Overview
The OpenShift Python Wrapper supports proxy configuration, allowing you to route all cluster communication through an HTTP or HTTPS proxy server. This is essential for environments with restricted network access or corporate proxy requirements.
Quick Start
Enable proxy configuration by setting environment variables:
# For HTTPS proxy
export HTTPS_PROXY="http://proxy.example.com:8080"
# OR for HTTP proxy
export HTTP_PROXY="http://proxy.example.com:8080"
# Run your script
python my_script.py
The wrapper automatically detects and uses proxy settings from HTTPS_PROXY or HTTP_PROXY environment variables. No code changes are required.
Configuration Methods
HTTPS Proxy
For secure connections (recommended):
export HTTPS_PROXY="http://proxy.example.com:8080"
HTTP Proxy
For non-secure connections:
export HTTP_PROXY="http://proxy.example.com:8080"
Proxy Priority
If both are set, HTTPS_PROXY takes precedence:
# HTTPS_PROXY will be used
export HTTPS_PROXY="http://secure-proxy.example.com:8443"
export HTTP_PROXY="http://proxy.example.com:8080"
http://[username:password@]host:port
Without Authentication
export HTTPS_PROXY="http://proxy.example.com:8080"
With Authentication
With Special Characters
URL-encode special characters in credentials:
# If password is "p@ssw0rd!", encode it as "p%40ssw0rd%21"
export HTTPS_PROXY="http://user:p%40ssw0rd%[email protected]:8080"
Use Python’s urllib.parse.quote() to encode credentials with special characters:import urllib.parse
password = "p@ssw0rd!"
encoded = urllib.parse.quote(password)
print(f"http://user:{encoded}@proxy.example.com:8080")
No Proxy Configuration
Exclude specific hosts from proxying:
# Single host
export NO_PROXY="localhost"
# Multiple hosts
export NO_PROXY="localhost,127.0.0.1,.internal.example.com"
# With proxy
export HTTPS_PROXY="http://proxy.example.com:8080"
export NO_PROXY="localhost,127.0.0.1,10.0.0.0/8,.cluster.local"
The NO_PROXY variable accepts comma-separated values:
- Hostnames:
localhost, example.com
- IP addresses:
127.0.0.1, 192.168.1.1
- CIDR notation:
10.0.0.0/8, 172.16.0.0/12
- Domain suffixes:
.internal.example.com (matches all subdomains)
Usage Examples
Basic Usage
Set proxy and use the wrapper normally:
# Set proxy
export HTTPS_PROXY="http://proxy.example.com:8080"
from ocp_resources.pod import Pod
from ocp_resources.resource import get_client
# Proxy is automatically used
client = get_client()
pod = Pod(
client=client,
name="nginx-pod",
namespace="default",
containers=[{"name": "nginx", "image": "nginx:latest"}]
)
pod.deploy()
# All API calls go through the proxy
for pod in Pod.get(client=client, namespace="default"):
print(f"Pod: {pod.name}")
With Authentication
# Set authenticated proxy
export HTTPS_PROXY="http://myuser:[email protected]:8080"
export NO_PROXY="localhost,127.0.0.1"
from ocp_resources.deployment import Deployment
from ocp_resources.resource import get_client
client = get_client()
deployment = Deployment(
client=client,
name="myapp",
namespace="production",
replicas=3,
selector={"matchLabels": {"app": "myapp"}},
template={
"metadata": {"labels": {"app": "myapp"}},
"spec": {
"containers": [{"name": "app", "image": "myapp:v1.0"}]
}
}
)
deployment.deploy()
deployment.wait_for_replicas(deployed=True, timeout=240)
Multiple Clusters with Different Proxies
import os
from ocp_resources.namespace import Namespace
from ocp_resources.resource import get_client
# Cluster 1 with proxy A
os.environ['HTTPS_PROXY'] = 'http://proxy-a.example.com:8080'
client_a = get_client(config_file='/path/to/kubeconfig-a')
ns_a = Namespace(client=client_a, name="namespace-a")
ns_a.deploy()
# Cluster 2 with proxy B
os.environ['HTTPS_PROXY'] = 'http://proxy-b.example.com:8080'
client_b = get_client(config_file='/path/to/kubeconfig-b')
ns_b = Namespace(client=client_b, name="namespace-b")
ns_b.deploy()
Corporate Proxy Setup
Windows Environment
REM Set proxy in Command Prompt
set HTTPS_PROXY=http://proxy.corp.example.com:8080
set NO_PROXY=localhost,127.0.0.1,.corp.example.com
REM Run Python script
python my_script.py
# Set proxy in PowerShell
$env:HTTPS_PROXY = "http://proxy.corp.example.com:8080"
$env:NO_PROXY = "localhost,127.0.0.1,.corp.example.com"
# Run Python script
python my_script.py
Linux/Mac Environment
# Add to ~/.bashrc or ~/.zshrc for persistence
export HTTPS_PROXY="http://proxy.corp.example.com:8080"
export NO_PROXY="localhost,127.0.0.1,.corp.example.com"
# Source the file
source ~/.bashrc
# Run script
python my_script.py
Docker Container
Pass proxy settings to containers:
docker run -it \
-e HTTPS_PROXY="http://proxy.example.com:8080" \
-e NO_PROXY="localhost,127.0.0.1" \
-v $(pwd):/workspace \
python:3.11 \
python /workspace/my_script.py
Kubernetes Pod
Configure proxy in pod environment:
apiVersion: v1
kind: Pod
metadata:
name: wrapper-pod
spec:
containers:
- name: python
image: python:3.11
env:
- name: HTTPS_PROXY
value: "http://proxy.example.com:8080"
- name: NO_PROXY
value: "localhost,127.0.0.1,.cluster.local"
command: ["python", "/app/script.py"]
Verification
Check Proxy Configuration
Verify proxy settings are detected:
import os
print(f"HTTPS_PROXY: {os.environ.get('HTTPS_PROXY', 'Not set')}")
print(f"HTTP_PROXY: {os.environ.get('HTTP_PROXY', 'Not set')}")
print(f"NO_PROXY: {os.environ.get('NO_PROXY', 'Not set')}")
Test Proxy Connection
Test if the proxy is working:
from ocp_resources.namespace import Namespace
from ocp_resources.resource import get_client
try:
client = get_client()
# Simple operation to test connectivity
namespaces = list(Namespace.get(client=client))
print(f"Successfully connected through proxy. Found {len(namespaces)} namespaces.")
except Exception as e:
print(f"Proxy connection failed: {e}")
Troubleshooting
Proxy Connection Refused
-
Verify proxy URL is correct:
echo $HTTPS_PROXY
curl -x $HTTPS_PROXY https://www.google.com
-
Check if proxy requires authentication:
# Test with credentials
curl -x http://user:[email protected]:8080 https://www.google.com
-
Verify firewall rules allow proxy connection
-
Check proxy server logs for connection attempts
Certificate Verification Errors
If using a corporate proxy with SSL inspection, you may encounter certificate errors.
import os
import urllib3
# Disable SSL warnings (testing only!)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
from ocp_resources.resource import get_client
# This is NOT recommended for production
client = get_client()
# Set CA certificate bundle
export REQUESTS_CA_BUNDLE=/path/to/corporate-ca-bundle.crt
export HTTPS_PROXY="http://proxy.example.com:8080"
python my_script.py
Proxy Authentication Failures
If authentication fails:
- Verify credentials are correct
- Check if special characters need URL encoding
- Test credentials with curl:
Requests Not Using Proxy
If requests aren’t going through proxy:
-
Verify environment variables are set:
import os
print(os.environ.get('HTTPS_PROXY'))
-
Check NO_PROXY isn’t excluding your cluster:
print(os.environ.get('NO_PROXY'))
-
Ensure variables are set before importing wrapper:
import os
os.environ['HTTPS_PROXY'] = 'http://proxy.example.com:8080'
# Import after setting environment
from ocp_resources.resource import get_client
Security Considerations
- Avoid Hardcoding Credentials: Never hardcode proxy credentials in scripts
- Use Environment Variables: Store credentials in environment variables
- Secure Credential Storage: Use secrets management for production
- HTTPS Proxy: Prefer HTTPS proxies for encrypted traffic
- Audit Logging: Enable proxy logging for security audits
- Least Privilege: Use proxy accounts with minimum required permissions
Best Practices
- Set Globally: Configure proxy environment variables at the system level
- Use NO_PROXY: Exclude internal traffic from proxying
- Test Connectivity: Always test proxy configuration before deployment
- Document Settings: Document proxy requirements for your environment
- Monitor Traffic: Monitor proxy logs for connection issues
- Use Authentication: Secure proxies with authentication
- Handle Errors: Add proper error handling for proxy failures
Complete Example
Here’s a complete script with proxy configuration:
#!/usr/bin/env python3
"""
Example script demonstrating proxy configuration
"""
import os
import sys
from ocp_resources.deployment import Deployment
from ocp_resources.resource import get_client
def main():
# Verify proxy configuration
proxy = os.environ.get('HTTPS_PROXY') or os.environ.get('HTTP_PROXY')
if not proxy:
print("Warning: No proxy configured")
print("Set HTTPS_PROXY or HTTP_PROXY environment variable")
response = input("Continue anyway? (y/n): ")
if response.lower() != 'y':
sys.exit(1)
else:
print(f"Using proxy: {proxy}")
# Get client (uses proxy automatically)
try:
client = get_client()
print("Successfully connected to cluster through proxy")
except Exception as e:
print(f"Failed to connect: {e}")
sys.exit(1)
# Create deployment
deployment = Deployment(
client=client,
name="myapp",
namespace="default",
replicas=3,
selector={"matchLabels": {"app": "myapp"}},
template={
"metadata": {"labels": {"app": "myapp"}},
"spec": {
"containers": [{"name": "app", "image": "nginx:latest"}]
}
}
)
deployment.deploy()
print(f"Deployment {deployment.name} created through proxy")
deployment.wait_for_replicas(deployed=True, timeout=240)
print(f"Deployment ready with {deployment.instance.status.availableReplicas} replicas")
if __name__ == "__main__":
main()
export HTTPS_PROXY="http://proxy.example.com:8080"
export NO_PROXY="localhost,127.0.0.1"
python script.py
