Support for Proxy Environments in Portworx Backup
Most enterprise environments route all external communication through a proxy server. To support such configurations, starting from version 2.9.0, PXB allows you to configure proxy settings either directly through Helm values or through a Kubernetes Secret whose name is provided through a Helm parameter.
You can deploy and run PXB on any proxy-enabled Kubernetes cluster (the PXB cluster) and communicate with external systems (such as object storage, SMTP servers, and container registries) through an HTTP/HTTPS proxy. PXB components and job pods route external communication such as backup uploads, registry access, and SMTP alerts through the designated HTTP/HTTPS proxy. This feature benefits organizations operating in private or secured networks where all outbound traffic must be routed through a centrally managed proxy.
Key capabilities
- Proxy support via Helm configuration: defines proxy settings directly using Helm values when the proxy server does not require authentication or certificate verification.
- Secure proxy support using Kubernetes secrets: enables safe handling of sensitive proxy data like credentials and custom CA certificates.
- Automatic injection of new environment variables: PXB components and job pods are automatically injected with the following standard proxy environment variables:
  - HTTP_PROXY: any outbound HTTP traffic is routed through this URL (the proxy server).
  - HTTPS_PROXY: any outbound HTTPS traffic is routed through this URL (the proxy server).
  - NO_PROXY: a list of destination addresses that should bypass the proxy.
  - And lowercase variants
- Automatic appending of default no_proxy values required for PXB communication.
Prerequisite
- Kubernetes cluster behind a corporate HTTP/HTTPS proxy
Supported scenarios
Scenario 1: Proxy without authentication or custom CA
In environments where the PXB cluster (cluster where PXB is deployed) is behind a proxy that does not require authentication or a custom certificate authority (CA), you can configure proxy settings directly through Helm parameters. No Kubernetes secret is needed for this setup.
Helm Configuration Example:
--set proxy.http="http://proxy.example.com" \
--set proxy.https="http://proxy.example.com" \
--set proxy.httpProxy.noProxy="px-backup.<pxb-deployed-namespace>\,<IPs-or-host-names-of-internal-service>\,<Node-CIDR>\,<Service-CIDR>"
Here <pxb-deployed-namespace> is the namespace where you want to deploy Portworx Backup or where you have already deployed it. If more than one host name or IP address is associated with internal services, add multiple values separated by commas and escape each comma with a backslash (\,).
For example, if you have deployed PXB in the central namespace, the sample command would look like this:
--set proxy.http="http://proxy.example.com" \
--set proxy.https="http://proxy.example.com" \
--set proxy.httpProxy.noProxy="px-backup.central\,<smtp-host-name>\,<backup-location-host-name>\,xxx.xx.xx.xx"
When you provide values for the following Helm parameters:
- proxy.http
- proxy.https
- proxy.httpProxy.noProxy
Helm automatically injects the necessary proxy-related environment variables into all PXB components and job pods on the PXB cluster:
- HTTP_PROXY
- HTTPS_PROXY
- http_proxy
- https_proxy
- NO_PROXY
- no_proxy
PXB includes a default list of no_proxy entries essential for internal communication. These defaults are appended to any values you provide in the NO_PROXY or no_proxy fields. This is handled automatically by the Helm template.
Scenario 2: Proxy with authentication or custom CA
If the user's PXB cluster is behind a proxy that requires authentication or uses a custom certificate authority (CA), sensitive proxy configuration details (such as credentials or CA content) should not be passed directly as Helm parameters. Instead, create a Kubernetes secret to securely store these values, and reference it in the Helm installation. To get started:
- Create the proxy configuration secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: proxy-config
    type: Opaque
    stringData:
      HTTP_PROXY: http://<username>:<password>@proxy.example.com
      HTTPS_PROXY: https://<username>:<password>@proxy.example.com
      NO_PROXY: px-backup.<pxb-deployed-namespace>,<IPs-or-host-names-of-internal-services>,<Service-CIDR>,<Node-CIDR>
      CA: |
        -----BEGIN CERTIFICATE-----
        <base-64-encoded-alphanumeric-certificate-key>
        -----END CERTIFICATE-----

  Example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: proxy-config
    type: Opaque
    stringData:
      HTTP_PROXY: http://<username>:<password>@proxy.example.com
      HTTPS_PROXY: https://<username>:<password>@proxy.example.com
      NO_PROXY: px-backup.central,<smtp-host-name>,<backup-location-host-name>,xxx.xx.xx.xx
      CA: |
        -----BEGIN CERTIFICATE-----
        <base-64-encoded-alphanumeric-certificate-key>
        -----END CERTIFICATE-----

- Pass the secret name to Helm during install or upgrade with the following parameter:

    --set proxy.configSecretName="<config-secret-name>"

- Ensure that the API server endpoint of the application cluster is added to the no_proxy list during the px-backup deployment if the cluster is part of the internal network.
- A default list of no_proxy entries required by PXB is automatically appended to any user-provided values in NO_PROXY or no_proxy. PXB handles this with a pre-install/upgrade job.
- If both the proxy.http/proxy.https Helm parameters and proxy.configSecretName are set, the Helm parameters take precedence over the Kubernetes secret.
Sample values.yaml
Case 1: Without custom certification/authentication
proxy:
  azureProxyEnabled: false
  excludeAzureProxyList: []
  includeNoProxyList: []
  httpProxy:
    noProxy: "px-backup.central,localhost,xxx.0.0.1,.svc,.cluster.local"
  http: http://proxy.example.com
  https: https://proxy.example.com
Case 2: With custom certification/authentication
proxy:
  configSecretName: "proxy-config"
Error handling
- If the specified secret does not exist, the PXB install or upgrade process fails.
- If proxy settings are misconfigured, PXB components may fail to connect to external services.
- PXB ensures default no_proxy values are always appended to the given no_proxy list.
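A pre-deployment check for the NO_PROXY guidance above (internal services and the application cluster's API server endpoint must bypass the proxy), added here as an example and not part of Portworx Backup or its Helm chart. The matching rules are an assumption modelled on common HTTP client behaviour (exact host, domain suffix, IP or CIDR, "*"); individual clients can differ, and all host names and address ranges are constructed sample values.

```python
import ipaddress

def parse_no_proxy(value):
    """Split a NO_PROXY string into trimmed, lowercased, non-empty entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]

def bypasses_proxy(host, no_proxy):
    """Return True if host (DNS name or IP literal) matches a NO_PROXY entry.

    Assumed rules: "*" matches everything; IP and CIDR entries match IP
    literals; "name" matches itself and its subdomains; ".name" matches
    subdomains only.
    """
    host = host.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in parse_no_proxy(no_proxy):
        if entry == "*":
            return True
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # hostname entry: cannot match an IP literal
        elif entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry or host.endswith("." + entry):
            return True
    return False

def proxied_internal_endpoints(no_proxy, internal_hosts):
    """Return the internal hosts that would still be sent to the proxy."""
    return [h for h in internal_hosts if not bypasses_proxy(h, no_proxy)]

# Constructed sample values, not taken from a real deployment.
SAMPLE_NO_PROXY = ("px-backup.central,localhost,.svc,.cluster.local,"
                   "10.96.0.0/12,192.168.10.0/24")
SAMPLE_INTERNAL = ["px-backup.central", "10.96.0.1", "192.168.10.20",
                   "api.app-cluster.corp.example", "smtp.corp.example"]

if __name__ == "__main__":
    for host in proxied_internal_endpoints(SAMPLE_NO_PROXY, SAMPLE_INTERNAL):
        print("missing from NO_PROXY:", host)
```

Any host the check reports would have its traffic, including credentials sent to an internal SMTP server or API server, handed to the proxy, so add it to the NO_PROXY value before install or upgrade.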
FAQs
Q: Can I use both Helm parameters and a proxy secret?
A: No. Use one of the scenarios, based on your proxy server.
Q: Does this feature support proxy servers that use custom certificates?
A: Yes, this feature supports proxy servers configured with custom certificates.