If you prefer video content, I have created a video version of this tutorial; it is available on YouTube.
The source code and templates are available in this GitHub repository: https://github.com/HoussemDellai/docker-kubernetes-course/tree/main/67_egress_proxy
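#!/usr/bin/env bash
# Generate the CA key and certificate that mitmproxy uses to re-sign intercepted TLS
# traffic, and produce the formats needed downstream: a key+cert PEM bundle for
# mitmproxy, a PKCS#12 file for client trust stores, and a one-line base64 of the
# public certificate for the AKS proxy config "trustedCA" field.
set -euo pipefail

# Restrict permissions on everything created below: whoever holds this key can
# intercept every TLS connection from clients that trust the certificate.
umask 077
openssl genrsa -out cert.key 2048

# Self-signed CA certificate; openssl prompts for the subject fields.
# (Specify the mitm domain as Common Name, e.g. *.google.com or for all: *)
# openssl's default validity period applies — pass -days if another one is needed.
openssl req -new -x509 -key cert.key -out mitmproxy-ca-cert.pem

# mitmproxy expects key and certificate in a single PEM file. This bundle therefore
# contains the private key and must be kept as private as cert.key itself.
cat cert.key mitmproxy-ca-cert.pem > mitmproxy-ca.pem

# PKCS#12 export (prompts for an export password) for importing the CA into clients.
openssl pkcs12 -export -inkey cert.key -in mitmproxy-ca-cert.pem -out mitmproxy-ca-cert.p12

# Single-line base64 (-w0 is GNU coreutils) of the PUBLIC certificate only;
# this is the value pasted into the proxy config "trustedCA". Redirect instead of cat|.
base64 -w0 < mitmproxy-ca-cert.pem
# sample output
# LS0tLS1CRUdJTiB........0VSVElGSUNBVEUtLS0tLQo=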
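#!/bin/bash
# Install mitmproxy on the proxy VM, fetch the CA material, and start the proxy with
# its web interface exposed.
set -euo pipefail

# 1. install MITM proxy from official package
# NOTE(review): the tarball is fetched without checksum or signature verification;
# compare it against the checksum published by the mitmproxy project before extracting.
wget https://downloads.mitmproxy.org/10.2.4/mitmproxy-10.2.4-linux-x86_64.tar.gz
tar -xvf mitmproxy-10.2.4-linux-x86_64.tar.gz
# [Other option] install MITM proxy using Python pip
# sudo apt install python3-pip -y
# pip3 install mitmproxy
# sudo apt install wget -y # install if not installed

# MITM proxy can create a certificate for us on starting, but we will use our own certificate
# 2. download the certificate files
# NOTE(review): mitmproxy-ca.pem is the key+certificate bundle, i.e. it contains the CA
# private key. Pulling it from a public repository is acceptable for a demo, but anyone
# holding that key can intercept traffic from clients that trust this CA. For anything
# beyond a demo, generate your own CA (see the openssl steps) and keep the bundle private.
wget 'https://raw.githubusercontent.com/HoussemDellai/docker-kubernetes-course/main/_egress_proxy/certificate/mitmproxy-ca-cert.pem'
wget 'https://raw.githubusercontent.com/HoussemDellai/docker-kubernetes-course/main/_egress_proxy/certificate/mitmproxy-ca.pem'
wget 'https://raw.githubusercontent.com/HoussemDellai/docker-kubernetes-course/main/_egress_proxy/certificate/mitmproxy-ca-cert.p12'
# the bundle holds the private key: owner-only permissions
chmod 600 mitmproxy-ca.pem

# 3. start MITM proxy with the certificate and expose the web interface
# The '*=…' value is quoted so the shell does not glob-expand the wildcard domain.
# --web-host 0.0.0.0 exposes the web UI on every interface and block_global=false
# accepts proxy clients from non-private addresses, so without network restrictions
# (NSG/firewall limited to the cluster's address range) this VM is an open proxy.
./mitmweb --listen-port 8080 --web-host 0.0.0.0 --web-port 8081 --set block_global=false --certs '*=./mitmproxy-ca.pem' --set confdir=./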
{
"httpProxy": "http://20.73.245.90:8080/",
"httpsProxy": "https://20.73.245.90:8080/",
"noProxy": [ "localhost", "127.0.0.1", "docker.io", "docker.com" ],
"trustedCA": "LS0tLS1CRUdJTiBD..........Q0VSVElGSUNBVEUtLS0tLQo="
}
# Provision the infrastructure from the Terraform templates: initialise providers,
# save a plan, then apply exactly that saved plan so what runs is what was reviewed.
# A saved plan file can contain sensitive values in clear text — do not commit or share tfplan.
tf() {
  terraform "$@"
}
tf init
tf plan -out tfplan
tf apply tfplan
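# Verify that a plain pod receives the proxy environment variables injected by the
# AKS HTTP proxy configuration.
kubectl run nginx --image=nginx
kubectl exec -it nginx -- env
# http_proxy=http://10.0.0.4:8080/
# HTTP_PROXY=http://10.0.0.4:8080/
# https_proxy=https://10.0.0.4:8080/
# HTTPS_PROXY=https://10.0.0.4:8080/
# no_proxy=localhost,aks-8v0n0swv.hcp.westeurope.azmk8s.io,10.10.0.0/24,10.0.0.0/16,169.254.169.254,docker.com,127.0.0.1,docker.io,konnectivity,10.10.0.0/16,168.63.129.16
# NO_PROXY=localhost,aks-8v0n0swv.hcp.westeurope.azmk8s.io,10.10.0.0/24,10.0.0.0/16,169.254.169.254,docker.com,127.0.0.1,docker.io,konnectivity,10.10.0.0/16,168.63.129.16

# Check the egress path: the reported address should be the proxy VM's public IP.
# The command and its argument must be separate words — quoting 'curl ifconf.me' as
# a single word makes kubectl look for an executable literally named "curl ifconf.me".
# NOTE(review): the public-IP echo service is commonly ifconfig.me; confirm the hostname.
kubectl exec -it nginx -- curl ifconf.me
# 20.134.24.9 # this is VM's public IP used by Proxy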
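# Confirm the proxy variables are also present at node level.
kubectl get nodes
# NAME STATUS ROLES AGE VERSION
# aks-systempool-48300357-vmss000000 Ready <none> 11m v1.29.0
# aks-systempool-48300357-vmss000001 Ready <none> 11m v1.29.0
# aks-systempool-48300357-vmss000002 Ready <none> 11m v1.29.0

# Start a debug pod on one node. This opens an interactive shell in that pod, so the
# commands that follow are typed inside that session, not executed by this script.
# The debug pod runs as root with the node's filesystem mounted at /host — i.e. full
# node access — so limit who can do this and delete the debug pod when finished.
kubectl debug node/aks-systempool-48300357-vmss000000 -it --image=ubuntu
# (inside the debug pod, as root) switch into the node's root filesystem
chroot /host
env
# http_proxy=http://10.0.0.4:8080/
# HTTP_PROXY=http://10.0.0.4:8080/
# https_proxy=https://10.0.0.4:8080/
# HTTPS_PROXY=https://10.0.0.4:8080/
# no_proxy=localhost,aks-8v0n0swv.hcp.westeurope.azmk8s.io,10.10.0.0/24,10.0.0.0/16,169.254.169.254,docker.com,127.0.0.1,docker.io,konnectivity,10.10.0.0/16,168.63.129.16
# NO_PROXY=localhost,aks-8v0n0swv.hcp.westeurope.azmk8s.io,10.10.0.0/24,10.0.0.0/16,169.254.169.254,docker.com,127.0.0.1,docker.io,konnectivity,10.10.0.0/16,168.63.129.16
# ... removed for brevity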
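apiVersion: v1
kind: Pod
metadata:
  name: nginx-noproxy
  annotations:
    # Opt this pod out of the proxy environment variables that the AKS HTTP proxy
    # configuration injects cluster-wide. Its egress then bypasses the proxy and
    # leaves through the cluster load balancer instead. Environment variables only
    # steer clients that honour them, so treat this annotation as an escape hatch:
    # if the proxy is meant to be an enforcement point, restrict who may set it
    # (e.g. via admission policy) and enforce egress with network rules as well.
    "kubernetes.azure.com/no-http-proxy-vars": "true"
spec:
  containers:
    - image: nginx
      name: nginx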
# Deploy the annotated pod and confirm that no proxy variables are injected and that
# its egress no longer goes through the proxy VM.
pod=nginx-noproxy
kubectl apply -f noproxy-pod.yaml

# environment of the opted-out pod: no http(s)_proxy / no_proxy entries
kubectl exec -it "$pod" -- env
# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# HOSTNAME=nginx-noproxy
# NGINX_VERSION=1.25.4
# NJS_VERSION=0.8.3
# PKG_RELEASE=1~bookworm
# KUBERNETES_PORT=tcp://10.0.0.1:443
# KUBERNETES_PORT_443_TCP=tcp://10.0.0.1:443
# KUBERNETES_PORT_443_TCP_PROTO=tcp
# KUBERNETES_PORT_443_TCP_PORT=443
# KUBERNETES_PORT_443_TCP_ADDR=10.0.0.1
# KUBERNETES_SERVICE_HOST=10.0.0.1
# KUBERNETES_SERVICE_PORT=443
# KUBERNETES_SERVICE_PORT_HTTPS=443
# TERM=xterm
# HOME=/root

# egress check: the reported address is the cluster load balancer, not the proxy VM
kubectl exec -it "$pod" -- curl ifconf.me
# 4.245.123.106 # this is cluster LB
# Apply the HTTP proxy configuration (proxy URLs, no-proxy list and the base64 trustedCA)
# to the existing AKS cluster.
az aks update --name aks --resource-group rg-aks --http-proxy-config aks-proxy-config.json