HTTP Proxy
Production or corporate environments can deny direct access to the Internet, and mandate that egress traffic go through an HTTP or HTTPS proxy.
The Camel K operator can be configured to route egress traffic to this proxy, by setting the usual HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables on the operator Deployment.
This can be achieved with the Kamel CLI, at installation time, e.g.:
$ kamel install --operator-env-vars=HTTP_PROXY=http://proxy
Alternatively, the operator Deployment can be amended with the kubectl CLI, e.g.:
$ kubectl set env deployment camel-k-operator HTTP_PROXY=http://proxy
The HTTP_PROXY and HTTPS_PROXY environment variable values expect URLs following the http://[<username>[:<pswd>]@]<host>[:<port>] format, e.g.:
HTTP_PROXY=http://proxy.corp.tld
Maven currently does not support connecting to an HTTP proxy via TLS. For this reason, the scheme of the HTTPS_PROXY value is restricted to http.
The NO_PROXY environment variable value expects a comma-separated list of destination domain names, domain suffixes, IP addresses or other network CIDRs, e.g.:
NO_PROXY=.cluster.local,.svc,10.0.0.0/16,127.0.0.1,localhost
By default, all egress traffic, generated by all the workloads and processes managed by the Camel K operator, will be proxied. This encompasses:
- Communicating with the Kubernetes API server
- Downloading Maven artifacts from repositories
- Pulling base images from container registries
- Pushing images to the configured container registry
For this reason, services that the operator requires access to should be reviewed, and it must be determined whether any of them must bypass the proxy.
This particularly applies to internal services, hosted within the cluster, whose internal domain names or IP addresses should be added to the NO_PROXY environment variable.
Typically, the NO_PROXY variable should be populated with the internal domain suffixes, as well as the cluster network CIDRs, e.g.:
NO_PROXY=.cluster.local,.svc,10.0.0.0/16,127.0.0.1,172.17.0.0/18,172.21.0.0/16,localhost
As the Camel K operator communicates with the Kubernetes API, the cluster IPs of the Kubernetes Service must at least be specified in NO_PROXY, anytime an HTTP proxy is configured.
By default, the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are also propagated to the integrations.
This behavior can be deactivated, by using the http-proxy parameter of the environment trait, e.g.:
$ kamel run -t environment.http-proxy=false
Alternatively, it can be disabled globally, by editing the IntegrationPlatform resources, e.g.:
apiVersion: camel.apache.org/v1
kind: IntegrationPlatform
metadata:
  name: camel-k
spec:
  traits:
    environment:
      configuration:
        httpProxy: false # (1)
(1) Deactivates the propagation of HTTP proxy environment variables at the platform level
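A pre-flight check for the values described above, as an added example that is not part of the Camel K documentation or code base: it verifies the http scheme, flags a password embedded in the proxy URL, and confirms that NO_PROXY covers the Kubernetes API Service IP. The matching rules in bypasses_proxy are a simplified assumption (real clients differ in detail), and the function names, the sample credentials and the 172.21.0.1 address are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def bypasses_proxy(host, no_proxy):
    """True if host matches an entry of a comma-separated NO_PROXY value.
    Simplified model (assumption): IPs match an equal IP or a containing CIDR,
    names match an equal name or a leading-dot suffix such as ".svc".
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in filter(None, (e.strip().lower() for e in no_proxy.split(","))):
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a name, so it cannot match an IP destination
        elif host.lower() == entry or (entry[0] == "." and host.lower().endswith(entry)):
            return True
    return False


def check_proxy_env(env, api_server_ip):
    """Return findings for the proxy variables set on the operator Deployment."""
    findings = []
    proxies = {n: env[n] for n in ("HTTP_PROXY", "HTTPS_PROXY") if env.get(n)}
    for name, value in proxies.items():
        url = urlsplit(value)
        if url.scheme != "http" or not url.hostname:
            findings.append(f"{name}: expected http://<host>[:<port>]")
        if url.password is not None:
            findings.append(f"{name}: embedded password is readable on the "
                            "Deployment and propagated to integrations by default")
    if proxies and not bypasses_proxy(api_server_ip, env.get("NO_PROXY", "")):
        findings.append(f"NO_PROXY: does not cover Kubernetes API {api_server_ip}")
    return findings


# Constructed sample values, not taken from a real cluster.
SAMPLE = {
    "HTTP_PROXY": "http://svc-user:example-pass@proxy.corp.tld:3128",
    "HTTPS_PROXY": "https://proxy.corp.tld:3128",
    "NO_PROXY": ".cluster.local,.svc,127.0.0.1,localhost",
}
if __name__ == "__main__":
    print("\n".join(check_proxy_env(SAMPLE, "172.21.0.1")))
```

The env argument is a plain mapping, so the same check can be run against the variables read back from the operator Deployment before and after a change.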
OpenShift
On OpenShift 4, a cluster-wide egress proxy can be configured by editing the cluster Proxy resource:
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  httpProxy: http://<username>:<pswd>@<ip>:<port>
Operator Lifecycle Manager (OLM) sources the status of this cluster Proxy to automatically populate the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables on the operator Deployment resources it manages.
These cluster-wide proxy settings can be overwritten, specifically for the Camel K operator if necessary, by editing the corresponding Subscription resource, e.g.:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: camel-k
  namespace: openshift-operators
spec:
  config:
    env:
    - name: HTTP_PROXY
      value: ""
    - name: NO_PROXY
      value: ""