Document or support running in environments with TLS intercepting proxies

[randomvariable]

/kind feature

Describe the solution you'd like As a result of triaging on an issue in Slack by @ashish-amarnath, it was found a user could not run the AWS provider because the network they were running in used TLS intercepting transparent proxies.

This is fairly common in enterprise environments, up to and including the target AWS infrastructure.

We should either document image customisation in these scenarios, and/or provide a mechanism to inject a CA Certificate into the certificate bundle that will be used to make AWS API requests.

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

• Cluster-api-provider-aws version: v1.0.0-alpha.4
• Kubernetes version: (use kubectl version):
• OS (e.g. from /etc/os-release):

[randomvariable]

/priority important-longterm

[vincepri]

/milestone Next

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

[detiber]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

[randomvariable]

/remove-lifecycle stale /lifecycle frozen

[randomvariable]

/help

[k8s-ci-robot]

@randomvariable: This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[randomvariable]

/priority backlog /triage accepted

[richardcase]

/remove-lifecycle frozen

[dlipovetsky]

a mechanism to inject a CA Certificate into the certificate bundle that will be used to make AWS API requests.

This is the mechanism we need in order to use CAPA in AWS environments, like GovCloud, where AWS SSM (or other AWS services) use a custom, i.e. user-defined, CA.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[richardcase]

/remove-lifecycle stale

[k8s-triage-robot]

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

• Confirm that this issue is still relevant with /triage accepted (org members only)
• Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted