Proxy rename support

MGMT-16796 Added new proxy option that sets the cluster proxy to the desired configuration. Proxy editing with recert is required to avoid rollouts / reboots
rh-ecosystem-edge · Mar 25, 2024 · 05a6437 · 05a6437
1 parent 3a23933
commit 05a6437
Show file tree

Hide file tree

Showing 17 changed files with 1,807 additions and 112 deletions.
diff --git a/build.rs b/build.rs
@@ -21,6 +21,7 @@ fn generate_protobuf_code() -> Result<()> {
 
     prost_build.compile_protos(
         &[
+            "k8s.io/api/batch/v1/generated.proto",
             "k8s.io/api/core/v1/generated.proto",
             "k8s.io/api/admissionregistration/v1/generated.proto",
             "k8s.io/api/apps/v1/generated.proto",

diff --git a/hack/dummy_config.yaml b/hack/dummy_config.yaml
@@ -0,0 +1,100 @@
+dry_run: false
+etcd_endpoint: localhost:2379
+crypto_dirs:
+- backup/etc/kubernetes
+- backup/var/lib/kubelet
+- backup/etc/machine-config-daemon
+crypto_files:
+- backup/etc/mcs-machine-config-content.json
+cluster_customization_dirs:
+- backup/etc/kubernetes
+- backup/var/lib/kubelet
+- backup/etc/machine-config-daemon
+- backup/etc/pki/ca-trust
+cluster_customization_files:
+- backup/etc/mcs-machine-config-content.json
+- backup/etc/mco/proxy.env
+cn_san_replace_rules:
+- api-int.seed.redhat.com:api-int.new-name.foo.com
+- api.seed.redhat.com:api.new-name.foo.com
+- "*.apps.seed.redhat.com:*.apps.new-name.foo.com"
+- 192.168.126.10:192.168.127.11
+use_cert_rules:
+- |
+    -----BEGIN CERTIFICATE-----
+    MIICyzCCAbMCFAoie5EUqnUAHimqxbJBHV0MGVbwMA0GCSqGSIb3DQEBCwUAMCIx
+    IDAeBgNVBAMMF2FkbWluLWt1YmVjb25maWctc2lnbmVyMB4XDTI0MDEwOTEzMTky
+    NVoXDTI0MDIwODEzMTkyNVowIjEgMB4GA1UEAwwXYWRtaW4ta3ViZWNvbmZpZy1z
+    aWduZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2fz96uc8fDoNV
+    RaBB9iQ+i5Y76IZf0XOdGID8WVaqPlqH+NgLUaFa39T+78FhZW3794Lbeyu/PnYT
+    ufMyKnJEulVO7W7gPHaqWyuN08/m6SH5ycTEgUAXK1q1yVR/vM6HnV/UPUCfbDaW
+    RFOrUgGNwNywhEjqyzyUxJFixxS6Rk7JmouROD2ciNhBn6wNFByVHN9j4nQUOhXC
+    A0JjuiPH7ybvcHjmg3mKDJusyVq4pl0faahOxn0doILfXaHHwRxyEnP3V3arpPer
+    FvwlHh2Cfat+ijFPSD9pN3KmoeAviOHZVLQ/jKzkQvzlvva3mhEpLE5Zje1lMpvq
+    fjDheW9bAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAC7oi/Ht0lidcx6XvOBz6W1m
+    LU02e2yHuDzw6E3WuNoqAdPpleFRV4mLDnv8mEavH5sje0L5veHtOq3Ny4pc06B+
+    ETB2aCW4GQ4mPvN9Jyi6sxLQQaVLpFrtPPB08NawNbbcYWUrAihO1uIXLhaCYZWw
+    H3aWlqRvGECazYZIPcFoV20jygrcwMhixSZjYyHhJN0LYO5sjiKcMnI8EkHuqE17
+    7CPogicZte+m49Mo+f7b8asmKBSafdTUSVAt9Q3Fc3PTJSMW5lxfx1vIR/og33WJ
+    BgIejfD1dYW2Fp02z5sF6Pw6vhobpfDYgsTAKNonh5P6NxMiD14eQxYrNJ6DAF0=
+    -----END CERTIFICATE-----
+cluster_rename: new-name:foo.com:some-random-infra-id
+hostname: test.hostname
+ip: 192.168.126.99
+proxy: http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3128|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3130|.cluster.local,.kni-qe-2.lab.eng.rdu2.redhat.com,.svc,127.0.0.1,2620:52:0:11c::/64,2620:52:0:11c::1,2620:52:0:11c::10,2620:52:0:11c::11,2620:52:0:199::/64,api-int.kni-qe-2.lab.eng.rdu2.redhat.com,fd01::/48,fd02::/112,localhost|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3128|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3130|.cluster.local,.kni-qe-2.lab.eng.rdu2.redhat.com,.svc,127.0.0.1,2620:52:0:11c::/64,2620:52:0:11c::1,2620:52:0:11c::10,2620:52:0:11c::11,2620:52:0:199::/64,api-int.kni-qe-2.lab.eng.rdu2.redhat.com,fd01::/48,fd02::/112,localhost,moreproxy
+kubeadmin_password_hash: "$2a$10$20Q4iRLy7cWZkjn/D07bF.RZQZonKwstyRGH0qiYbYRkx5Pe4Ztyi"
+additional_trust_bundle: |
+    # Foo
+    -----BEGIN CERTIFICATE-----
+    MIIDZTCCAk2gAwIBAgIUP+AxIkXJXTEhNGLH2qjmE6Gp0fowDQYJKoZIhvcNAQEL
+    BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+    CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDIyNTlaFw0yNTAzMDEx
+    MDIyNTlaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+    BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+    DwAwggEKAoIBAQC0wzg+7X2Amb5g60g0TstLgC0XnJRZq/YZUUsJMmm3qMb/+GYJ
+    AJzHxiycUfbRJtYvjx0SBmAX/kDRVCEQKcN5d/y3zeq709YO40kvouScfstsxM8l
+    PFLOmM8/Dqey1WblSJERBLbLherDnMwR7EMXkyZ/AfHUXmhVoIZE9ywsZpNcVW6Z
+    7x/+Izbj1s305vrxEkZDw6b3oMG5uooQgP5NZFXSamzJgviP0L/usvbRMtAWphoj
+    WhMeNuOdymLwRzm2l+2Qp/JDWktgHccmrbbi1c6pwhsIJBj4KOyb9zROTnYXyS/j
+    0b7GzVcffveV6E58rGa2ILyIsCv6gt8LgFnxAgMBAAGjUzBRMB0GA1UdDgQWBBQ5
+    nh0SeZxZ969ps+9ywPEoOVasxTAfBgNVHSMEGDAWgBQ5nh0SeZxZ969ps+9ywPEo
+    OVasxTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAWxsqfdm8h
+    AeNY8vPcRdtB9KYU5sZLs4NtlBFSdn+pHmeXZwwkjQDNhVcEMKdpZI4BpS11Ggwh
+    1d3BCCC/5M6yVqm+EMKJvA9VCeM8d1WJ1yVyXcgGuegf8kr3v+lr7Ll59qZGP5Ir
+    WwE8WRns7uFOCqYJCxo1VFXitZZuIugr3NUSimBPoJf1hDYdye3K3Q+grF2GyNII
+    5Yo+/VSR4ejIvJYAFp91Ycep7S0/+qhFpsjEG0Qw3Ly6WqQoCqdmIsyqFgWHsIlY
+    oJxV5wTX/c9DDZLR0VUD19aDV3B9kb7Cf+h7S4RsORWCyi7+58FKkkD6Ryc0I1K6
+    xw3RWhfd9o1d
+    -----END CERTIFICATE-----
+
+
+
+    # All
+    # the Bars
+    -----BEGIN CERTIFICATE-----
+    MIIDZTCCAk2gAwIBAgIULnisjJLte3Vvt4o1f+5vSQg542cwDQYJKoZIhvcNAQEL
+    BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
+    CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDI1MDFaFw0yNTAzMDEx
+    MDI1MDFaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
+    BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+    DwAwggEKAoIBAQC2dhK7xTnoTB3wN1l3NsLTp5YR0KFfBTjMcDgSzUy/GN79c2cF
+    JzSuiYUi7SCmFjn3soNqpXHFzCox6KIs9R6PL4epaQM76EVG/Xy6mdDvFnZvqypi
+    wmK6J0AGajOxItYUGb2a3Zmt/2nliW6t8sW/vhovHRu7YROo4uJygIp2UUFct2Lk
+    8C7XkJX5RXW+sKTiNddIjhmDFD0vHfvNvQ6AIayJTmXy272+aqYNJWB2wS/2uD3Z
+    +WOpiINetCtkASoiE7nzBQw+WsTfeFJH2TnI5pnSaHdLRUQtzoLO0/FgQ5WBfJg5
+    aH03DLfQ9GEdzlsOkPOEgHXqDFMjTQCwcue3AgMBAAGjUzBRMB0GA1UdDgQWBBRd
+    0Zs+cm0gPHGKoQrerC18Pa3B3zAfBgNVHSMEGDAWgBRd0Zs+cm0gPHGKoQrerC18
+    Pa3B3zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAepPrWqB9h
+    JkqtgJrP8SkQVulTVKYj66J5JxM5vZR96Z4UnbA3WNxezev0jMCYuV0twHPN8avs
+    Jern+/n7vgQ3ziiLVdtrN8PqK1X1apSurVmaiIw4tRcv5TVL5OD95sTyJh5bUBpM
+    DGtCTraPZxLIDKm9byunobXtJVcutw4oHKtFy/LlFWePCnvFzvx6ZFswLAXgxhf9
+    EtjDf3v0cjDn9yRzjYFrwHiQ53A75YTwFyk21q7Gh1G0yspfBeq7cej2wK1PnfiC
+    42TI0UzcqRV4CWDoARMSV8yMLajZ0g1eEreUprwmFcOy17V7KCeV6E8lKb21OU8M
+    Ad9q3H0iXjct
+    -----END CERTIFICATE-----
+summary_file: summary.yaml
+summary_file_clean: summary_redacted.yaml
+extend_expiration: true
+force_expire: false
+pull_secret: '{"auths":{"empty_registry":{"username":"empty","password":"empty","auth":"ZW1wdHk6ZW1wdHk=","email":""}}}'
+threads: 1
diff --git a/run_seed.sh b/run_seed.sh
@@ -67,106 +67,7 @@ sudo unshare --mount -- bash -c "mount --bind /dev/null .cargo/config.toml && su
 if [[ -n "$WITH_CONFIG" ]]; then
 	echo "Using config"
 	# shellcheck disable=2016
-	RECERT_CONFIG=<(echo '
-dry_run: false
-etcd_endpoint: localhost:2379
-crypto_dirs:
-- backup/etc/kubernetes
-- backup/var/lib/kubelet
-- backup/etc/machine-config-daemon
-crypto_files:
-- backup/etc/mcs-machine-config-content.json
-cluster_customization_dirs:
-- backup/etc/kubernetes
-- backup/var/lib/kubelet
-- backup/etc/machine-config-daemon
-- backup/etc/pki/ca-trust
-cluster_customization_files:
-- backup/etc/mcs-machine-config-content.json
-cn_san_replace_rules:
-- api-int.seed.redhat.com:api-int.new-name.foo.com
-- api.seed.redhat.com:api.new-name.foo.com
-- "*.apps.seed.redhat.com:*.apps.new-name.foo.com"
-- 192.168.126.10:192.168.127.11
-use_cert_rules:
-- |
-    -----BEGIN CERTIFICATE-----
-    MIICyzCCAbMCFAoie5EUqnUAHimqxbJBHV0MGVbwMA0GCSqGSIb3DQEBCwUAMCIx
-    IDAeBgNVBAMMF2FkbWluLWt1YmVjb25maWctc2lnbmVyMB4XDTI0MDEwOTEzMTky
-    NVoXDTI0MDIwODEzMTkyNVowIjEgMB4GA1UEAwwXYWRtaW4ta3ViZWNvbmZpZy1z
-    aWduZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2fz96uc8fDoNV
-    RaBB9iQ+i5Y76IZf0XOdGID8WVaqPlqH+NgLUaFa39T+78FhZW3794Lbeyu/PnYT
-    ufMyKnJEulVO7W7gPHaqWyuN08/m6SH5ycTEgUAXK1q1yVR/vM6HnV/UPUCfbDaW
-    RFOrUgGNwNywhEjqyzyUxJFixxS6Rk7JmouROD2ciNhBn6wNFByVHN9j4nQUOhXC
-    A0JjuiPH7ybvcHjmg3mKDJusyVq4pl0faahOxn0doILfXaHHwRxyEnP3V3arpPer
-    FvwlHh2Cfat+ijFPSD9pN3KmoeAviOHZVLQ/jKzkQvzlvva3mhEpLE5Zje1lMpvq
-    fjDheW9bAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAC7oi/Ht0lidcx6XvOBz6W1m
-    LU02e2yHuDzw6E3WuNoqAdPpleFRV4mLDnv8mEavH5sje0L5veHtOq3Ny4pc06B+
-    ETB2aCW4GQ4mPvN9Jyi6sxLQQaVLpFrtPPB08NawNbbcYWUrAihO1uIXLhaCYZWw
-    H3aWlqRvGECazYZIPcFoV20jygrcwMhixSZjYyHhJN0LYO5sjiKcMnI8EkHuqE17
-    7CPogicZte+m49Mo+f7b8asmKBSafdTUSVAt9Q3Fc3PTJSMW5lxfx1vIR/og33WJ
-    BgIejfD1dYW2Fp02z5sF6Pw6vhobpfDYgsTAKNonh5P6NxMiD14eQxYrNJ6DAF0=
-    -----END CERTIFICATE-----
-cluster_rename: new-name:foo.com:some-random-infra-id
-hostname: test.hostname
-ip: 192.168.126.99
-kubeadmin_password_hash: "$2a$10$20Q4iRLy7cWZkjn/D07bF.RZQZonKwstyRGH0qiYbYRkx5Pe4Ztyi"
-additional_trust_bundle: |
-    # Foo
-    -----BEGIN CERTIFICATE-----
-    MIIDZTCCAk2gAwIBAgIUP+AxIkXJXTEhNGLH2qjmE6Gp0fowDQYJKoZIhvcNAQEL
-    BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
-    CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDIyNTlaFw0yNTAzMDEx
-    MDIyNTlaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
-    BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-    DwAwggEKAoIBAQC0wzg+7X2Amb5g60g0TstLgC0XnJRZq/YZUUsJMmm3qMb/+GYJ
-    AJzHxiycUfbRJtYvjx0SBmAX/kDRVCEQKcN5d/y3zeq709YO40kvouScfstsxM8l
-    PFLOmM8/Dqey1WblSJERBLbLherDnMwR7EMXkyZ/AfHUXmhVoIZE9ywsZpNcVW6Z
-    7x/+Izbj1s305vrxEkZDw6b3oMG5uooQgP5NZFXSamzJgviP0L/usvbRMtAWphoj
-    WhMeNuOdymLwRzm2l+2Qp/JDWktgHccmrbbi1c6pwhsIJBj4KOyb9zROTnYXyS/j
-    0b7GzVcffveV6E58rGa2ILyIsCv6gt8LgFnxAgMBAAGjUzBRMB0GA1UdDgQWBBQ5
-    nh0SeZxZ969ps+9ywPEoOVasxTAfBgNVHSMEGDAWgBQ5nh0SeZxZ969ps+9ywPEo
-    OVasxTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAWxsqfdm8h
-    AeNY8vPcRdtB9KYU5sZLs4NtlBFSdn+pHmeXZwwkjQDNhVcEMKdpZI4BpS11Ggwh
-    1d3BCCC/5M6yVqm+EMKJvA9VCeM8d1WJ1yVyXcgGuegf8kr3v+lr7Ll59qZGP5Ir
-    WwE8WRns7uFOCqYJCxo1VFXitZZuIugr3NUSimBPoJf1hDYdye3K3Q+grF2GyNII
-    5Yo+/VSR4ejIvJYAFp91Ycep7S0/+qhFpsjEG0Qw3Ly6WqQoCqdmIsyqFgWHsIlY
-    oJxV5wTX/c9DDZLR0VUD19aDV3B9kb7Cf+h7S4RsORWCyi7+58FKkkD6Ryc0I1K6
-    xw3RWhfd9o1d
-    -----END CERTIFICATE-----
-
-
-
-    # All
-    # the Bars
-    -----BEGIN CERTIFICATE-----
-    MIIDZTCCAk2gAwIBAgIULnisjJLte3Vvt4o1f+5vSQg542cwDQYJKoZIhvcNAQEL
-    BQAwQjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE
-    CgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMDExMDI1MDFaFw0yNTAzMDEx
-    MDI1MDFaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAa
-    BgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-    DwAwggEKAoIBAQC2dhK7xTnoTB3wN1l3NsLTp5YR0KFfBTjMcDgSzUy/GN79c2cF
-    JzSuiYUi7SCmFjn3soNqpXHFzCox6KIs9R6PL4epaQM76EVG/Xy6mdDvFnZvqypi
-    wmK6J0AGajOxItYUGb2a3Zmt/2nliW6t8sW/vhovHRu7YROo4uJygIp2UUFct2Lk
-    8C7XkJX5RXW+sKTiNddIjhmDFD0vHfvNvQ6AIayJTmXy272+aqYNJWB2wS/2uD3Z
-    +WOpiINetCtkASoiE7nzBQw+WsTfeFJH2TnI5pnSaHdLRUQtzoLO0/FgQ5WBfJg5
-    aH03DLfQ9GEdzlsOkPOEgHXqDFMjTQCwcue3AgMBAAGjUzBRMB0GA1UdDgQWBBRd
-    0Zs+cm0gPHGKoQrerC18Pa3B3zAfBgNVHSMEGDAWgBRd0Zs+cm0gPHGKoQrerC18
-    Pa3B3zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAepPrWqB9h
-    JkqtgJrP8SkQVulTVKYj66J5JxM5vZR96Z4UnbA3WNxezev0jMCYuV0twHPN8avs
-    Jern+/n7vgQ3ziiLVdtrN8PqK1X1apSurVmaiIw4tRcv5TVL5OD95sTyJh5bUBpM
-    DGtCTraPZxLIDKm9byunobXtJVcutw4oHKtFy/LlFWePCnvFzvx6ZFswLAXgxhf9
-    EtjDf3v0cjDn9yRzjYFrwHiQ53A75YTwFyk21q7Gh1G0yspfBeq7cej2wK1PnfiC
-    42TI0UzcqRV4CWDoARMSV8yMLajZ0g1eEreUprwmFcOy17V7KCeV6E8lKb21OU8M
-    Ad9q3H0iXjct
-    -----END CERTIFICATE-----
-summary_file: summary.yaml
-summary_file_clean: summary_redacted.yaml
-extend_expiration: true
-force_expire: false
-pull_secret: "{\"auths\":{\"empty_registry\":{\"username\":\"empty\",\"password\":\"empty\",\"auth\":\"ZW1wdHk6ZW1wdHk=\",\"email\":\"\"}}}"
-threads: 1
-') cargo run --release
+	RECERT_CONFIG="$SCRIPT_DIR/hack/dummy_config.yaml" cargo run --release
 else
 	# shellcheck disable=2016
 	cargo run -- \
@@ -182,6 +83,7 @@ else
 		--cluster-customization-dir backup/etc/machine-config-daemon \
 		--cluster-customization-dir backup/etc/pki/ca-trust \
 		--cluster-customization-file backup/etc/mcs-machine-config-content.json \
+        --cluster-customization-file backup/etc/mco/proxy.env \
         \
 		--cn-san-replace api-int.seed.redhat.com:api-int.new-name.foo.com \
 		--cn-san-replace api.seed.redhat.com:api.new-name.foo.com \
@@ -192,6 +94,7 @@ else
 		--cluster-rename new-name:foo.com:some-random-infra-id \
 		--hostname test.hostname \
 		--ip 192.168.126.99 \
+		--proxy 'http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3128|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3130|.cluster.local,.kni-qe-2.lab.eng.rdu2.redhat.com,.svc,127.0.0.1,2620:52:0:11c::/64,2620:52:0:11c::1,2620:52:0:11c::10,2620:52:0:11c::11,2620:52:0:199::/64,api-int.kni-qe-2.lab.eng.rdu2.redhat.com,fd01::/48,fd02::/112,localhost|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3128|http://registry.kni-qe-0.lab.eng.rdu2.redhat.com:3130|.cluster.local,.kni-qe-2.lab.eng.rdu2.redhat.com,.svc,127.0.0.1,2620:52:0:11c::/64,2620:52:0:11c::1,2620:52:0:11c::10,2620:52:0:11c::11,2620:52:0:199::/64,api-int.kni-qe-2.lab.eng.rdu2.redhat.com,fd01::/48,fd02::/112,localhost,moreproxy' \
 		--kubeadmin-password-hash '$2a$10$20Q4iRLy7cWZkjn/D07bF.RZQZonKwstyRGH0qiYbYRkx5Pe4Ztyi' \
 		--additional-trust-bundle ./hack/dummy_trust_bundle.pem \
 		--pull-secret '{"auths":{"empty_registry":{"username":"empty","password":"empty","auth":"ZW1wdHk6ZW1wdHk=","email":""}}}' \

diff --git a/src/cluster_crypto/locations.rs b/src/cluster_crypto/locations.rs
@@ -483,6 +483,7 @@ impl K8sResourceLocation {
                 Some(apiversion_first_component_value) => {
                     match apiversion_first_component_value {
                         "operator.openshift.io"
+                        | "monitoring.coreos.com"
                         | "apiregistration.k8s.io"
                         | "machineconfiguration.openshift.io"
                         | "config.openshift.io"

diff --git a/src/config.rs b/src/config.rs
@@ -2,7 +2,7 @@ use self::{cli::Cli, path::ConfigPath};
 use crate::{
     cluster_crypto::REDACT_SECRETS,
     cnsanreplace::{CnSanReplace, CnSanReplaceRules},
-    ocp_postprocess::cluster_domain_rename::params::ClusterNamesRename,
+    ocp_postprocess::{cluster_domain_rename::params::ClusterNamesRename, proxy_rename::args::Proxy},
     use_cert::{UseCert, UseCertRules},
     use_key::{UseKey, UseKeyRules},
 };
@@ -38,6 +38,7 @@ pub(crate) struct ClusterCustomizations {
     pub(crate) cluster_rename: Option<ClusterNamesRename>,
     pub(crate) hostname: Option<String>,
     pub(crate) ip: Option<String>,
+    pub(crate) proxy: Option<Proxy>,
     pub(crate) kubeadmin_password_hash: Option<String>,
     #[serde(serialize_with = "redact")]
     pub(crate) pull_secret: Option<String>,
@@ -138,6 +139,7 @@ impl RecertConfig {
                 kubeadmin_password_hash: None,
                 pull_secret: None,
                 additional_trust_bundle: None,
+                proxy: None,
             },
             threads: None,
             regenerate_server_ssh_keys: None,
@@ -196,6 +198,12 @@ impl RecertConfig {
             Some(value) => Some(value.as_str().context("pull_secret must be a string")?.to_string()),
             None => None,
         };
+        let proxy = match value.remove("proxy") {
+            Some(value) => Some(
+                Proxy::parse(value.as_str().context("proxy must be a string")?).context(format!("proxy {}", value.as_str().unwrap()))?,
+            ),
+            None => None,
+        };
         let set_kubeadmin_password_hash = match value.remove("kubeadmin_password_hash") {
             Some(value) => Some(value.as_str().context("set_kubeadmin_password_hash must be a string")?.to_string()),
             None => None,
@@ -257,6 +265,7 @@ impl RecertConfig {
             kubeadmin_password_hash: set_kubeadmin_password_hash,
             pull_secret,
             additional_trust_bundle,
+            proxy,
         };
 
         let recert_config = Self {
@@ -326,6 +335,7 @@ impl RecertConfig {
                 cluster_rename: cli.cluster_rename,
                 hostname: cli.hostname,
                 ip: cli.ip,
+                proxy: cli.proxy,
                 kubeadmin_password_hash: cli.kubeadmin_password_hash,
                 pull_secret: cli.pull_secret,
                 additional_trust_bundle: cli.additional_trust_bundle,

diff --git a/src/config/cli.rs b/src/config/cli.rs
@@ -1,5 +1,8 @@
 use crate::{
-    cnsanreplace::CnSanReplace, ocp_postprocess::cluster_domain_rename::params::ClusterNamesRename, use_cert::UseCert, use_key::UseKey,
+    cnsanreplace::CnSanReplace,
+    ocp_postprocess::{cluster_domain_rename::params::ClusterNamesRename, proxy_rename::args::Proxy},
+    use_cert::UseCert,
+    use_key::UseKey,
 };
 use clap::Parser;
 use clio::ClioPath;
@@ -67,6 +70,10 @@ pub(crate) struct Cli {
     #[clap(long)]
     pub(crate) ip: Option<String>,
 
+    /// If given, the cluster's HTTP proxy configuration will be modified to use this one instead.
+    #[clap(long, value_parser = Proxy::parse)]
+    pub(crate) proxy: Option<Proxy>,
+
     /// Modify the OCP kubeadmin password secret hash. If given but empty, the kubeadmin password
     /// secret will be deleted (thus disabling password login). If given and non-empty, the secret
     /// will be updated with the given password hash, unless no existing kubeadmin secret resource

diff --git a/src/etcd_encoding.rs b/src/etcd_encoding.rs
@@ -3,7 +3,8 @@ use super::protobuf_gen::{
     k8s::io::{
         api::{
             admissionregistration::v1::{MutatingWebhookConfiguration, ValidatingWebhookConfiguration},
-            apps::v1::{DaemonSet, Deployment},
+            apps::v1::{ControllerRevision, DaemonSet, Deployment, StatefulSet},
+            batch::v1::{CronJob, Job},
             core::v1::{ConfigMap, Secret},
         },
         apimachinery::pkg::runtime::{TypeMeta, Unknown},
@@ -50,6 +51,10 @@ macro_rules! k8s_type {
 k8s_type!(RouteWithMeta, Route);
 k8s_type!(DaemonsSetWithMeta, DaemonSet);
 k8s_type!(DeploymentWithMeta, Deployment);
+k8s_type!(ControllerRevisionWithMeta, ControllerRevision);
+k8s_type!(JobWithMeta, Job);
+k8s_type!(CronJobWithMeta, CronJob);
+k8s_type!(StatefulSetWithMeta, StatefulSet);
 k8s_type!(ConfigMapWithMeta, ConfigMap);
 k8s_type!(SecretWithMeta, Secret);
 k8s_type!(ValidatingWebhookConfigurationWithMeta, ValidatingWebhookConfiguration);
@@ -67,6 +72,10 @@ pub(crate) async fn decode(data: &[u8]) -> Result<Vec<u8>> {
     Ok(match kind {
         "Route" => serde_json::to_vec(&RouteWithMeta::try_from(unknown)?)?,
         "Deployment" => serde_json::to_vec(&DeploymentWithMeta::try_from(unknown)?)?,
+        "ControllerRevision" => serde_json::to_vec(&ControllerRevisionWithMeta::try_from(unknown)?)?,
+        "Job" => serde_json::to_vec(&JobWithMeta::try_from(unknown)?)?,
+        "CronJob" => serde_json::to_vec(&CronJobWithMeta::try_from(unknown)?)?,
+        "StatefulSet" => serde_json::to_vec(&StatefulSetWithMeta::try_from(unknown)?)?,
         "DaemonSet" => serde_json::to_vec(&DaemonsSetWithMeta::try_from(unknown)?)?,
         "ConfigMap" => serde_json::to_vec(&ConfigMapWithMeta::try_from(unknown)?)?,
         "Secret" => serde_json::to_vec(&SecretWithMeta::try_from(unknown)?)?,
@@ -93,6 +102,10 @@ pub(crate) async fn encode(data: &[u8]) -> Result<Vec<u8>> {
             "Route" => Unknown::from(serde_json::from_slice::<RouteWithMeta>(data)?),
             "Secret" => Unknown::from(serde_json::from_slice::<SecretWithMeta>(data)?),
             "Deployment" => Unknown::from(serde_json::from_slice::<DeploymentWithMeta>(data)?),
+            "ControllerRevision" => Unknown::from(serde_json::from_slice::<ControllerRevisionWithMeta>(data)?),
+            "Job" => Unknown::from(serde_json::from_slice::<JobWithMeta>(data)?),
+            "CronJob" => Unknown::from(serde_json::from_slice::<CronJobWithMeta>(data)?),
+            "StatefulSet" => Unknown::from(serde_json::from_slice::<StatefulSetWithMeta>(data)?),
             "DaemonSet" => Unknown::from(serde_json::from_slice::<DaemonsSetWithMeta>(data)?),
             "ValidatingWebhookConfiguration" => Unknown::from(serde_json::from_slice::<ValidatingWebhookConfigurationWithMeta>(data)?),
             "MutatingWebhookConfiguration" => Unknown::from(serde_json::from_slice::<MutatingWebhookConfigurationWithMeta>(data)?),