff --git a/ansible/roles/create-ai-cluster/tasks/main.yml b/ansible/roles/create-ai-cluster/tasks/main.yml index f1e12fbf..6fb4dcde 100644 --- a/ansible/roles/create-ai-cluster/tasks/main.yml +++ b/ansible/roles/create-ai-cluster/tasks/main.yml @@ -68,7 +68,12 @@ ], "pull_secret": {{ pull_secret | tojson | tojson }}, "ssh_public_key": "{{ lookup('file', ssh_public_key_file) }}", - "additional_ntp_source": "{{ controlplane_network[0] | ansible.utils.nthhost(1) if (lab in cloud_labs) or use_bastion_registry else labs[lab]['ntp_server'] }}" + {% if setup_bastion_proxy | default(false) %} + "http_proxy": "http://{{ proxy_host | default(groups['bastion'][0]) }}:{{ proxy_port | default(3128) }}", + "https_proxy": "http://{{ proxy_host | default(groups['bastion'][0]) }}:{{ proxy_port | default(3128) }}", + "no_proxy": "{{ proxy_no_proxy | default('localhost,127.0.0.1,.' + base_dns_name + ',' + groups['bastion'][0] + ',' + controlplane_network | join(',')) }}", + {% endif %} + "additional_ntp_source": "{{ controlplane_network[0] | ansible.utils.nthhost(1) if (lab in cloud_labs) or use_bastion_registry or setup_bastion_proxy | default(false) else labs[lab]['ntp_server'] }}" } - name: SNO - Add entries in /etc/hosts @@ -149,7 +154,12 @@ "pull_secret": {{ pull_secret | tojson | tojson }}, "ssh_public_key": "{{ lookup('file', ssh_public_key_file) }}", "vip_dhcp_allocation": {{ vip_dhcp_allocation }}, - "additional_ntp_source": "{{ controlplane_network[0] | ansible.utils.nthhost(1) if (lab in cloud_labs) or use_bastion_registry else labs[lab]['ntp_server'] }}", + {% if setup_bastion_proxy | default(false) %} + "http_proxy": "http://{{ proxy_host | default(groups['bastion'][0]) }}:{{ proxy_port | default(3128) }}", + "https_proxy": "http://{{ proxy_host | default(groups['bastion'][0]) }}:{{ proxy_port | default(3128) }}", + "no_proxy": "{{ proxy_no_proxy | default('localhost,127.0.0.1,.' + base_dns_name + ',' + groups['bastion'][0] + ',' + controlplane_network | join(',')) }}", + {% endif %} + "additional_ntp_source": "{{ controlplane_network[0] | ansible.utils.nthhost(1) if (lab in cloud_labs) or use_bastion_registry or setup_bastion_proxy | default(false) else labs[lab]['ntp_server'] }}", "network_type": "OVNKubernetes" } @@ -257,6 +267,24 @@ } when: use_bastion_registry | default(false) +- name: Patch infra-env for proxy configuration + uri: + url: "http://{{ assisted_installer_host }}:{{ assisted_installer_port }}/api/assisted-install/v2/infra-envs/{{ ai_infraenv_id }}" + method: PATCH + body_format: json + status_code: [201] + return_content: true + body: { + "proxy": { + "http_proxy": "http://{{ proxy_host | default(groups['bastion'][0]) }}:{{ proxy_port | default(3128) }}", + "https_proxy": "http://{{ proxy_host | default(groups['bastion'][0]) }}:{{ proxy_port | default(3128) }}", + "no_proxy": "{{ proxy_no_proxy | default('localhost,127.0.0.1,.' + base_dns_name + ',' + groups['bastion'][0] + ',' + controlplane_network | join(',')) }}" + } + } + when: + - setup_bastion_proxy | default(false) + - not use_bastion_registry | default(false) + # Disable lab interface manifests, skip if SNO has sno_use_lab_dhcp=true - name: Include custom manifests to disable the lab interface (RH Labs & BYOL) include_tasks: 01_manifest_update.yml diff --git a/ansible/roles/validate-vars/tasks/main.yml b/ansible/roles/validate-vars/tasks/main.yml index 197f6ae5..70298528 100644 --- a/ansible/roles/validate-vars/tasks/main.yml +++ b/ansible/roles/validate-vars/tasks/main.yml @@ -66,6 +66,20 @@ - enable_bond_vlan | default(false) - bond_vlan_id | default(10) < 1 or bond_vlan_id | default(10) > 4094 +- name: Validate setup_bastion_proxy and setup_bastion_registry are mutually exclusive + fail: + msg: "setup_bastion_proxy and setup_bastion_registry cannot both be true. Use either a forward proxy OR a local mirror registry, not both." + when: + - setup_bastion_proxy | default(false) + - setup_bastion_registry | default(false) + +- name: Validate setup_bastion_proxy and use_bastion_registry are mutually exclusive + fail: + msg: "setup_bastion_proxy and use_bastion_registry cannot both be true. Use either a forward proxy OR a local mirror registry, not both." + when: + - setup_bastion_proxy | default(false) + - use_bastion_registry | default(false) + - name: Check for RHEL/Centos (Bastion Validation) fail: msg: "Expecting RHEL or Centos for a Bastion OS" diff --git a/ansible/setup-bastion.yml b/ansible/setup-bastion.yml index 23b89ce3..3923b08b 100644 --- a/ansible/setup-bastion.yml +++ b/ansible/setup-bastion.yml @@ -32,8 +32,10 @@ when: - setup_bastion_registry - sync_ocp_release | default(false) + - role: bastion-proxy + when: setup_bastion_proxy | default(false) - bastion-assisted-installer - role: bastion-gogs when: setup_bastion_gogs - role: bastion-disconnected-haproxy - when: use_bastion_registry + when: use_bastion_registry or setup_bastion_proxy | default(false) diff --git a/ansible/vars/all.sample.yml b/ansible/vars/all.sample.yml index 26e5632d..04df6566 100644 --- a/ansible/vars/all.sample.yml +++ b/ansible/vars/all.sample.yml @@ -72,6 +72,15 @@ setup_bastion_registry: false # Use in conjunction with ipv6 based clusters use_bastion_registry: false +# Set to enable a forward proxy (Squid) for IPv6 clusters to access external registries +# This is an alternative to setup_bastion_registry - use one or the other +# When enabled, cluster nodes use the proxy to reach quay.io, registry.redhat.io, etc. +setup_bastion_proxy: false + +# Proxy settings (defaults provided, override as needed) +# proxy_port: 3128 +# proxy_cache_size_mb: 10000 + # Reset iDRAC service using badfish container (pulls and uses badfish container # to clear job queue and reset iDRAC service) # reset_idrac: false From fd628bff57717aa6990670c07fa767485e696abe Mon Sep 17 00:00:00 2001 From: Marius Cornea Date: Wed, 18 Feb 2026 17:54:49 +0200 Subject: [PATCH 2/3] update self-sched-deploy script for ipv6 proxy Signed-off-by: Marius Cornea --- scripts/self-sched-deploy/Makefile | 12 ++++++++---- scripts/self-sched-deploy/README.md | 6 +++++- scripts/self-sched-deploy/prompt-config.sh | 22 ++++++++++++++++++++++ 3 files changed, 35 insertions(+), 5 deletions(-) diff --git a/scripts/self-sched-deploy/Makefile b/scripts/self-sched-deploy/Makefile index df143053..76fc7e5d 100644 --- a/scripts/self-sched-deploy/Makefile +++ b/scripts/self-sched-deploy/Makefile @@ -189,10 +189,14 @@ inventory-run: sed -i 's/^use_bastion_registry: true$$/use_bastion_registry: false/' $(JETLAG_ROOT)/ansible/vars/all.yml; \ elif [ "$$NETWORK_STACK" = "ipv6" ]; then \ sed -i '/^# Single Stack IPv6:/,/^$$/{/^# [a-z]/s/^# //; /^# - /s/^# //;}' $(JETLAG_ROOT)/ansible/vars/all.yml; \ - sed -i 's/^setup_bastion_registry: false$$/setup_bastion_registry: true/' $(JETLAG_ROOT)/ansible/vars/all.yml; \ - sed -i 's/^use_bastion_registry: false$$/use_bastion_registry: true/' $(JETLAG_ROOT)/ansible/vars/all.yml; \ - echo 'sync_operator_index: true' >> $(JETLAG_ROOT)/ansible/vars/all.yml; \ - echo 'sync_ocp_release: true' >> $(JETLAG_ROOT)/ansible/vars/all.yml; \ + if [ "$$IPV6_MODE" = "disconnected" ]; then \ + sed -i 's/^setup_bastion_registry: false$$/setup_bastion_registry: true/' $(JETLAG_ROOT)/ansible/vars/all.yml; \ + sed -i 's/^use_bastion_registry: false$$/use_bastion_registry: true/' $(JETLAG_ROOT)/ansible/vars/all.yml; \ + echo 'sync_operator_index: true' >> $(JETLAG_ROOT)/ansible/vars/all.yml; \ + echo 'sync_ocp_release: true' >> $(JETLAG_ROOT)/ansible/vars/all.yml; \ + else \ + sed -i 's/^setup_bastion_proxy: false$$/setup_bastion_proxy: true/' $(JETLAG_ROOT)/ansible/vars/all.yml; \ + fi; \ elif [ "$$NETWORK_STACK" = "dual" ]; then \ sed -i '/^# Dual Stack/,/^$$/{/^# [a-z]/s/^# //; /^# - /s/^# //;}' $(JETLAG_ROOT)/ansible/vars/all.yml; \ sed -i 's/^setup_bastion_registry: true$$/setup_bastion_registry: false/' $(JETLAG_ROOT)/ansible/vars/all.yml; \ diff --git a/scripts/self-sched-deploy/README.md b/scripts/self-sched-deploy/README.md index 08b1db42..edb9da8e 100644 --- a/scripts/self-sched-deploy/README.md +++ b/scripts/self-sched-deploy/README.md @@ -99,6 +99,7 @@ The interactive prompts collect the following: - **Cluster Type**: `mno` (Multi-Node OpenShift) or `sno` (Single-Node OpenShift) - **Worker Count**: Number of worker nodes (MNO only) - **Network Stack**: `ipv4`, `ipv6`, or `dual` (dual-stack) +- **IPv6 Mode** (IPv6 only): `proxy` (connected via forward proxy) or `disconnected` (local mirror registry) ### Paths - **Pull Secret**: Path to your `pull-secret.txt` file (default: jetlag root) @@ -136,7 +137,10 @@ When you run any target, the tool checks for an existing assignment in `vars/sta Standard IPv4-only deployment. No special requirements. ### IPv6 Single-Stack -IPv6-only deployment. Automatically enables bastion registry for disconnected installation. +IPv6-only deployment. When selected, an additional prompt asks for the connectivity mode: + +- **proxy** (default): Connected deployment via a Squid forward proxy on the bastion. The bastion's dual-stack connectivity provides outbound access for the IPv6 cluster. No local registry mirror or image syncing required. +- **disconnected**: Full disconnected deployment with a local mirror registry (`setup_bastion_registry`, `use_bastion_registry`) and image syncing (`sync_operator_index`, `sync_ocp_release`). ### Dual-Stack Both IPv4 and IPv6. Standard connected installation using the IPv4 network. diff --git a/scripts/self-sched-deploy/prompt-config.sh b/scripts/self-sched-deploy/prompt-config.sh index 23f9c31a..af6fbbad 100755 --- a/scripts/self-sched-deploy/prompt-config.sh +++ b/scripts/self-sched-deploy/prompt-config.sh @@ -187,6 +187,21 @@ collect_jetlag_config() { 3|dual) NETWORK_STACK="dual" ;; esac + # IPv6 connectivity mode + if [[ "$NETWORK_STACK" == "ipv6" ]]; then + echo "" + echo "IPv6 connectivity mode:" + echo "1) proxy - Connected via forward proxy (Squid on bastion)" + echo "2) disconnected - Disconnected with local mirror registry" + prompt_with_options "Select IPv6 mode" "proxy, disconnected" "${IPV6_MODE:-proxy}" IPV6_MODE + + # Normalize input + case "$IPV6_MODE" in + 1|proxy) IPV6_MODE="proxy" ;; + 2|disconnected) IPV6_MODE="disconnected" ;; + esac + fi + print_header "Pull Secret" # Default pull secret path is in jetlag root @@ -241,6 +256,7 @@ DEPLOY_PLAYBOOK="${DEPLOY_PLAYBOOK}" # Network Configuration NETWORK_STACK="${NETWORK_STACK}" +IPV6_MODE="${IPV6_MODE}" # Paths PULL_SECRET_PATH="${PULL_SECRET_PATH}" @@ -304,6 +320,9 @@ display_jetlag_summary() { echo "OCP Build: $OCP_BUILD" echo "OCP Version: $OCP_VERSION" echo "Network Stack: $NETWORK_STACK" + if [[ "$NETWORK_STACK" == "ipv6" ]]; then + echo "IPv6 Mode: $IPV6_MODE" + fi echo "Pull Secret: $PULL_SECRET_PATH" if [[ -n "$BASTION_ROOT_PASSWORD" ]]; then echo "Bastion Password: (provided)" @@ -333,6 +352,9 @@ display_full_summary() { echo "Worker Nodes: $WORKER_NODE_COUNT" echo "Hosts to Reserve: $NUM_HOSTS" echo "Network Stack: $NETWORK_STACK" + if [[ "$NETWORK_STACK" == "ipv6" ]]; then + echo "IPv6 Mode: $IPV6_MODE" + fi echo "Pull Secret: $PULL_SECRET_PATH" echo "Workload: $WORKLOAD_NAME" if [[ -n "$BASTION_ROOT_PASSWORD" ]]; then From dbc243031d435bf800c1c211fadd78e99a0f7d95 Mon Sep 17 00:00:00 2001 From: Marius Cornea Date: Thu, 26 Feb 2026 16:04:02 +0200 Subject: [PATCH 3/3] replace squid image and remove proxy setting from all.sample.yml Signed-off-by: Marius Cornea --- .../bastion-proxy/defaults/main/main.yml | 2 +- ansible/roles/bastion-proxy/handlers/main.yml | 5 +- ansible/roles/bastion-proxy/tasks/main.yml | 51 ++++++------------- ansible/vars/all.sample.yml | 4 -- 4 files changed, 18 insertions(+), 44 deletions(-) diff --git a/ansible/roles/bastion-proxy/defaults/main/main.yml b/ansible/roles/bastion-proxy/defaults/main/main.yml index c5eb39ec..efc978c5 100644 --- a/ansible/roles/bastion-proxy/defaults/main/main.yml +++ b/ansible/roles/bastion-proxy/defaults/main/main.yml @@ -4,7 +4,7 @@ # Proxy configuration proxy_type: squid proxy_port: 3128 -proxy_container_image: docker.io/ubuntu/squid:latest +proxy_container_image: quay.io/konflux-ci/caching/squid:latest # Cache configuration (persistent across reboots) proxy_cache_dir: /opt/squid/cache diff --git a/ansible/roles/bastion-proxy/handlers/main.yml b/ansible/roles/bastion-proxy/handlers/main.yml index d2a01e4c..55b119fb 100644 --- a/ansible/roles/bastion-proxy/handlers/main.yml +++ b/ansible/roles/bastion-proxy/handlers/main.yml @@ -2,7 +2,6 @@ # Bastion proxy handlers - name: Restart squid proxy - containers.podman.podman_container: + containers.podman.podman_pod: name: squid-proxy - state: started - restart: true + state: restarted diff --git a/ansible/roles/bastion-proxy/tasks/main.yml b/ansible/roles/bastion-proxy/tasks/main.yml index 73d83842..d603e418 100644 --- a/ansible/roles/bastion-proxy/tasks/main.yml +++ b/ansible/roles/bastion-proxy/tasks/main.yml @@ -18,51 +18,30 @@ mode: '0644' notify: Restart squid proxy -- name: Pull squid container image - containers.podman.podman_image: - name: "{{ proxy_container_image }}" - state: present +- name: Create squid-proxy pod + containers.podman.podman_pod: + name: squid-proxy + network: host + state: started -- name: Stop existing squid containers - containers.podman.podman_container: - name: "{{ item }}" - state: absent - loop: - - squid-proxy - - squid-init - failed_when: false +- name: Ensure squid-proxy pod is up + containers.podman.podman_pod: + name: squid-proxy + network: host + state: restarted -- name: Initialize squid cache directory +- name: Create squid proxy container in squid-proxy pod containers.podman.podman_container: - name: squid-init + pod: squid-proxy + network: host + name: squid image: "{{ proxy_container_image }}" - state: started - rm: true user: root - command: sh -c "chown -R proxy:proxy /var/spool/squid /var/log/squid && squid -z -N" - volumes: + volume: - "{{ proxy_conf_dir }}/squid.conf:/etc/squid/squid.conf:z" - "{{ proxy_cache_dir }}:/var/spool/squid:z" - /var/log/squid:/var/log/squid:z - register: squid_init - failed_when: false - -- name: Wait for cache initialization - pause: - seconds: 3 - when: squid_init.changed - -- name: Run squid proxy container - containers.podman.podman_container: - name: squid-proxy - image: "{{ proxy_container_image }}" state: started - restart_policy: always - network_mode: host - volumes: - - "{{ proxy_conf_dir }}/squid.conf:/etc/squid/squid.conf:z" - - "{{ proxy_cache_dir }}:/var/spool/squid:z" - - /var/log/squid:/var/log/squid:z - name: Open firewall port for proxy firewalld: diff --git a/ansible/vars/all.sample.yml b/ansible/vars/all.sample.yml index 04df6566..6ba32bd6 100644 --- a/ansible/vars/all.sample.yml +++ b/ansible/vars/all.sample.yml @@ -77,10 +77,6 @@ use_bastion_registry: false # When enabled, cluster nodes use the proxy to reach quay.io, registry.redhat.io, etc. setup_bastion_proxy: false -# Proxy settings (defaults provided, override as needed) -# proxy_port: 3128 -# proxy_cache_size_mb: 10000 - # Reset iDRAC service using badfish container (pulls and uses badfish container # to clear job queue and reset iDRAC service) # reset_idrac: false