Proxy server support for target clusters in PDS
PDS offers the capability to direct outbound communication traffic from target clusters through a proxy server. The inclusion of proxy server support for target clusters provides enhanced security, performance optimization, and greater control over network communication.
Prerequisites
- An operational target cluster.
- Helm chart version 1.21.0 or a more recent release.
- Administrative privileges within PDS.
- Ensure that the target clusters have network access to the proxy server.
- Ensure that the network configuration of the target clusters is compatible with proxy server usage.
- If the proxy server requires authentication, ensure that you have the necessary credentials.
- Ensure that DNS resolution is configured correctly within the target clusters to resolve domain names through the proxy server if necessary.
- If your proxy server uses HTTPS, ensure that the necessary SSL/TLS certificates are configured correctly on the proxy server and that the target clusters trust these certificates.
- In the PDS configuration, specify the details of the proxy server, such as its hostname or IP address, port number, and any authentication credentials if required.
The components within PDS target clusters, such as the PDS Agent, Teleport Agent, External DNS, and Prometheus, often need to communicate with services external to the cluster. This outbound communication from target clusters is facilitated through two types of proxy servers:
- HTTP CONNECT proxy
- MITM (Man-in-the-Middle) or HTTPS proxy
Proxy setup
When configuring either the HTTP CONNECT or MITM proxy modes, you must adjust specific Helm chart values to route outgoing traffic through the proxy server.
HTTP CONNECT proxy setup
For HTTP CONNECT proxy usage, set the global.clientProxyAddress parameter when installing the Helm chart using the following format:
--set global.clientProxyAddress=$PROXY_ADDRESS
MITM proxy setup
When employing MITM or HTTPS proxy, you need to configure both the global.clientProxyAddress and global.tlsConfig.ca parameters during the Helm chart installation. This includes specifying the CA (Certificate Authority) certificates for the proxy server. You can provide the CA certificate name or the absolute file path to the CA certificate, as shown in the following examples:
Using the X.509 certificate chain with a file path
--set global.clientProxyAddress=$PROXY_ADDRESS --set-file global.tlsConfig.ca=<certificate-file-path>
The $PROXY_ADDRESS format should adhere to https://username:password@hostname:port. This format includes the necessary proxy server details, such as authentication credentials, hostname, and port.
By configuring these parameters accurately, you can ensure that outbound traffic from PDS target clusters is efficiently routed through the designated proxy server, enhancing network security and control.