Configure Stork for Proxy Server
Proxy support for Stork using Azure Workload Identity (WLI) in Federated mode is not supported.
This topic explains how to configure Stork in the application cluster to communicate through a network proxy in environments that require it. Depending on your setup, you may use:
- A proxy with authentication or a custom CA
- An unauthenticated proxy without a custom CA
With Portworx
Option 1: Authenticated proxy or custom CA
If your proxy requires a username/password or uses a non-public CA, follow the steps below.
- Create a Kubernetes Secret in the namespace where Stork is deployed, containing your proxy settings and optional CA certificate:

      kubectl create secret generic <your-proxy-secret-name> \
        --from-literal=HTTP_PROXY=<authenticated-proxy-url> \
        --from-literal=HTTPS_PROXY=<authenticated-proxy-url> \
        --from-literal=NO_PROXY="10.0.0.0/8,<internal-domains>,<cluster-ips>" \
        --from-file=CA=/path/to/ca.crt

  Replace <your-proxy-secret-name> with any valid proxy secret name. Replace <authenticated-proxy-url> with your actual proxy URL, typically in the format username:password@host:port. The proxy URL can use either the http or https scheme, depending on your setup.

- Update the StorageCluster with the proxy secret. Reference the secret in the StorageCluster spec for Stork:

      stork:
        enabled: true
        args:
          webhook-controller: "true"
        env:
        - name: http_proxy
          valueFrom:
            secretKeyRef:
              name: <your-proxy-secret-name>
              key: HTTP_PROXY
        - name: https_proxy
          valueFrom:
            secretKeyRef:
              name: <your-proxy-secret-name>
              key: HTTPS_PROXY
        - name: HTTP_PROXY
          valueFrom:
            secretKeyRef:
              name: <your-proxy-secret-name>
              key: HTTP_PROXY
        - name: HTTPS_PROXY
          valueFrom:
            secretKeyRef:
              name: <your-proxy-secret-name>
              key: HTTPS_PROXY
        - name: NO_PROXY
          valueFrom:
            secretKeyRef:
              name: <your-proxy-secret-name>
              key: NO_PROXY
        - name: no_proxy
          valueFrom:
            secretKeyRef:
              name: <your-proxy-secret-name>
              key: NO_PROXY
        - name: SSL_CERT_DIR
          value: /etc/ssl/certs:/etc/ssl/certs/proxy
        image: <your-stork-image>
        volumes:
        - name: proxy-ca-volume
          secret:
            secretName: <your-proxy-secret-name>
            items:
            - key: CA
              path: proxy-ca.pem
            optional: true
            defaultMode: 420
          mountPath: /etc/ssl/certs/proxy
Option 2: Unauthenticated proxy (no custom CA)
If your proxy does not require authentication and uses a public or default-trusted CA, you can configure proxy settings directly without a secret.

Sample StorageCluster configuration:

      stork:
        enabled: true
        args:
          webhook-controller: "true"
        env:
        - name: http_proxy
          value: <proxy-url>
        - name: https_proxy
          value: <proxy-url>
        - name: HTTP_PROXY
          value: <proxy-url>
        - name: HTTPS_PROXY
          value: <proxy-url>
        - name: NO_PROXY
          value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"
        - name: no_proxy
          value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"
        image: <your-stork-image>
If Portworx is deployed in the application cluster (that is, the application cluster contains Portworx volumes), add the Portworx internal services (.portworx, .portworx-api) to the NO_PROXY and no_proxy environment values.
Without Portworx
Option 1: Authenticated proxy or custom CA
If your proxy requires a username/password or uses a non-public CA, follow the steps below.
- Create a Kubernetes Secret in the namespace where Stork is deployed, containing your proxy settings and optional CA certificate:

      kubectl create secret generic <your-proxy-secret-name> \
        --from-literal=HTTP_PROXY=<authenticated-proxy-url> \
        --from-literal=HTTPS_PROXY=<authenticated-proxy-url> \
        --from-literal=NO_PROXY="10.0.0.0/8, <internal-domains>,<cluster-ips>" \
        --from-file=CA=/path/to/ca.crt

  Replace <your-proxy-secret-name> with any meaningful name. Replace <authenticated-proxy-url> with your actual proxy URL, typically in the format username:password@host:port. The proxy URL can use either the http or https scheme, depending on your setup.

- Edit the Stork deployment:

      kubectl edit deployment stork -n <stork-namespace>

- Add the required proxy environment variables:

      env:
      - name: HTTPS_PROXY
        valueFrom:
          secretKeyRef:
            key: HTTPS_PROXY
            name: <your-proxy-secret-name>
      - name: HTTP_PROXY
        valueFrom:
          secretKeyRef:
            key: HTTP_PROXY
            name: <your-proxy-secret-name>
      - name: http_proxy
        valueFrom:
          secretKeyRef:
            key: HTTP_PROXY
            name: <your-proxy-secret-name>
      - name: https_proxy
        valueFrom:
          secretKeyRef:
            key: HTTPS_PROXY
            name: <your-proxy-secret-name>
      - name: no_proxy
        valueFrom:
          secretKeyRef:
            key: NO_PROXY
            name: <your-proxy-secret-name>
      - name: NO_PROXY
        valueFrom:
          secretKeyRef:
            key: NO_PROXY
            name: <your-proxy-secret-name>
      - name: SSL_CERT_DIR
        value: /etc/ssl/certs:/etc/ssl/certs/proxy

- Add the volume mount and volume definition together in the same edit. Ensure volumeMounts is placed inside the container spec and volumes at the pod spec level:

      # Inside the container spec (under containers[].volumeMounts):
      volumeMounts:
      - mountPath: /etc/ssl/certs/proxy
        name: user-proxy-ca-volume
      # At the pod spec level (under spec.volumes):
      volumes:
      - name: user-proxy-ca-volume
        secret:
          defaultMode: 420
          items:
          - key: CA
            path: proxy-ca.pem
          optional: true
          secretName: <your-proxy-secret-name>

  Caution: The volumeMounts field must be nested inside the container spec (spec.template.spec.containers[].volumeMounts), not at the pod spec level. Placing it incorrectly will cause the pod to fail to start or silently not mount the CA certificate.

- Save the changes and wait for the Stork Pods to restart.
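A manifest check for the steps above, added here as an example and not taken from the Portworx documentation: it reads a Deployment (for instance the output of kubectl get deployment stork -n <stork-namespace> -o json) and reports missing proxy variables, proxy credentials left in a literal value, and a CA volume that is not mounted inside the container. The container name stork, the secret name proxy-secret and the sample manifest are assumptions constructed for the example.

```python
import json, sys

PROXY_VARS = ["HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY",
              "http_proxy", "https_proxy", "no_proxy"]
CA_MOUNT = "/etc/ssl/certs/proxy"

def check_stork_proxy(deployment, container="stork"):  # container name is assumed
    """Return a list of problems in a Deployment dict; empty means it passed."""
    pod = deployment["spec"]["template"]["spec"]
    ctr = next((c for c in pod.get("containers", []) if c["name"] == container), None)
    if ctr is None:
        return [f"container {container!r} not found"]
    env = {e["name"]: e for e in ctr.get("env", [])}
    problems = [f"env {v} missing" for v in PROXY_VARS if v not in env]
    for name in PROXY_VARS:
        # Authenticated proxy URLs belong in the Secret, not in a literal value.
        if "@" in env.get(name, {}).get("value", ""):
            problems.append(f"env {name} has inline credentials; use secretKeyRef")
    if CA_MOUNT not in env.get("SSL_CERT_DIR", {}).get("value", "").split(":"):
        problems.append(f"SSL_CERT_DIR does not include {CA_MOUNT}")
    if "volumeMounts" in pod:
        problems.append("volumeMounts at pod spec level; move it into the container")
    mount = next((m for m in ctr.get("volumeMounts", [])
                  if m.get("mountPath") == CA_MOUNT), None)
    if mount is None:
        return problems + [f"no container volumeMount at {CA_MOUNT}"]
    vol = next((v for v in pod.get("volumes", []) if v["name"] == mount["name"]), None)
    if vol is None:
        problems.append(f"volume {mount['name']!r} missing from spec.volumes")
    elif "CA" not in [i.get("key") for i in vol.get("secret", {}).get("items", [])]:
        problems.append("secret volume does not project key CA")
    return problems

def sample(misplaced=False):
    """Constructed Deployment fragment that mirrors the steps above."""
    env = [{"name": v, "valueFrom": {"secretKeyRef": {
        "name": "proxy-secret", "key": v.upper()}}} for v in PROXY_VARS]
    env.append({"name": "SSL_CERT_DIR", "value": "/etc/ssl/certs:" + CA_MOUNT})
    ctr = {"name": "stork", "env": env}
    vol = {"name": "user-proxy-ca-volume", "secret": {
        "secretName": "proxy-secret", "items": [{"key": "CA", "path": "proxy-ca.pem"}]}}
    pod = {"containers": [ctr], "volumes": [vol]}
    mounts = [{"mountPath": CA_MOUNT, "name": "user-proxy-ca-volume"}]
    (pod if misplaced else ctr)["volumeMounts"] = mounts
    return {"spec": {"template": {"spec": pod}}}

if __name__ == "__main__":  # optional argument: path to an exported Deployment JSON
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample(misplaced=True)
    print("\n".join(check_stork_proxy(doc)) or "proxy configuration OK")
```

A live Deployment does not carry a pod-level volumeMounts field, so on exported JSON the misplacement shows up as the missing container mount.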
Option 2: Unauthenticated proxy (no custom CA)
If your proxy does not require authentication and uses a public or default-trusted CA, you can configure proxy settings directly without a secret. Follow the steps below.
- Edit the Stork deployment:

      kubectl edit deployment stork -n <stork-namespace>

- Add the required proxy environment variables:

      env:
      - name: HTTPS_PROXY
        value: <proxy-url>
      - name: HTTP_PROXY
        value: <proxy-url>
      - name: http_proxy
        value: <proxy-url>
      - name: https_proxy
        value: <proxy-url>
      - name: no_proxy
        value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"
      - name: NO_PROXY
        value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"