Version: 5.19.0

Send Traffic Through a Web Proxy

The following instructions and examples demonstrate how to configure Structsure and its tools to use a web proxy.

To configure pod egress traffic via the web proxy, environment variables are generally used. Some tools (notably Java-based applications) may require bespoke ways of injecting these variables; follow the tools' Helm chart documentation whenever possible.

The following is an example of standard proxy environment variables:

export NO_PROXY=127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
export no_proxy=$NO_PROXY
export HTTP_PROXY=https://proxy.structsure.io:3128
export http_proxy=$HTTP_PROXY
export HTTPS_PROXY=$HTTP_PROXY
export https_proxy=$HTTP_PROXY

Tip: Set both the lowercase and uppercase form of each proxy variable for legacy compatibility.

By default, traffic is sent to the proxy named in HTTP_PROXY or HTTPS_PROXY; destinations listed in NO_PROXY are explicitly excluded and bypass it. Your configuration and requirements determine what goes where, but typically external traffic leaving the cluster should be sent through the proxy server, and internal traffic should be excluded.
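A lint check for the tip above, as an added example (not part of the Structsure documentation): it flags a proxy block that sets only one case of a variable, whose case pairs disagree, or whose NO_PROXY lacks an exclusion you require. The function names, the REQUIRED list and the sample blocks are assumptions constructed for illustration; the blocks use the two shapes Helm charts commonly take (a name/value list or a plain map).

```python
# Added example: lint one proxy env block for case-pair and NO_PROXY drift.
PROXY = "https://proxy.structsure.io:3128"
NO_PROXY = ("127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,"
            ".elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.")
# Assumption: the exclusions this cluster must always keep off the proxy.
REQUIRED = ("127.0.0.1", "169.254.169.254", ".local", ".svc.")
NAMES = ("HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY")


def normalize_env(env):
    """Accept a Helm-style list of {name, value} items or a plain mapping."""
    if isinstance(env, dict):
        return {str(k): str(v) for k, v in env.items()}
    return {str(item["name"]): str(item["value"]) for item in env}


def split_no_proxy(value):
    """Split a NO_PROXY string into a set of trimmed, lowercased entries."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def lint_proxy_env(env, required=REQUIRED):
    """Return a list of findings; an empty list means the block is consistent."""
    env = normalize_env(env)
    findings = []
    for upper in NAMES:
        lower = upper.lower()
        if upper not in env and lower not in env:
            findings.append(f"{upper}: not set in either case")
        elif upper not in env or lower not in env:
            missing = upper if upper not in env else lower
            findings.append(f"{missing}: missing (only one case is set)")
        elif upper == "NO_PROXY":
            # Order and spacing do not matter for the exclusion list.
            if split_no_proxy(env[upper]) != split_no_proxy(env[lower]):
                findings.append("NO_PROXY/no_proxy: exclusion lists differ")
        elif env[upper] != env[lower]:
            findings.append(f"{upper}/{lower}: values differ")
    excluded = split_no_proxy(env.get("NO_PROXY", env.get("no_proxy", "")))
    for entry in required:
        if entry.lower() not in excluded:
            findings.append(f"NO_PROXY: required exclusion {entry} is absent")
    return findings


# Constructed samples, modelled on the shapes used in Helm values.
COMPLETE_LIST = [{"name": n, "value": v} for n, v in (
    ("HTTPS_PROXY", PROXY), ("HTTP_PROXY", PROXY), ("https_proxy", PROXY),
    ("http_proxy", PROXY), ("NO_PROXY", NO_PROXY), ("no_proxy", NO_PROXY))]
UPPER_ONLY_MAP = {"HTTPS_PROXY": PROXY, "HTTP_PROXY": PROXY, "NO_PROXY": NO_PROXY}
DRIFTED_MAP = dict(normalize_env(COMPLETE_LIST), NO_PROXY="127.0.0.1,.local,.svc.")

if __name__ == "__main__":
    for label, env in (("complete", COMPLETE_LIST), ("upper-only", UPPER_ONLY_MAP),
                       ("drifted", DRIFTED_MAP)):
        print(label, lint_proxy_env(env) or "ok")
```

Run it over each env block after parsing your override values; a finding about 169.254.169.254 means instance metadata requests from that workload would be sent to the proxy instead of directly.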

RKE2

On RKE2 clusters, insert/uncomment the proxy lines in rke2-cluster/files/pre_userdata.tpl on the initial setup.

Caution: To set the proxy for the EBS CSI driver, you currently need to edit the AWS EBS CSI driver template with your proxy information during the pre-user data stage.

This template is baked into the Structsure AMI itself, so you will have to edit it during cloud init.

AWS EBS CSI Driver

The AWS EBS CSI driver YAML is located in /var/lib/rancher/rke2/server/manifests/ on RKE2 instances.

Append your rules to the end of the file:

proxy:
  http_proxy: https://proxy.structsure.io:3128
  no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

AWS EBS CSI driver documentation

Applications

To configure each application, pay attention to the documentation for that application's Helm chart, as the required values differ. These values can be configured in Big Bang values before setup or in the ConfigMaps of the structsure-system namespace, typically called {{application}}-overrides.

The following is an example override config map:

apiVersion: v1
kind: ConfigMap
metadata:
  name: sonarqube-overrides
  namespace: structsure-system
data:
  values.yaml: |
    addons:
      sonarqube:
        values:
          env:
            - name: HTTPS_PROXY
              value: https://proxy.structsure.io:3128
            - name: HTTP_PROXY
              value: https://proxy.structsure.io:3128
            - name: https_proxy
              value: https://proxy.structsure.io:3128
            - name: http_proxy
              value: https://proxy.structsure.io:3128
            - name: NO_PROXY
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
            - name: no_proxy
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Note: A Kyverno cluster policy can add these variables to the containers you specify; however, this may not work for all applications.

https://release-1-8-0.kyverno.io/policies/other/add-pod-proxies/add-pod-proxies/

Argo CD

addons:
  argocd:
    global:
      env:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

You can also configure individual deployments if needed, for example with applicationSet.extraEnv:

addons:
  argocd:
    applicationSet:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Argo CD global.env README and values.yaml

Cert Manager

Cert Manager supports these variables directly:

addons:
  cert-manager:
    values:
      http_proxy: https://proxy.structsure.io:3128
      https_proxy: https://proxy.structsure.io:3128
      no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Cert Manager README

Cluster Autoscaler

packages:
  cluster-autoscaler:
    values:
      extraEnv:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Cluster Autoscaler README

Confluence

addons:
  confluence:
    values:
      confluence:
        tomcatConfig:
          # proxyName is retrieved from ingress.host value
          proxyName: proxy.structsure.io
          # proxyPort is set depending on ingress.https value (80 if http, 443 if https)
          proxyPort: 3128
        additionalEnvironmentVariables:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Confluence documentation and Proxy setup Guide

Console

packages:
  console:
    values:
      envs:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

GitLab

addons:
  gitlab:
    values:
      global:
        extraEnv:
          HTTPS_PROXY: https://proxy.structsure.io:3128
          HTTP_PROXY: https://proxy.structsure.io:3128
          https_proxy: https://proxy.structsure.io:3128
          http_proxy: https://proxy.structsure.io:3128
          NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Gitlab Documentation

GitLab Runner

Note: runners.config is a YAML-encoded string, so you will need to manually merge changes into the existing config, since they cannot be merged automatically.

addons:
  gitlabRunner:
    values:
      extraEnv:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      runners:
        config: |
          [[runners]]
            environment = [
              "HTTP_PROXY=https://proxy.structsure.io:3128",
              "http_proxy=https://proxy.structsure.io:3128",
              "HTTPS_PROXY=https://proxy.structsure.io:3128",
              "https_proxy=https://proxy.structsure.io:3128",
              "NO_PROXY=127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.",
              "no_proxy=127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc."
            ]

Gitlab-runner values.yaml and README

Grafana

addons:
  grafana:
    values:
      env:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Grafana documentation

Jira

addons:
  jira:
    values:
      jira:
        additionalEnvironmentVariables:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Jira Documentation

Keycloak

addons:
  keycloak:
    values:
      secrets:
        env:
          stringData:
            HTTPS_PROXY: https://proxy.structsure.io:3128
            HTTP_PROXY: https://proxy.structsure.io:3128
            https_proxy: https://proxy.structsure.io:3128
            http_proxy: https://proxy.structsure.io:3128
            NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
            no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Keycloak Documentation

Loki

loki:
  values:
    singleBinary:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Note: In normal setups the stateful set is the singleBinary; all components are listed for reference.

loki:
  values:
    monitoring:
      lokiCanary:
        extraEnv:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    write:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    tableManager:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    read:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
    gateway:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Loki Documentation

Mattermost

addons:
  mattermost:
    values:
      mattermostEnvs:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Mattermost values.yaml

Nexus Repository Manager

addons:
  nexusRepositoryManager:
    proxy:
      enabled: false
      request:
        tid: 1
        action: coreui_HttpSettings
        method: update
        type: rpc
        data:
          - httpEnabled: true
            httpHost: proxy.structsure.io
            httpPort: 3128
            httpsEnabled: true
            httpsHost: proxy.structsure.io
            httpsPort: 3128
            nonProxyHosts: ['127.0.0.1','169.254.169.254','.us-east-1.elb.amazonaws.com','.elb.us-east-1.amazonaws.com','.us-east-1.compute.internal','.local','.svc.']

Nexus Repository Manager values.yaml

Neuvector

addons:
  neuvector:
    values:
      controller:
        env:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      enforcer:
        env:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254
      manager:
        env:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      cve:
        scanner:
          env:
            - name: HTTPS_PROXY
              value: https://proxy.structsure.io:3128
            - name: HTTP_PROXY
              value: https://proxy.structsure.io:3128
            - name: https_proxy
              value: https://proxy.structsure.io:3128
            - name: http_proxy
              value: https://proxy.structsure.io:3128
            - name: NO_PROXY
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
            - name: no_proxy
              value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Promtail

addons:
  promtail:
    values:
      extraEnv:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Promtail documentation

Sonarqube

addons:
  sonarqube:
    values:
      env:
        - name: HTTPS_PROXY
          value: https://proxy.structsure.io:3128
        - name: HTTP_PROXY
          value: https://proxy.structsure.io:3128
        - name: https_proxy
          value: https://proxy.structsure.io:3128
        - name: http_proxy
          value: https://proxy.structsure.io:3128
        - name: NO_PROXY
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        - name: no_proxy
          value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
      # These proxy values are used by Java, seemingly for the upgrade server only
      # sonarProperties:
      #   http.proxyHost: proxy.structsure.io
      #   http.proxyPort: 3128
      #   https.proxyHost: proxy.structsure.io
      #   https.proxyPort: 3128

Sonarqube values.yaml and upstream README

Tempo

addons:
  tempo:
    values:
      tempo:
        extraEnv:
          - name: HTTPS_PROXY
            value: https://proxy.structsure.io:3128
          - name: HTTP_PROXY
            value: https://proxy.structsure.io:3128
          - name: https_proxy
            value: https://proxy.structsure.io:3128
          - name: http_proxy
            value: https://proxy.structsure.io:3128
          - name: NO_PROXY
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          - name: no_proxy
            value: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Tempo documentation

Twistlock

addons:
  twistlock:
    defender:
      proxy:
        address: "https://proxy.structsure.io:3128" # Address and port of the proxy
        ca: "" # CA certificate to trust (optional)

twistlock values.yaml

Vault

addons:
  vault:
    server:
      extraEnvironmentVars:
        HTTPS_PROXY: https://proxy.structsure.io:3128
        HTTP_PROXY: https://proxy.structsure.io:3128
        https_proxy: https://proxy.structsure.io:3128
        http_proxy: https://proxy.structsure.io:3128
        NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
        no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Vault documentation

Velero

Info: Velero currently uses a secret to inject environment variables.

addons:
  velero:
    values:
      credentials:
        extraEnvVars:
          HTTPS_PROXY: https://proxy.structsure.io:3128
          HTTP_PROXY: https://proxy.structsure.io:3128
          https_proxy: https://proxy.structsure.io:3128
          http_proxy: https://proxy.structsure.io:3128
          NO_PROXY: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.
          no_proxy: 127.0.0.1,169.254.169.254,.us-east-1.elb.amazonaws.com,.elb.us-east-1.amazonaws.com,.us-east-1.compute.internal,.local,.svc.

Velero configuration.extraEnvVars values.yaml