Version: 2.9

Support for Proxy Environments in Portworx Backup

Most enterprise environments route all external communication through a proxy server. To support such configurations, starting with version 2.9.0, PXB lets you configure proxy settings either directly through Helm values or through a Kubernetes Secret whose name is passed as a Helm parameter.

You can deploy and run PXB on any proxy-enabled Kubernetes cluster (the PXB cluster), allowing communication with external systems (such as object storage, SMTP servers, and container registries) through an HTTP/HTTPS proxy. PXB components and job pods route external communication such as backup uploads, registry access, and SMTP alerts through the designated HTTP/HTTPS proxy. This feature benefits organizations operating in private or secured networks where all outbound traffic must be routed through a centrally managed proxy.

Key capabilities

  • Proxy support via Helm configuration: defines proxy settings directly using Helm values when the proxy server does not require authentication or certificate verification.

  • Secure proxy support using Kubernetes secrets: enables safe handling of sensitive proxy data like credentials and custom CA certificates.

  • Automatic injection of new environment variables: PXB components and job pods are automatically injected with the following standard proxy environment variables:

    • HTTP_PROXY: the URL of the proxy server through which outbound HTTP traffic is routed.

    • HTTPS_PROXY: the URL of the proxy server through which outbound HTTPS traffic is routed.

    • NO_PROXY: a list of destination addresses that should bypass the proxy.

    • The lowercase variants of these variables (http_proxy, https_proxy, no_proxy).

  • Automatic appending of default no_proxy values required for PXB communication.

Prerequisite

  • Kubernetes cluster behind a corporate HTTP/HTTPS proxy

Supported scenarios

Scenario 1: Proxy without authentication or custom CA

In environments where the PXB cluster (cluster where PXB is deployed) is behind a proxy that does not require authentication or a custom certificate authority (CA), you can configure proxy settings directly through Helm parameters. No Kubernetes secret is needed for this setup.

Helm Configuration Example:

--set proxy.http="http://proxy.example.com" \
--set proxy.https="http://proxy.example.com" \
--set proxy.httpProxy.noProxy="abc.com\,bl.com\,xxx.x.x.x"

By providing values to the following Helm parameters:

  • proxy.http

  • proxy.https

  • proxy.httpProxy.noProxy

Helm automatically injects the necessary proxy-related environment variables into all PXB components and job pods on PXB cluster:

  • HTTP_PROXY

  • HTTPS_PROXY

  • http_proxy

  • https_proxy

  • NO_PROXY

  • no_proxy

note

PXB includes a default list of no_proxy entries essential for internal communication. These defaults will be appended to any values you provide in the NO_PROXY or no_proxy fields. This is handled automatically by the Helm template.

Scenario 2: Proxy with authentication or custom CA

If the user's PXB cluster is behind a proxy that requires authentication or uses a custom certificate authority (CA), sensitive proxy configuration details (such as credentials or CA content) should not be passed directly as Helm parameters. Instead, create a Kubernetes secret to securely store these values, and reference it in the Helm installation. To get started:

  1. Create the proxy configuration secret:

    apiVersion: v1
    kind: Secret
    metadata:
      name: proxy-config
    type: Opaque
    stringData:
      HTTP_PROXY: http://<username>:<password>@proxy.example.com
      HTTPS_PROXY: https://<username>:<password>@proxy.example.com
      NO_PROXY: localhost,127.0.0.1,.svc,.cluster.local
      CA: |
        -----BEGIN CERTIFICATE-----
        <base-64-encoded-alphanumeric-certificate-key>
        -----END CERTIFICATE-----

  2. Pass the secret name to Helm during install or upgrade with the following parameter:

    --set proxy.configSecretName="<config-secret-name>"

note

  • Ensure that the API server endpoint of the application cluster is added to the no_proxy list during the px-backup deployment if the cluster is part of the internal network.

  • A default list of no_proxy entries required by PXB is automatically appended to any user-provided values in NO_PROXY or no_proxy. PXB handles this with a pre-install/upgrade job.

  • If both proxy.http/proxy.https Helm parameters and proxy.configSecretName are set, the Helm parameters take precedence over the Kubernetes secret.
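
A pre-install check for the two scenarios above, as an added example that is not part of the Portworx documentation or the PXB chart: it flags credentials placed in Helm values, a Secret that the Helm parameters would override, a CA field that is not PEM, and an application-cluster API server missing from the user-supplied no_proxy list. The function names, the sample host `api.apps.corp.example`, and the simplified no_proxy matching are assumptions; the default entries that PXB appends are not modelled.

```python
import base64
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")
# Constructed sample: the Secret template applied with its CA placeholder left in.
SAMPLE_SECRET = {
    "NO_PROXY": "localhost,127.0.0.1,.svc,.cluster.local",
    "CA": "-----BEGIN CERTIFICATE-----\n"
          "<base-64-encoded-alphanumeric-certificate-key>\n-----END CERTIFICATE-----\n",
}

def has_credentials(url):
    """True if a proxy URL embeds userinfo (user:password@host)."""
    parts = urlsplit(url or "")
    return bool(parts.username or parts.password)

def valid_pem(text):
    """Structural check only: PEM markers around a decodable base64 body."""
    m = PEM_RE.search(text or "")
    body = "".join(m.group(1).split()) if m else ""
    try:
        return bool(body and base64.b64decode(body, validate=True))
    except ValueError:
        return False

def bypasses_proxy(host, no_proxy):
    """Assumed matching: exact host, or suffix match for entries starting with '.'."""
    entries = [e.strip().lower() for e in (no_proxy or "").split(",")]
    host = host.lower()
    return any(e and (host == e or (e[0] == "." and host.endswith(e))) for e in entries)

def preflight(proxy, secret=None, app_api_host=None):
    """proxy: the `proxy:` block of values.yaml; secret: stringData of the Secret."""
    findings, secret = [], secret or {}
    helm_urls = [proxy.get("http"), proxy.get("https")]
    if any(has_credentials(u) for u in helm_urls):
        findings.append("credentials in Helm values; store them in the Secret")
    if any(helm_urls) and proxy.get("configSecretName"):
        findings.append("Helm proxy.http/https take precedence over the Secret")
    if "CA" in secret and not valid_pem(secret["CA"]):
        findings.append("CA is not a PEM certificate")
    use_helm = any(helm_urls)  # Helm parameters win when both are set
    no_proxy = (proxy.get("httpProxy") or {}).get("noProxy") if use_helm else secret.get("NO_PROXY")
    if app_api_host and not bypasses_proxy(app_api_host, no_proxy):
        findings.append(app_api_host + " is not in no_proxy")
    return findings

if __name__ == "__main__":
    print(preflight({"configSecretName": "proxy-config"}, SAMPLE_SECRET, "api.apps.corp.example"))
```

Pass `app_api_host` only when the application cluster is on the internal network, which is the case the note above covers.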

Sample values.yaml

Case 1: Without a custom CA certificate or authentication

proxy:
  azureProxyEnabled: false
  excludeAzureProxyList: []
  includeNoProxyList: []
  httpProxy:
    noProxy: "localhost,xxx.0.0.1,.svc,.cluster.local"
  http: http://proxy.example.com
  https: https://proxy.example.com

Case 2: With a custom CA certificate or authentication

proxy:
  configSecretName: "proxy-config"

Error handling

  • If the specified secret does not exist, the PXB install or upgrade process fails.

  • If proxy settings are misconfigured, PXB components may fail to connect to external services.

  • PXB ensures default no_proxy values are always appended to the given no_proxy list.

FAQs

Q: Can I use both Helm parameters and a proxy secret?
A: No. Use one of the two scenarios, depending on your proxy server.

Q: Does this feature support proxy servers that use custom certificates?
A: Yes, this feature supports proxy servers configured with custom certificates.