Installing Cloud Pak for Security through a proxy
Describes a workaround for installing CP4S through a proxy
Author(s): László Czap | Created: 22 June 2020 | Last modified: 22 June 2020
Tested on: Cloud Pak for Security 1.3.0
Installing Cloud Pak for Security through a proxy
When installing (IBM Entitled Registry version) CP4S v1.3.0 on OCP 4.3.24 through a proxy there are pods that need to download installation packages from inside the pod. This means that they do not rely on Openshift to get a running image, and they are obviously not aware of the proxy configuration of the Openshift layer. Actually, I think it is not a good practice to download installation stuff from inside a pod, but of course I don't see whether there is a good reason to do it like this.
Anyway, there are two places where the install stucks due to this issue. First, there is a job with name isc-openwhisk-openwhisk-install-packages which eventually fails due to unsuccessful trials. This job must be recreated with the environment variables that set your proxy. Here is an example snippet of the config:
env:
- name: HTTP_PROXY
value: '10.109.10.254:3128'
- name: HTTPS_PROXY
value: '10.109.10.254:3128'
- name: NO_PROXY
value: isc-openwhisk-openwhisk-controllerHere the NO_PROXY part is also important. So, the workaround is to copy the original .yaml of the job, create a new job with the same config, but with the proxy variables added. Here is a working example of the file. Running the job will recreate the failing pods.
After this, there is yet another component in the pod, which needs its own proxy config: the npm installer. Here, you need to run the npm set proxy <proxy_address> command. The simplest for us was to get a pod terminal and simply run this command there. This is of course lives only for the life-time of the pod, but this was simple and good enough, because it is a one-time run during the install. So, find the pod with name isc-openwhisk-openwhisk-install-packages-xxxxx and run the above inside its terminal.
Just one more remark: after installation it turns out that the current version of the TII application does not work through a proxy, and I am not aware of a viable workaround for this issue.