Using mutatingwebhook to set pod environment

With Red Hat Advanced Cluster Management 2.1/2.2 it is possible to provision OpenShift clusters through an HTTP proxy by using a mutating webhook to update the proxy settings in the provisioning jobs.

One way to accomplish this is to deploy the podpreset webhook controller (https://www.openshift.com/blog/a-podpreset-based-webhook-admission-controller). This assumes that you have already configured a cluster-wide HTTP proxy in the OpenShift cluster.

STEP 1: Follow the 6 steps listed in the blog post to deploy the webhook controller.

STEP 2: Then define the following podpreset configuration.

apiVersion: redhatcop.redhat.io/v1alpha1
kind: PodPreset
metadata:
  name: hive-job-provision
spec:
  env:
  - name: HTTP_PROXY
    value: "http://[fd2e:6f44:51d8::134]:3128"
  - name: HTTPS_PROXY
    value: "http://[fd2e:6f44:51d8::134]:3128"
  - name: NO_PROXY
    value: ".cluster.local,.test.example.com,.svc,127.0.0.1,api-int.test.example.com,etcd-0.test.example.com,etcd-1.test.example.com,etcd-2.test.example.com,fd00:1201::/64,fd01::/48,fd02::/112,fd2e:6f44:51d8::/64,localhost"
  selector:
    matchLabels:
      hive.openshift.io/job-type: provision

You can get the proxy settings by querying your cluster proxy configuration. For example: oc get proxy cluster -n openshift-config -o yaml

Notice that we are matching the pod label hive.openshift.io/job-type: provision. This should select only the Hive provisioning jobs, so the proxy variables are not injected into unrelated pods. A second podpreset is needed for deprovision as well.

With this in place, you will be able to reach public cloud providers through the HTTP proxy server and provision a cluster.
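The following script is an added example, not part of the original post or the webhook project: it renders both the provision and the deprovision podpreset from the cluster Proxy status instead of hand-copied values. The name hive-job-deprovision and the label value deprovision are assumptions that mirror the provision preset; confirm the label on a real deprovision pod with oc get pods --show-labels before applying.

```bash
#!/usr/bin/env bash
# Added example: generate the two PodPresets from the cluster-wide Proxy
# object so the injected values always match what the cluster itself uses.

# Read one field of the cluster Proxy status (needs a logged-in `oc`).
proxy_field() {
  oc get proxy cluster -o "jsonpath={.status.$1}"
}

# Render one PodPreset. Args: job type, HTTP proxy, HTTPS proxy, NO_PROXY list.
render_podpreset() {
  cat <<EOF
apiVersion: redhatcop.redhat.io/v1alpha1
kind: PodPreset
metadata:
  name: hive-job-$1
spec:
  env:
  - name: HTTP_PROXY
    value: "$2"
  - name: HTTPS_PROXY
    value: "$3"
  - name: NO_PROXY
    value: "$4"
  selector:
    matchLabels:
      hive.openshift.io/job-type: $1
EOF
}

# Render both presets as one multi-document YAML stream.
# Assumption: deprovision pods carry hive.openshift.io/job-type: deprovision.
render_all() {
  # Refuse to emit presets with empty values if no cluster proxy is set.
  [ -n "$1" ] || [ -n "$2" ] || { echo "no cluster proxy configured" >&2; return 1; }
  for job_type in provision deprovision; do
    echo "---"
    render_podpreset "$job_type" "$1" "$2" "$3"
  done
}

# Against a live cluster (placeholder namespace, not run here):
#   render_all "$(proxy_field httpProxy)" "$(proxy_field httpsProxy)" \
#              "$(proxy_field noProxy)" | oc apply -n <namespace> -f -
```

Review the rendered YAML before applying it: if the proxy URL carries credentials, they end up in plain text in the PodPreset and in every pod spec it mutates.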

NOTE: These steps create a network path from the hub and cloud provider (and eventually the spoke), through the HTTP proxy server. In order to have the provisioned cluster imported into RHACM, post provision, a network path has to be established in the opposite direction. I leave this up to the reader.
