Update proxy server settings and certificates
Applies to: AKS on Azure Stack HCI 22H2, AKS on Windows Server
This article describes how to update proxy settings and certificates for your deployment in AKS enabled by Azure Arc. Each AKS deployment has a single global proxy configuration. You can add exclusions using the noProxy parameter to exclude private subnets (for example, contoso.com) from using the proxy server, and you can update proxy certificates for the deployment. You can't change HTTP or HTTPS settings.
For information about the initial proxy server setup, see Use proxy server settings in AKS Arc.
Proxy settings you can update
Before you begin, review current limitations to proxy setting updates you can perform in AKS enabled by Arc:
- AKS enabled by Arc supports one global proxy configuration per AKS Arc deployment. When you update the proxy settings, they're updated for the entire AKS Arc deployment.
- You can only update noProxy settings, which are used to exclude a private subnet from using the proxy server, and proxy certificates. HTTP and HTTPS proxy settings can't be updated.
- You can't configure different proxy settings for a specific node pool or workload cluster. Similarly, you can't update proxy settings for a specific node pool or workload cluster.
- Updates to proxy settings are only applied after you update your entire AKS deployment. You must update the AKS host management cluster and all AKS workload clusters. To check whether an update is available, use the AKS PowerShell module cmdlet Get-AksHciClusterUpdates.
Prerequisites
Before you update proxy settings for an AKS deployment, you must meet the following prerequisites:
- Your AKS deployment is running the October 2022 update or later.
- The most recent version of the AksHci PowerShell module is installed. For more information, see Install the AksHci PowerShell module.
- At least one update is available for your AKS deployment. Updates to proxy settings and certificates are applied automatically after updates are applied to an AKS deployment. To check for available updates, run the Get-AksHciClusterUpdates command in the AksHci PowerShell module.
Step 1: Create a new noProxy exclusion list
You might occasionally need to update noProxy settings to exclude a private subnet from using the proxy server for your AKS deployment. To prepare to update the noProxy settings, store a new exclusion list in a PowerShell variable.
Before you update your noProxy settings, review the required noProxy settings in the proxy exclusion table. For more information, see Exclusion list for excluding private subnets from being sent to the proxy. Certain exclusions are required for your AKS deployment to function. Not excluding these URLs can cause failures in your AKS deployment.
Store your updated noProxy URL list in a PowerShell variable:
$noProxy = "localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.contoso.com"
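A check you can run on a candidate list before Step 3 (an added example, not part of the article's procedure or the AksHci module). Test-NoProxyList is a hypothetical helper, and its default -Required baseline is an assumption built from the sample list above; replace it with the entries from the proxy exclusion table.

```powershell
# Added example. Test-NoProxyList is a hypothetical helper, not an AksHci cmdlet.
# The default -Required baseline is an assumption taken from this article's
# sample list; use the entries from the proxy exclusion table instead.
function Test-NoProxyList {
    param(
        [Parameter(Mandatory)][string]$NoProxy,
        [string[]]$Required = @('localhost', '127.0.0.1', '.svc',
                                '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
    )
    $problems = @()
    $entries = @($NoProxy -split ',')
    foreach ($e in $entries) {
        if ($e.Trim() -eq '') { $problems += 'empty entry (stray comma)'; continue }
        if ($e -ne $e.Trim()) { $problems += "'$e' has surrounding whitespace" }
        # Entries shaped like CIDR ranges need a four-part IPv4 address and a prefix <= 32.
        if ($e.Trim() -match '^([\d.]+)/(\d+)$') {
            $ip = $null
            $okIp = [System.Net.IPAddress]::TryParse($Matches[1], [ref]$ip) -and
                    ($Matches[1] -split '\.').Count -eq 4
            $badPrefix = $Matches[2].Length -gt 2 -or [int]$Matches[2] -gt 32
            if (-not $okIp -or $badPrefix) { $problems += "'$e' is not a valid IPv4 CIDR range" }
        }
    }
    # Compare trimmed, lower-cased entries against the required baseline.
    $clean = @($entries | ForEach-Object { $_.Trim().ToLowerInvariant() })
    foreach ($r in $Required) {
        if ($clean -notcontains $r) { $problems += "required exclusion '$r' is missing" }
    }
    foreach ($g in @($clean | Group-Object)) {
        if ($g.Count -gt 1 -and $g.Name) { $problems += "'$($g.Name)' is listed $($g.Count) times" }
    }
    return $problems
}

# Constructed input: the sample list with one range removed, a bad prefix and a stray space.
$candidate = "localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0.0/33, .contoso.com"
Test-NoProxyList -NoProxy $candidate | ForEach-Object { Write-Warning $_ }
```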
Step 2: Create a proxy certificate bundle
To update certificates for your proxy server, create a new certificate bundle and then store the path to the file in a PowerShell variable. Bundle the certificates in a single .crt file in PEM format. This format is applicable for updating certificates on Linux container hosts.
To bundle your updated proxy server certificates:
Create a single .crt file with the bundled certificates for Linux hosts. Use the concatenate (cat) command with the following format:
cat [leaf].crt [intermediate].crt [Root].crt > [bundle].crt
You must concatenate the certificates in the order of: leaf certificate > intermediate certificate > root certificate. For detailed certificate requirements and an example, see Update certificate bundle for your AKS deployment.
Note
The contents of the certificate file aren't validated. Check carefully to ensure the file contains the right certificates and is in the correct format.
Store the path to your updated certificate bundle in a PowerShell variable:
$certFile = "/../[certificate-bundle].crt" # path to the bundled .crt file
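Because the bundle contents aren't validated, a pre-flight check of the file is worth running before Step 3. The following is an added example, not code from the article or the AksHci module: Test-ProxyCertBundle is a hypothetical helper that confirms the file parses as PEM, that the certificates are ordered leaf > intermediate > root by issuer and subject name, and that none are outside their validity dates. It assumes $certFile was set as shown above and does not verify signatures.

```powershell
# Added example. Test-ProxyCertBundle is a hypothetical helper, not an AksHci
# cmdlet. It checks PEM format, name chaining and dates only, not signatures.
function Test-ProxyCertBundle {
    param([Parameter(Mandatory)][string]$Path)

    $pem = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $blocks = [regex]::Matches($pem, $pattern, 'Singleline')
    if ($blocks.Count -eq 0) { return "No PEM certificate blocks found in $Path" }

    # Decode each PEM block into an X509Certificate2, keeping file order.
    $certs = @(foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    })

    $problems = @()
    $now = Get-Date
    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c = $certs[$i]
        if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
            $problems += "[$i] $($c.Subject): not valid now ($($c.NotBefore) to $($c.NotAfter))"
        }
        if ($i -lt $certs.Count - 1) {
            # leaf > intermediate > root: each issuer must be the next subject.
            if ($c.Issuer -ne $certs[$i + 1].Subject) {
                $problems += "[$i] $($c.Subject): issuer '$($c.Issuer)' is not the next certificate"
            }
        } elseif ($c.Issuer -ne $c.Subject) {
            # The last certificate should be the self-signed root.
            $problems += "[$i] $($c.Subject): last certificate is not self-signed"
        }
    }
    return $problems
}

# $certFile is the variable set in Step 2.
$issues = @(Test-ProxyCertBundle -Path $certFile)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'Bundle order and validity dates look consistent.'
}
```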
Step 3: Update proxy settings
The next step is to use the Set-AksHciProxySetting command to update your noProxy settings and certificates.
Before you update the proxy settings and certificates, confirm that your PowerShell variables have the right changes:
echo $noProxy
echo $certFile
To update both your proxy settings and proxy certificates, run the following command:
Set-AksHciProxySetting -noProxy $noProxy -certFile $certFile
Step 4: Apply updated proxy settings to your AKS deployment
The updates to your global proxy settings and certificate are applied automatically after you update the AKS deployment.
To apply the proxy updates:
Check whether an update is available for your AKS host management cluster by running the following command:
Get-AksHciUpdates
If an update is available, update your AKS host management cluster by running the following command. This command applies the proxy changes on your AKS host management cluster:
Update-AksHci
Update all of the workload clusters in your AKS deployment. Proxy changes won't be applied unless you update your workload clusters.
To check whether workload cluster updates are available, run the following command on each of your AKS workload clusters:
Get-AksHciClusterUpdates -name mycluster
If an update is available (either a Kubernetes version or an updated OS image), update each of your workload clusters by running the Update-AksHciCluster command.
To update the Kubernetes version and OS version on a workload cluster, run the following command:
Update-AksHciCluster -name mycluster
To update the OS without updating the Kubernetes version, include the -operatingSystem parameter:
Update-AksHciCluster -name mycluster -operatingSystem
If an OS image-only update isn't available for your workload cluster, you won't be able to apply the proxy changes unless you update the Kubernetes version.
Next steps
For more information about networking in AKS enabled by Arc, see Kubernetes networking concepts.