Send Traffic Through a Web Proxy
The following instructions and examples demonstrate how to configure Structsure and its tools to use a web proxy.
To configure pod egress traffic via the web proxy, environment variables are generally used. Some tools (notably Java-based applications) may require bespoke ways of injecting these variables; follow the tools' Helm chart documentation whenever possible.
The following is an example of standard proxy environment variables:
export NO_PROXY=127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
export no_proxy=$NO_PROXY
export HTTP_PROXY=https://proxy.structsure.io:3128
export http_proxy=$HTTP_PROXY
export HTTPS_PROXY=$HTTP_PROXY
export https_proxy=$HTTP_PROXY
Set both the lowercase and uppercase form of each proxy variable for legacy compatibility.
Traffic defaults to the proxy set in HTTP_PROXY or HTTPS_PROXY, while explicitly excluded traffic is defined in NO_PROXY. Your configuration and requirements will determine what goes where, but typically external traffic leaving the cluster should be sent through the proxy server, and internal traffic should be excluded.
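As an added example (not part of the Structsure documentation), the script below checks which destinations bypass the proxy under the NO_PROXY value shown above. The matching rule in the comments is a simplified assumption, since real clients differ in details such as CIDR and trailing-dot handling, and the sample hostnames are constructed.

```shell
#!/bin/sh
# Added example: which destinations bypass the proxy under this page's NO_PROXY?
# NO_PROXY_LIST is a copy of the value shown on this page.
NO_PROXY_LIST='127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.'

# proxy_decision HOST [LIST] -> prints "direct" or "proxy".
# Assumed matching rule (simplified; real clients differ in the details):
#   "*"        matches every host
#   ".suffix"  matches any host that ends with that exact suffix
#   "name"     matches "name" itself or any "*.name"
# Comparison is case-insensitive. No CIDR ranges, no port handling and no
# trailing-dot normalisation are applied.
proxy_decision() (
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    list=${2-$NO_PROXY_LIST}
    result=proxy
    IFS=,
    set -f    # keep a "*" entry from being expanded as a glob
    for entry in $list; do
        entry=$(printf '%s' "$entry" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
        [ -n "$entry" ] || continue
        case $entry in
            '*') result=direct ;;
            .*)  case $host in *"$entry") result=direct ;; esac ;;
            *)   case $host in "$entry"|*".$entry") result=direct ;; esac ;;
        esac
        if [ "$result" = direct ]; then break; fi
    done
    printf '%s\n' "$result"
)

# Constructed sample destinations (not from the page).
SAMPLE_HOSTS='169.254.169.254
kubernetes.default.svc.cluster.local
kubernetes.default.svc
ip-10-0-1-23.us-east-1.compute.internal
10.0.1.23
registry.example.com'

# audit_destinations: prints one "decision<TAB>host" line per sample host.
audit_destinations() {
    printf '%s\n' "$SAMPLE_HOSTS" | while IFS= read -r h; do
        printf '%s\t%s\n' "$(proxy_decision "$h")" "$h"
    done
}

audit_destinations
```

Under this rule the short name kubernetes.default.svc is sent to the proxy, because the .svc. entry only matches names written with a trailing dot, and the bare address 10.0.1.23 is proxied because no entry covers it. Confirm how each client in the cluster treats these two cases before relying on the list.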
RKE2
On RKE2 clusters, insert/uncomment the proxy lines in rke2-cluster/files/pre_userdata.tpl on the initial setup.
Currently, in order to set the proxy for EBS CSI drivers, you will need to edit the template for the AWS EBS CSI driver during the pre-user data with your proxy information.
This template is baked into the Structsure AMI itself, so you will have to edit it during cloud init.
AWS EBS CSI Driver
In the AWS EBS CSI driver, the YAML is located at /var/lib/rancher/rke2/server/manifests/ on RKE2 instances.
Append your rules to the end of the file:
proxy:
  http_proxy: https://proxy.structsure.io:3128
  no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
AWS EBS CSI driver documentation
Applications
To configure each application, pay attention to the documentation for that application's Helm chart, as the required values differ. These values can be configured in Big Bang values before setup or in the ConfigMaps of the structsure-system namespace, typically called {{application}}-overrides.
The following is an example override config map:
apiVersion: v1
kind: ConfigMap
metadata:
  name: sonarqube-overrides
  namespace: structsure-system
data:
  values.yaml: |
    addons:
      sonarqube:
        values:
          env:
            - name: HTTPS_PROXY
              value: https://proxy.structsure.io:3128
            - name: HTTP_PROXY
              value: https://proxy.structsure.io:3128
            - name: https_proxy
              value: https://proxy.structsure.io:3128
            - name: http_proxy
              value: https://proxy.structsure.io:3128
            - name: NO_PROXY
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
            - name: no_proxy
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Kyverno can have a cluster policy to add these variables to containers you specify; however, this may not work for all applications.
https://release-1-8-0.kyverno.io/policies/other/add-pod-proxies/add-pod-proxies/
Argo CD
addons:
  argocd:
    global:
      env:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
You can configure individual deployments if needed (applicationSet.extraEnv):
addons:
  argocd:
    applicationSet:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Argo CD global.env README and values.yaml
Cert Manager
Cert Manager supports these variables directly:
addons:
  cert-manager:
    values:
      http_proxy: https://proxy.structsure.io:3128
      https_proxy: https://proxy.structsure.io:3128
      no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Cert Manager README
Cluster Autoscaler
packages:
  cluster-autoscaler:
    values:
      extraEnv:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Cluster Autoscaler README
Confluence
addons:
  confluence:
    values:
      confluence:
        tomcatConfig:
          # proxyName is retrieved from ingress.host value
          proxyName: proxy.structsure.io
          # proxyPort is set depending on ingress.https value (80 if http, 443 if https)
          proxyPort: 3128
        additionalEnvironmentVariables:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Confluence documentation and Proxy setup Guide
Console
packages:
  console:
    values:
      envs:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
GitLab
addons:
  gitlab:
    values:
      global:
        extraEnv:
          HTTPS_PROXY: https://proxy.structsure.io:3128
          HTTP_PROXY: https://proxy.structsure.io:3128
          https_proxy: https://proxy.structsure.io:3128
          http_proxy: https://proxy.structsure.io:3128
          NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
GitLab documentation
GitLab Runner
runners.config is a YAML-encoded string, so you will need to manually merge changes into the existing config, since they cannot be merged automatically.
addons:
  gitlabRunner:
    values:
      extraEnv:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      runners:
        config: |
          [[runners]]
            environment = [
              "HTTP_PROXY=https://proxy.structsure.io:3128",
              "http_proxy=https://proxy.structsure.io:3128",
              "HTTPS_PROXY=https://proxy.structsure.io:3128",
              "https_proxy=https://proxy.structsure.io:3128",
              "NO_PROXY=127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.",
              "no_proxy=127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc."
            ]
Gitlab-runner values.yaml and README
Grafana
addons:
  grafana:
    values:
      env:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Grafana documentation
Jira
addons:
  jira:
    values:
      jira:
        additionalEnvironmentVariables:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Jira Documentation
Keycloak
addons:
  keycloak:
    values:
      secrets:
        env:
          stringData:
            HTTPS_PROXY: https://proxy.structsure.io:3128
            HTTP_PROXY: https://proxy.structsure.io:3128
            https_proxy: https://proxy.structsure.io:3128
            http_proxy: https://proxy.structsure.io:3128
            NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
            no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Keycloak Documentation
Loki
loki:
  values:
    singleBinary:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
The stateful set is the singleBinary for normal setups; all are listed for reference.
loki:
  values:
    monitoring:
      lokiCanary:
        extraEnv:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    write:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    tableManager:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    read:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    gateway:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Loki Documentation
Mattermost
addons:
  mattermost:
    values:
      mattermostEnvs:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Mattermost values.yaml
NeuVector
addons:
  nuevector:
    values:
      controller:
        env:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      enforcer:
        env:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254
      manager:
        env:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      cve:
        scanner:
          env:
            - name: HTTPS_PROXY
              value: https://proxy.structsure.io:3128
            - name: HTTP_PROXY
              value: https://proxy.structsure.io:3128
            - name: https_proxy
              value: https://proxy.structsure.io:3128
            - name: http_proxy
              value: https://proxy.structsure.io:3128
            - name: NO_PROXY
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
            - name: no_proxy
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Promtail
addons:
  promtail:
    values:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Promtail documentation
Sonarqube
addons:
  sonarqube:
    values:
      env:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      # These Proxy values are used by java, seemingly for the upgrade server only
      # sonarProperties:
      #   http.proxyHost: proxy.structsure.io
      #   http.proxyPort: 3128
      #   https.proxyHost: proxy.structsure.io
      #   https.proxyPort: 3128
Sonarqube values.yaml and upstream README
Tempo
addons:
  tempo:
    values:
      tempo:
        extraEnv:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Tempo documentation
Twistlock
addons:
  twistlock:
    defender:
      proxy:
        address: "https://proxy.structsure.io:3128" # Address and port of the proxy
        ca: "" # CA certificate to trust (optional)
twistlock values.yaml
Vault
addons:
  vault:
    server:
      extraEnvironmentVars:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Vault documentation
Velero
Velero currently uses a secret to inject envs.
addons:
  velero:
    values:
      credentials:
        extraEnvVars:
          HTTPS_PROXY: https://proxy.structsure.io:3128
          HTTP_PROXY: https://proxy.structsure.io:3128
          https_proxy: https://proxy.structsure.io:3128
          http_proxy: https://proxy.structsure.io:3128
          NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
Velero configuration.extraEnvVars values.yaml