Proxy Configuration - gpillon/k4all GitHub Wiki

Overview

  • What it does: Applies a system-wide proxy to services managed by systemd (e.g., kubelet, crio, NetworkManager) via DefaultEnvironment in the systemd manager config.
  • Where it’s configured: JSON config at /etc/k4all-config.json (key: .proxy).
  • How it’s applied: scripts/setup-proxy.sh writes to /etc/systemd/system.conf.d/proxy.conf, ensures [Manager], upserts DefaultEnvironment=..., reloads systemd, restarts key services.

Configuration schema

Place in your configuration file (e.g. /etc/k4all-config.json or the file you pass to the validator):

{
  "proxy": {
    "http_proxy": "http://proxy.example.com:3128",
    "https_proxy": "http://proxy.example.com:3128",
    "no_proxy": "127.0.0.1,localhost,.svc,.cluster.local,10.96.0.0/12,10.244.0.0/16"
  }
}
  • http_proxy/https_proxy: URL (optionally with auth), e.g. http://user:pass@proxy:3128
  • no_proxy: Comma-separated list (no spaces), supports domains like .example.com and CIDRs.

Validation

Use the built-in validator before applying:

bash /root/fcos-k8s/install-scripts/validate_config.sh /etc/k4all-config.json
  • Ensures .proxy exists and that .proxy.http_proxy, .proxy.https_proxy, .proxy.no_proxy are present and strings.

Note: the installer runs this validation for you.

How the setup applies proxy

Script: scripts/setup-proxy.sh

  • Reads values from K4ALL_CONFIG_FILE (set in scripts/k4all-utils to /etc/k4all-config.json).
  • Ensures file /etc/systemd/system.conf.d/proxy.conf exists with [Manager].
  • Upserts lines:
    • DefaultEnvironment="HTTP_PROXY=..."
    • DefaultEnvironment="HTTPS_PROXY=..."
    • DefaultEnvironment="NO_PROXY=..."
    • Also writes lowercase variants for wider CLI compatibility:
      • DefaultEnvironment="http_proxy=..."
      • DefaultEnvironment="https_proxy=..."
      • DefaultEnvironment="no_proxy=..."
  • If a value is empty/missing, the corresponding DefaultEnvironment="VAR=..." line is removed.
  • Reloads and restarts:
    • systemctl daemon-reload
    • systemctl restart systemd-resolved
    • systemctl restart NetworkManager
  • Idempotent; a sentinel file /opt/k4all/setup-proxy.done prevents re-running automatically.
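
The upsert and removal rules listed above, written out as an added example (this is not the project's scripts/setup-proxy.sh). The function names upsert_default_env and show_default_env_redacted are hypothetical, the drop-in is assumed to hold only a [Manager] section, and the second function prints the result with URL credentials masked.

```bash
#!/usr/bin/env bash
# Added illustration, not the project's scripts/setup-proxy.sh.
# Assumption: the drop-in file holds only a [Manager] section.

# upsert_default_env FILE VAR VALUE
# Sets the single DefaultEnvironment="VAR=VALUE" line, or removes it when
# VALUE is empty. Running it twice with the same input changes nothing.
upsert_default_env() {
    local file="$1" var="$2" value="$3" tmp
    case $value in
        *'"'*) echo "refusing value containing a double quote: $var" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$file")"
    # mktemp creates the file with mode 0600; that is kept on purpose because
    # the proxy URL may embed credentials.
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    {
        printf '[Manager]\n'
        if [ -f "$file" ]; then
            # Keep every line except the header and this variable's old line.
            # Matching is case-sensitive, so HTTP_PROXY and http_proxy are
            # managed independently.
            grep -vxF '[Manager]' "$file" |
                grep -vF "DefaultEnvironment=\"${var}=" || true
        fi
        if [ -n "$value" ]; then
            printf 'DefaultEnvironment="%s=%s"\n' "$var" "$value"
        fi
    } > "$tmp"
    mv "$tmp" "$file"
}

# show_default_env_redacted FILE
# Prints the DefaultEnvironment lines with any user:password@ part of a URL
# replaced, so the output can be shared without exposing the secret.
show_default_env_redacted() {
    sed -n -E \
        -e 's#^(DefaultEnvironment="[^=]+=[A-Za-z]+://)[^/"]*@#\1REDACTED@#' \
        -e '/^DefaultEnvironment=/p' "$1"
}
```

Both functions take the file path as an argument, so they can be tried against a scratch file before touching /etc/systemd/system.conf.d/proxy.conf.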

Examples

Full proxy

"proxy": {
  "http_proxy": "http://proxy.corp.local:3128",
  "https_proxy": "http://proxy.corp.local:3128",
  "no_proxy": "127.0.0.1,localhost,.svc,.cluster.local,10.0.0.0/8"
}

Proxy with credentials

"proxy": {
  "http_proxy": "http://user:pass@proxy:3128",
  "https_proxy": "http://user:pass@proxy:3128",
  "no_proxy": "127.0.0.1,localhost,.corp.local"
}

Clear/unset proxy

"proxy": {
  "http_proxy": "",
  "https_proxy": "",
  "no_proxy": ""
}

Empty values remove the corresponding DefaultEnvironment lines.

Apply (manually)

If you need to force re-apply:

sudo rm -f /opt/k4all/setup-proxy.done
sudo bash /root/fcos-k8s/scripts/setup-proxy.sh

Verification

  • Check systemd manager config file:
sudo sed -n '1,120p' /etc/systemd/system.conf.d/proxy.conf
  • Check a service’s effective environment (example: kubelet):
systemctl show kubelet -p Environment
  • Quick curl test (should route via proxy):
curl -I https://www.google.com

Troubleshooting

  • Lines not in proxy.conf: Ensure config has non-empty .proxy.* values; re-run setup.
  • Service not honoring proxy:
    • Inspect per-unit overrides in /etc/systemd/system/<unit>.d/*.conf that may override environment.
    • Check with systemctl show <unit> -p Environment.
  • Name resolution issues through proxy: Adjust no_proxy to include cluster/service domains (e.g., .svc,.cluster.local) and internal CIDRs.
  • Re-apply after edits: Remove /opt/k4all/setup-proxy.done and re-run the setup script.
  • Invalid JSON or missing keys: Run the validator to get clear messages.

Security notes

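  • Credentials in proxy URLs are stored in cleartext in /etc/k4all-config.json and /etc/systemd/system.conf.d/proxy.conf and are passed in the environment of services started by systemd, so prefer least-privilege accounts and avoid committing secrets to version control.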
  • Consider using a secret manager or environment injection mechanism if extending beyond system-wide proxy.