Support for Proxy Environments in Portworx Backup

Most of the enterprise environments channelize all external communication to pass through a proxy server. To support such configurations, starting from version 2.9.0, PXB allows configuration of proxy settings using Helm values directly or via a Kubernetes Secret, whose name is provided through a Helm parameter

You can deploy and run PXB on any proxy-enabled Kubernetes cluster (PXB cluster) environments, allowing communication with external systems (like object storage, SMTP servers, and container registries) through an HTTP/HTTPS proxy. Also, PXB components and job pods route external communication such as backup uploads, registry access, and SMTP alerts through a designated HTTP/HTTPS proxy. This feature benefits organizations operating in private or secured networks where all outbound traffic must be routed through a centrally managed proxy.

Key capabilities

• Proxy support via Helm configuration: defines proxy settings directly using Helm values when the proxy server does not require authentication or certificate verification.

• Secure proxy support using Kubernetes secrets: enables safe handling of sensitive proxy data like credentials and custom CA certificates.

• Automatic injection of new environment variables: PXB components and job pods are automatically injected with the following standard proxy environment variables:

  • HTTP_PROXY: any outbound HTTP traffic will be routed through this URL (basically, the proxy server).

  • HTTPS_PROXY: any outbound HTTPS traffic will be routed through this URL (basically, the proxy server).

  • NO_PROXY: a list of destination addresses that should bypass the proxy.

  • And lowercase variants

• Automatic appending of default no_proxy values required for PXB communication.

Prerequisite

• Kubernetes cluster behind a corporate HTTP/HTTPS proxy

Supported scenarios

Scenario 1: Proxy without authentication or custom CA

In environments where the PXB cluster (cluster where PXB is deployed) is behind a proxy that does not require authentication or a custom certificate authority (CA), you can configure proxy settings directly through Helm parameters. No Kubernetes secret is needed for this setup.

Helm Configuration Example:

--set proxy.http="http://proxy.example.com", \
      proxy.https="http://proxy.example.com", \
      proxy.httpProxy.noProxy="px-backup.<pxb-namespace>\,<IPs-or-host-names-of-internal-service>\,<Node-CIDR>\,<Service-CIDR>"

Here <pxb-namespace> is the namespace where you want to deploy Portworx Backup or where you have already deployed it. If there are more than one host names or more IPs associated with internal services, you can add multiple values with comma separators and escape it with a slash.

For example, if you have deployed PXB in central namespace the sample command would look like this:

--set proxy.http="http://proxy.example.com", \
      proxy.https="http://proxy.example.com", \
      proxy.httpProxy.noProxy="px-backup.central\,<smtp-host-name>\,<backup-location-host-name>\,xxx.xx.xx.xx" 

By providing values to the following Helm parameters:

• proxy.http

• proxy.https

• proxy.httpProxy.noProxy

Helm automatically injects the necessary proxy-related environment variables into all PXB components and job pods on PXB cluster:

• HTTP_PROXY

• HTTPS_PROXY

• http_proxy

• https_proxy

• NO_PROXY

• no_proxy

note

PXB includes a default list of no_proxy entries essential for internal communication. These defaults will be appended to any values you provide in the NO_PROXY or no_proxy fields. This is handled automatically by the Helm template.

Scenario 2: Proxy with authentication or custom CA

If the user's PXB cluster is behind a proxy that requires authentication or uses a custom certificate authority (CA), sensitive proxy configuration details (such as credentials or CA content) should not be passed directly as Helm parameters. Instead, create a Kubernetes secret to securely store these values, and reference it in the Helm installation. To get started:

1. Create the proxy configuration secret:

   apiVersion: v1
   kind: Secret
   metadata:
     name: proxy-config
   type: Opaque
   stringData:
     HTTP_PROXY: http://<username>:<password>@proxy.example.com
     HTTPS_PROXY: https://<username>:<password>@proxy.example.com
     NO_PROXY: px-backup.<pxb-namespace>,<IPs-or-host-names-of-internal-services>,<Service-CIDR>,<Node-CIDR>
     CA: |
       -----BEGIN CERTIFICATE-----
       <base-64-encoded-alphanumeric-certificate-key>
       -----END CERTIFICATE-----

   Example:

   apiVersion: v1
   kind: Secret
   metadata:
     name: proxy-config
   type: Opaque
   stringData:
     HTTP_PROXY: http://<username>:<password>@proxy.example.com
     HTTPS_PROXY: https://<username>:<password>@proxy.example.com
     NO_PROXY: px-backup.central,<smtp-host-name>,<backup-location-host-name>,xxx.xx.xx.xx
     CA: |
       -----BEGIN CERTIFICATE-----
       <base-64-encoded-alphanumeric-certificate-key>
       -----END CERTIFICATE-----

2. Pass the secret name to Helm during install or upgrade with the following parameter:

   --set proxy.configSecretName="<config-secret-name>"

note

• Ensure that the API server endpoint of the application cluster is added to the no_proxy list during the px-backup deployment if the cluster is part of the internal network.

• A default list of no_proxy entries required by PXB is automatically appended to any user-provided values in NO_PROXY or no_proxy. PXB handles this with a pre-install/upgrade job.

• If both proxy.http/proxy.https Helm parameters and proxy.configSecretName are set, the Helm parameters take precedence over the Kubernetes secret.

Sample values.yaml

Case 1: Without custom certification/authentication

proxy:
  azureProxyEnabled: false
  excludeAzureProxyList: []
  includeNoProxyList: []
  httpProxy:
    noProxy: "px-backup.central,localhost,xxx.0.0.1,.svc,.cluster.local"
  http: http://proxy.example.com
  https: https://proxy.example.com

Case 2: With custom certification/authentication

proxy:
 configSecretName: "proxy-config"

Error handling

• If the specified secret does not exist, the PXB install or upgrade process fails

• If proxy settings are misconfigured, PXB components may fail to connect to external services

• PXB ensures default no_proxy values are always appended to the given no_proxy list.

FAQs

Q: Can I use both Helm parameters and a proxy secret?
A: No, use anyone of the scenarios based on your proxy server

Q: Does this feature support proxy servers that use custom certificates?
A: Yes, this feature supports proxy servers configured with custom certificates.

Related Topics

• Install Portworx Backup

• Upgrade Portworx Backup

• Kubernetes Secrets Overview

• Configure Stork for Proxy Server