Version: 2.11

Configure Stork for Proxy Server

This topic explains how to configure Stork in the application cluster to communicate through a network proxy in environments that require it. Depending on your setup, you may use:

  • A proxy with authentication or a custom CA

  • An unauthenticated proxy without a custom CA

With Portworx

Option 1: Authenticated Proxy or Custom CA

If your proxy requires a username/password or uses a non-public CA, follow the steps below.

  1. Create a Kubernetes Secret in the namespace where Stork is deployed, containing your proxy settings and an optional CA certificate:

    kubectl create secret generic <your-proxy-secret-name> \
    --from-literal=HTTP_PROXY=<authenticated-proxy-url> \
    --from-literal=HTTPS_PROXY=<authenticated-proxy-url> \
    --from-literal=NO_PROXY="10.0.0.0/8,<internal-domains>,<cluster-ips>" \
    --from-file=CA=/path/to/ca.crt

    Replace <your-proxy-secret-name> with any valid proxy secret name. Replace <authenticated-proxy-url> with your actual proxy URL, typically in the format username:password@host:port. The proxy URL can use either the http or https scheme, depending on your setup.

  2. Update the StorageCluster with the proxy secret by referencing it in the StorageCluster spec for Stork:

    stork:
      enabled: true
      args:
        webhook-controller: "true"
      env:
      - name: http_proxy
        valueFrom:
          secretKeyRef:
            name: <your-proxy-secret-name>
            key: HTTP_PROXY
      - name: https_proxy
        valueFrom:
          secretKeyRef:
            name: <your-proxy-secret-name>
            key: HTTPS_PROXY
      - name: HTTP_PROXY
        valueFrom:
          secretKeyRef:
            name: <your-proxy-secret-name>
            key: HTTP_PROXY
      - name: HTTPS_PROXY
        valueFrom:
          secretKeyRef:
            name: <your-proxy-secret-name>
            key: HTTPS_PROXY
      - name: NO_PROXY
        valueFrom:
          secretKeyRef:
            name: <your-proxy-secret-name>
            key: NO_PROXY
      - name: no_proxy
        valueFrom:
          secretKeyRef:
            name: <your-proxy-secret-name>
            key: NO_PROXY
      - name: SSL_CERT_DIR
        value: /etc/ssl/certs:/etc/ssl/certs/proxy
      image: <your-stork-image>
      volumes:
      - name: proxy-ca-volume
        secret:
          secretName: <your-proxy-secret-name>
          items:
          - key: CA
            path: proxy-ca.pem
          optional: true
          defaultMode: 420
        mountPath: /etc/ssl/certs/proxy

Option 2: Unauthenticated Proxy (No Custom CA)

  • If your proxy does not require authentication and uses a public or default-trusted CA, you can configure proxy settings directly without a secret.

    Sample StorageCluster Configuration:

    stork:
      enabled: true
      args:
        webhook-controller: "true"
      env:
      - name: http_proxy
        value: <proxy-url>
      - name: https_proxy
        value: <proxy-url>
      - name: HTTP_PROXY
        value: <proxy-url>
      - name: HTTPS_PROXY
        value: <proxy-url>
      - name: NO_PROXY
        value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"
      - name: no_proxy
        value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"
      image: <your-stork-image>

Note: If Portworx is deployed in the application cluster (that is, the application cluster contains Portworx volumes), you need to add the Portworx internal services (.portworx, .portworx-api) to the NO_PROXY/no_proxy environment values.

Without Portworx

Option 1: Authenticated Proxy or Custom CA

If your proxy requires a username/password or uses a non-public CA, follow the steps below.

  1. Create a Kubernetes Secret in the namespace where Stork is deployed, containing your proxy settings and an optional CA certificate:

    kubectl create secret generic <your-proxy-secret-name> \
    --from-literal=HTTP_PROXY=<authenticated-proxy-url> \
    --from-literal=HTTPS_PROXY=<authenticated-proxy-url> \
    --from-literal=NO_PROXY="10.0.0.0/8,<internal-domains>,<cluster-ips>" \
    --from-file=CA=/path/to/ca.crt

    Replace <your-proxy-secret-name> with any meaningful name. Replace <authenticated-proxy-url> with your actual proxy URL, typically in the format username:password@host:port. The proxy URL can use either the http or https scheme, depending on your setup.

  2. Edit the Stork deployment:

    kubectl edit deployment stork -n <stork-namespace>
  3. Add the required proxy environment variables:

    env:
    - name: HTTPS_PROXY
      valueFrom:
        secretKeyRef:
          key: HTTPS_PROXY
          name: <your-proxy-secret-name>
    - name: HTTP_PROXY
      valueFrom:
        secretKeyRef:
          key: HTTP_PROXY
          name: <your-proxy-secret-name>
    - name: http_proxy
      valueFrom:
        secretKeyRef:
          key: HTTP_PROXY
          name: <your-proxy-secret-name>
    - name: https_proxy
      valueFrom:
        secretKeyRef:
          key: HTTPS_PROXY
          name: <your-proxy-secret-name>
    - name: no_proxy
      valueFrom:
        secretKeyRef:
          key: NO_PROXY
          name: <your-proxy-secret-name>
    - name: NO_PROXY
      valueFrom:
        secretKeyRef:
          key: NO_PROXY
          name: <your-proxy-secret-name>
    - name: SSL_CERT_DIR
      value: /etc/ssl/certs:/etc/ssl/certs/proxy
  4. Add the volume mount and volume definition together in the same edit. Ensure volumeMounts is placed inside the container spec and volumes at the pod spec level:

    # Inside the container spec (under containers[].volumeMounts):
    volumeMounts:
    - mountPath: /etc/ssl/certs/proxy
      name: user-proxy-ca-volume

    # At the pod spec level (under spec.volumes):
    volumes:
    - name: user-proxy-ca-volume
      secret:
        defaultMode: 420
        items:
        - key: CA
          path: proxy-ca.pem
        optional: true
        secretName: <your-proxy-secret-name>

    Caution: The volumeMounts field must be nested inside the container spec (spec.template.spec.containers[].volumeMounts), not at the pod spec level. Placing it incorrectly will cause the pod to fail to start or silently not mount the CA certificate.

  5. Save the changes and wait for the Stork pods to restart.
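
To check the wiring described in steps 3 and 4, the following added example (not part of the Portworx documentation) audits a Stork Deployment manifest loaded as a dict, for instance from the JSON output of `kubectl get deployment stork -n <stork-namespace> -o json`. It flags a misplaced volumeMounts field, a CA mount that no secret volume backs, an SSL_CERT_DIR that omits the mount path, and proxy credentials set as a literal value instead of a secretKeyRef. The sample manifests, secret name and proxy URL are constructed for illustration.

```python
from urllib.parse import urlsplit

PROXY_VARS = {"http_proxy", "https_proxy"}
CA_MOUNT = "/etc/ssl/certs/proxy"  # mount path used on this page

def audit_stork_proxy(deploy, mount_path=CA_MOUNT):
    """Return findings for a Stork Deployment manifest given as a dict."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    if "volumeMounts" in pod:
        findings.append("volumeMounts is at pod spec level; move it into containers[]")
    secret_vols = {v["name"] for v in pod.get("volumes", []) if "secret" in v}
    for c in pod.get("containers", []):
        env = {e["name"]: e for e in c.get("env", [])}
        for name, e in env.items():
            if name.lower() in PROXY_VARS and "value" in e:
                # Literal value: flag it when the URL carries user:password.
                url = e["value"] if "://" in e["value"] else "http://" + e["value"]
                if urlsplit(url).password:
                    findings.append(f"{c['name']}: {name} embeds credentials; use secretKeyRef")
        mounts = [m for m in c.get("volumeMounts", []) if m.get("mountPath") == mount_path]
        if not mounts:
            findings.append(f"{c['name']}: no volumeMount at {mount_path}")
        elif mounts[0]["name"] not in secret_vols:
            findings.append(f"{c['name']}: mount {mounts[0]['name']} is not backed by a secret volume")
        cert_dirs = env.get("SSL_CERT_DIR", {}).get("value", "").split(":")
        if mount_path not in cert_dirs:
            findings.append(f"{c['name']}: SSL_CERT_DIR does not include {mount_path}")
    return findings

# Constructed sample manifests (hypothetical secret name and proxy URL).
def _deploy(env, container_extra, pod_extra):
    container = {"name": "stork", "env": env, **container_extra}
    return {"spec": {"template": {"spec": {"containers": [container], **pod_extra}}}}

REF = {"valueFrom": {"secretKeyRef": {"name": "proxy-secret", "key": "HTTPS_PROXY"}}}
CERT = {"name": "SSL_CERT_DIR", "value": "/etc/ssl/certs:" + CA_MOUNT}
MOUNT = {"volumeMounts": [{"name": "user-proxy-ca-volume", "mountPath": CA_MOUNT}]}
VOLS = {"volumes": [{"name": "user-proxy-ca-volume", "secret": {"secretName": "proxy-secret"}}]}
GOOD = _deploy([{"name": "HTTPS_PROXY", **REF}, CERT], MOUNT, VOLS)
# BAD: credentials in a literal value, and volumeMounts placed at pod level.
BAD = _deploy([{"name": "HTTPS_PROXY", "value": "http://user:pw@proxy.example:3128"}, CERT],
              {}, {**MOUNT, **VOLS})

if __name__ == "__main__":
    for label, manifest in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_stork_proxy(manifest) or "ok")
```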

Option 2: Unauthenticated Proxy (No Custom CA)

If your proxy does not require authentication and uses a public or default-trusted CA, you can configure proxy settings directly without a secret. Follow the steps below.

  1. Edit the Stork deployment:

    kubectl edit deployment stork -n <stork-namespace>
  2. Add the required proxy environment variables:

    env:
    - name: HTTPS_PROXY
      value: <proxy-url>
    - name: HTTP_PROXY
      value: <proxy-url>
    - name: http_proxy
      value: <proxy-url>
    - name: https_proxy
      value: <proxy-url>
    - name: no_proxy
      value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"
    - name: NO_PROXY
      value: "10.0.0.0/8,<internal-domains>,<cluster-ips>"
