Running kubeapps on a cluster behind proxy that requires to configure proxy certificate #2139

Closed
h-uchida-n opened this issue Nov 4, 2020 · 5 comments

Comments

@h-uchida-n

I'd like to use kubeapps on a k8s cluster behind a proxy and to refer to helm repositories on the internet (like https://charts.bitnami.com/bitnami).
Regarding the proxy, the proxy certificate should be installed/configured to use it.

How should we configure kubeapps?

I've tried the following configuration, but it didn't work.

  • Each cluster node has already installed the proxy certificate and configured the http_proxy environment.
  • Proxy configuration on the web console was done (as follows).
      containers:
        - env:
            - name: https_proxy
              value: '<proxy url>'
            - name: http_proxy
              value: '<proxy url>'
    
@andresmgot
Contributor

hi @h-uchida-n,

It's not clear to me if you have modified the AppRepository syncJobPodTemplate as explained here:

https://kubeapps.com/docs/private-app-repository/#modifying-the-synchronization-job

If you do so, you will be able to set up the http_proxy and https_proxy env variables:

spec:
  containers:
    - env:
        - name: https_proxy
          value: '<proxy url>'
        - name: http_proxy
          value: '<proxy url>'

Can you confirm if that works for you?

@h-uchida-n
Author

Hi @andresmgot, thank you for your reply.

My previous post did not explain my environment well, so I'll try again below:

  • The cluster on which kubeapps is installed is built in a private LAN.
  • All resources (servers / containers) should communicate with the internet via a proxy.
  • The following steps are required to use the proxy (example for Ubuntu).
    1. # cp <ProxyServerCertificate.crt> /usr/share/ca-certificates
      <ProxyServerCertificate.crt> is provided by the proxy server.
    2. # sh -c "echo 'ZscalerRootCertificate.crt' >> /etc/ca-certificates.conf"
      This adds the file path to /etc/ca-certificates.conf.
    3. # update-ca-certificates

So I guess that the above steps are required to use kubeapps in my environment.
Is there any way to do it with configuration (without modifying the kubeapps container myself)?


I tried the following steps, but it showed an error.

  1. $ kubectl apply -f apprepo_bitnami.yaml

    apiVersion: kubeapps.com/v1alpha1
    kind: AppRepository
    metadata:
      name: bitnami2
      namespace: catalog-svc
    spec:
      syncJobPodTemplate:
        spec:
          containers:
            - env:
                - name: https_proxy
                  value: '<proxy url>'
                - name: http_proxy
                  value: '<proxy url>'
      url: https://charts.bitnami.com/bitnami/index.yaml
    
  2. $ kubectl logs -n catalog-svc apprepo-catalog-svc-sync-bitnami2-59fmg-g6b22

    time="2020-11-05T10:42:09Z" level=error msg="error requesting repo index" error="Get https://charts.bitnami.com/bitnami/index.yaml/index.yaml: x509: certificate signed by unknown authority" url="https://charts.bitnami.com/bitnami/index.yaml/index.yaml"
    time="2020-11-05T10:42:09Z" level=fatal msg="Get https://charts.bitnami.com/bitnami/index.yaml/index.yaml: x509: certificate signed by unknown authority"
    

@andresmgot
Contributor

andresmgot commented Nov 5, 2020

> So I guess that the above steps are required to use kubeapps in my environment.
> Is there any way to do it with configuration (without modifying the kubeapps container myself)?

Got it, yes, you can configure the AppRepository with a custom CA. In your case, you would need to paste the content of ProxyServerCertificate.crt in that field:

[Screenshot from 2020-11-05 10-01-42]

It's easier if you use the UI to create the AppRepository since it will automatically create the required secret with the crt content and configure everything. It will fail to validate the repo since the validation step doesn't use the http_proxy configuration but you can ignore the validation error. If you want to do it manually, you need to create the secret with that file manually and link it in the AppRepository specification.

> url: https://charts.bitnami.com/bitnami/index.yaml
>
> time="2020-11-05T10:42:09Z" level=fatal msg="Get https://charts.bitnami.com/bitnami/index.yaml/index.yaml: x509: certificate signed by unknown authority"

Also note that you need to specify the URL without the index.yaml suffix, that's added automatically afterwards (note the double index.yaml in the URL).
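
The manual setup described in the comment above, written out as an added example (it is not part of the original comments and not the Kubeapps project's own manifest). The Secret name `bitnami2-proxy-ca` and the key `ca.crt` are assumptions chosen for illustration, and the certificate body and proxy URL are placeholders:

```yaml
# Added example: Secret holding the proxy CA, linked from the AppRepository.
# Secret name and key are illustrative; they only have to match secretKeyRef.
apiVersion: v1
kind: Secret
metadata:
  name: bitnami2-proxy-ca          # assumed name
  namespace: catalog-svc
type: Opaque
stringData:
  ca.crt: |                        # assumed key
    <PEM content of ProxyServerCertificate.crt>
---
apiVersion: kubeapps.com/v1alpha1
kind: AppRepository
metadata:
  name: bitnami2
  namespace: catalog-svc
spec:
  # No index.yaml suffix here: it is appended automatically by the sync job.
  url: https://charts.bitnami.com/bitnami
  auth:
    customCA:
      secretKeyRef:
        name: bitnami2-proxy-ca    # must match the Secret above
        key: ca.crt
  syncJobPodTemplate:
    spec:
      containers:
        - env:
            - name: https_proxy
              value: '<proxy url>'
            - name: http_proxy
              value: '<proxy url>'
```

Trusting the proxy CA through `customCA` keeps certificate verification enabled for the sync job; the CA is trusted only for this repository's requests.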

@h-uchida-n
Author

Yes, it works for my environment. Thank you.

However, I found a slightly strange case. I'll describe it below.

Failure case

I added the repository via a command and added the [Custom CA Certificate (optional)] from the dashboard; it also showed an error as above, and the error did not disappear.

Success case

I added the repository with the [Custom CA Certificate (optional)] from the Dashboard; it showed an error as follows but turned to success after a while.

Validation Failed. Got:
Code: 400. Message: Get https://charts.bitnami.com/bitnami/index.yaml: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

@andresmgot
Contributor

hi @h-uchida-n,

Some jobs or cronjobs may have been running with the old setup; that's why you saw some errors. If it eventually worked, it means that the setup is properly configured.

Let me close this issue, please reopen it if you still find some trouble.
