diff --git a/chart/README.md b/chart/README.md
index 99668045..8c97fc4b 100644
--- a/chart/README.md
+++ b/chart/README.md
@@ -204,6 +204,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `accountsWww.containerSecurityContext.runAsUser` | Set accounts-www containers' Security Context runAsUser | `101` |
 | `accountsWww.containerSecurityContext.runAsNonRoot` | Set accounts-www containers' Security Context runAsNonRoot | `false` |
 | `accountsWww.containerSecurityContext.capabilities.drop` | removes accounts-www containers' Security Context capabilities | `["all"]` |
+| `accountsWww.podDisruptionBudget.enabled` | defines disruption budget for accounts-www | `false` |
+| `accountsWww.terminationGracePeriodSeconds` | Time to wait before force killing the container | `60` |
 | `accountsWww.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for accounts-www | `""` |
 | `accountsWww.existingSecret` | The name of an existing ConfigMap with your custom configuration for accounts-www | `""` |
 | `accountsWww.command` | Override default container command (useful when using custom images) | `[]` |
@@ -305,6 +307,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `importApi.containerSecurityContext.runAsUser` | Set import-api containers' Security Context runAsUser | `1000` |
 | `importApi.containerSecurityContext.runAsNonRoot` | Set import-api containers' Security Context runAsNonRoot | `false` |
 | `importApi.containerSecurityContext.capabilities.drop` | removes import-api containers' Security Context capabilities | `["all"]` |
+| `importApi.podDisruptionBudget.enabled` | defines disruption budget for import-api | `false` |
+| `importApi.terminationGracePeriodSeconds` | Time to wait before force killing the container | `300` |
 | `importApi.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for import-api | `""` |
 | `importApi.existingSecret` | The name of an existing ConfigMap with your custom configuration for import-api | `""` |
 | `importApi.command` | Override default container command (useful when using custom images) | `[]` |
@@ -374,6 +378,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `importWorker.containerSecurityContext.runAsUser` | Set import-worker containers' Security Context runAsUser | `1000` |
 | `importWorker.containerSecurityContext.runAsNonRoot` | Set import-worker containers' Security Context runAsNonRoot | `false` |
 | `importWorker.containerSecurityContext.capabilities.drop` | removes import-worker containers' Security Context capabilities | `["all"]` |
+| `importWorker.podDisruptionBudget.enabled` | defines disruption budget for import-worker | `false` |
+| `importWorker.terminationGracePeriodSeconds` | Time to wait before force killing the container | `3600` |
 | `importWorker.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for import-worker | `""` |
 | `importWorker.existingSecret` | The name of an existing ConfigMap with your custom configuration for import-worker | `""` |
 | `importWorker.command` | Override default container command (useful when using custom images) | `[]` |
@@ -450,6 +456,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `ldsApi.containerSecurityContext.runAsUser` | Set lds-api containers' Security Context runAsUser | `1000` |
 | `ldsApi.containerSecurityContext.runAsNonRoot` | Set lds-api containers' Security Context runAsNonRoot | `false` |
 | `ldsApi.containerSecurityContext.capabilities.drop` | removes lds-api containers' Security Context capabilities | `["all"]` |
+| `ldsApi.podDisruptionBudget.enabled` | defines disruption budget for lds-api | `false` |
+| `ldsApi.terminationGracePeriodSeconds` | Time to wait before force killing the container | `60` |
 | `ldsApi.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for lds-api | `""` |
 | `ldsApi.existingSecret` | The name of an existing ConfigMap with your custom configuration for lds-api | `""` |
 | `ldsApi.command` | Override default container command (useful when using custom images) | `[]` |
@@ -542,6 +550,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `mapsApi.containerSecurityContext.runAsUser` | Set maps-api containers' Security Context runAsUser | `1000` |
 | `mapsApi.containerSecurityContext.runAsNonRoot` | Set maps-api containers' Security Context runAsNonRoot | `false` |
 | `mapsApi.containerSecurityContext.capabilities.drop` | removes maps-api containers' Security Context capabilities | `["all"]` |
+| `mapsApi.podDisruptionBudget.enabled` | defines disruption budget for maps-api | `false` |
+| `mapsApi.terminationGracePeriodSeconds` | Time to wait before force killing the container | `600` |
 | `mapsApi.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for maps-api | `""` |
 | `mapsApi.existingSecret` | The name of an existing ConfigMap with your custom configuration for maps-api | `""` |
 | `mapsApi.command` | Override default container command (useful when using custom images) | `[]` |
@@ -626,6 +636,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `sqlWorker.containerSecurityContext.runAsUser` | Set sql-worker containers' Security Context runAsUser | `1000` |
 | `sqlWorker.containerSecurityContext.runAsNonRoot` | Set sql-worker containers' Security Context runAsNonRoot | `false` |
 | `sqlWorker.containerSecurityContext.capabilities.drop` | removes sql-worker containers' Security Context capabilities | `["all"]` |
+| `sqlWorker.podDisruptionBudget.enabled` | defines disruption budget for sql-worker | `false` |
+| `sqlWorker.terminationGracePeriodSeconds` | Time to wait before force killing the container | `300` |
 | `sqlWorker.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for sql-worker | `""` |
 | `sqlWorker.existingSecret` | The name of an existing ConfigMap with your custom configuration for sql-worker | `""` |
 | `sqlWorker.command` | Override default container command (useful when using custom images) | `[]` |
@@ -701,6 +713,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `router.containerSecurityContext.runAsUser` | Set router containers' Security Context runAsUser | `101` |
 | `router.containerSecurityContext.runAsNonRoot` | Set router containers' Security Context runAsNonRoot | `false` |
 | `router.containerSecurityContext.capabilities.drop` | removes router containers' Security Context capabilities | `["all"]` |
+| `router.podDisruptionBudget.enabled` | defines disruption budget for router | `false` |
+| `router.terminationGracePeriodSeconds` | Time to wait before force killing the container | `600` |
 | `router.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for router | `""` |
 | `router.existingSecret` | The name of an existing ConfigMap with your custom configuration for router | `""` |
 | `router.command` | Override default container command (useful when using custom images) | `[]` |
@@ -811,6 +825,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `httpCache.containerSecurityContext.runAsUser` | Set http-cache containers' Security Context runAsUser | `101` |
 | `httpCache.containerSecurityContext.runAsNonRoot` | Set http-cache containers' Security Context runAsNonRoot | `false` |
 | `httpCache.containerSecurityContext.capabilities.drop` | removes http-cache containers' Security Context capabilities | `["all"]` |
+| `httpCache.podDisruptionBudget.enabled` | defines disruption budget for http-cache | `false` |
+| `httpCache.terminationGracePeriodSeconds` | Time to wait before force killing the container | `600` |
 | `httpCache.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for http-cache | `""` |
 | `httpCache.existingSecret` | The name of an existing ConfigMap with your custom configuration for http-cache | `""` |
 | `httpCache.command` | Override default container command (useful when using custom images) | `[]` |
@@ -905,6 +921,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `notifier.containerSecurityContext.runAsUser` | Set notifier containers' Security Context runAsUser | `101` |
 | `notifier.containerSecurityContext.runAsNonRoot` | Set notifier containers' Security Context runAsNonRoot | `false` |
 | `notifier.containerSecurityContext.capabilities.drop` | removes notifier containers' Security Context capabilities | `["all"]` |
+| `notifier.podDisruptionBudget.enabled` | defines disruption budget for notifier | `false` |
+| `notifier.terminationGracePeriodSeconds` | Time to wait before force killing the container | `60` |
 | `notifier.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for notifier | `""` |
 | `notifier.existingSecret` | The name of an existing ConfigMap with your custom configuration for notifier | `""` |
 | `notifier.command` | Override default container command (useful when using custom images) | `[]` |
@@ -1004,6 +1022,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `cdnInvalidatorSub.containerSecurityContext.runAsUser` | Set cdnInvalidatorSub containers' Security Context runAsUser | `1000` |
 | `cdnInvalidatorSub.containerSecurityContext.runAsNonRoot` | Set cdnInvalidatorSub containers' Security Context runAsNonRoot | `false` |
 | `cdnInvalidatorSub.containerSecurityContext.capabilities.drop` | removes cdnInvalidatorSub containers' Security Context capabilities | `["all"]` |
+| `cdnInvalidatorSub.podDisruptionBudget.enabled` | defines disruption budget for cdn-invalidator-sub | `false` |
+| `cdnInvalidatorSub.terminationGracePeriodSeconds` | Time to wait before force killing the container | `300` |
 | `cdnInvalidatorSub.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for cdnInvalidatorSub | `""` |
 | `cdnInvalidatorSub.existingSecret` | The name of an existing ConfigMap with your custom configuration for cdnInvalidatorSub | `""` |
 | `cdnInvalidatorSub.command` | Override default container command (useful when using custom images) | `[]` |
@@ -1097,6 +1117,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `workspaceApi.containerSecurityContext.runAsUser` | Set workspace-api containers' Security Context runAsUser | `1000` |
 | `workspaceApi.containerSecurityContext.runAsNonRoot` | Set workspace-api containers' Security Context runAsNonRoot | `false` |
 | `workspaceApi.containerSecurityContext.capabilities.drop` | removes workspace-api containers' Security Context capabilities | `["all"]` |
+| `workspaceApi.podDisruptionBudget.enabled` | defines disruption budget for workspace-api | `false` |
+| `workspaceApi.terminationGracePeriodSeconds` | Time to wait before force killing the container | `300` |
 | `workspaceApi.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for workspace-api | `""` |
 | `workspaceApi.existingSecret` | The name of an existing ConfigMap with your custom configuration for workspace-api | `""` |
 | `workspaceApi.command` | Override default container command (useful when using custom images) | `[]` |
@@ -1166,6 +1188,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `workspaceSubscriber.containerSecurityContext.runAsUser` | Set workspace-subscriber containers' Security Context runAsUser | `1000` |
 | `workspaceSubscriber.containerSecurityContext.runAsNonRoot` | Set workspace-subscriber containers' Security Context runAsNonRoot | `false` |
 | `workspaceSubscriber.containerSecurityContext.capabilities.drop` | removes workspace-subscriber containers' Security Context capabilities | `["all"]` |
+| `workspaceSubscriber.podDisruptionBudget.enabled` | defines disruption budget for workspace-subscriber | `false` |
+| `workspaceSubscriber.terminationGracePeriodSeconds` | Time to wait before force killing the container | `300` |
 | `workspaceSubscriber.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for workspace-subscriber | `""` |
 | `workspaceSubscriber.existingSecret` | The name of an existing ConfigMap with your custom configuration for workspace-subscriber | `""` |
 | `workspaceSubscriber.command` | Override default container command (useful when using custom images) | `[]` |
@@ -1240,6 +1264,8 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `workspaceWww.containerSecurityContext.runAsUser` | Set workspace-www containers' Security Context runAsUser | `101` |
 | `workspaceWww.containerSecurityContext.runAsNonRoot` | Set workspace-www containers' Security Context runAsNonRoot | `false` |
 | `workspaceWww.containerSecurityContext.capabilities.drop` | removes workspace-www containers' Security Context capabilities | `["all"]` |
+| `workspaceWww.podDisruptionBudget.enabled` | defines disruption budget for workspace-www | `false` |
+| `workspaceWww.terminationGracePeriodSeconds` | Time to wait before force killing the container | `60` |
 | `workspaceWww.existingConfigMap` | The name of an existing ConfigMap with your custom configuration for workspace-www | `""` |
 | `workspaceWww.existingSecret` | The name of an existing ConfigMap with your custom configuration for workspace-www | `""` |
 | `workspaceWww.command` | Override default container command (useful when using custom images) | `[]` |
@@ -1378,6 +1404,21 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md | `externalPostgresql.sslCA` | CA certificate in case CARTO Postgresql TLS cert it's selfsigned | `""` | +### External proxy configuration + +| Name | Description | Value | +| ------------------------------------- | ---------------------------------------------------------------------------------------- | ------- | +| `externalProxy.enabled` | Whether the APIs will use an external proxy or not | `false` | +| `externalProxy.host` | Proxy host | `""` | +| `externalProxy.port` | Proxy port | `""` | +| `externalProxy.type` | Proxy type. Only HTTP and HTTPS proxies are supported | `""` | +| `externalProxy.username` | Proxy username (if required) | `nil` | +| `externalProxy.password` | Proxy password (if required) | `nil` | +| `externalProxy.excludedDomains` | List of domains that will bypass the proxy | `[]` | +| `externalProxy.sslRejectUnauthorized` | Whether or not verify the HTTPS proxy SSL certificate | `true` | +| `externalProxy.sslCA` | CA for the proxy SSL certificate in case is self-signed or signed by a not well-known CA | `""` | + + ### Upgrade Check pre hook parameters | Name | Description | Value | @@ -1400,6 +1441,11 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md | `upgradeCheck.containerSecurityContext.capabilities.drop` | removes Upgrade Check pre-hook containers' Security Context capabilities | `["all"]` | +### router-metrics parameters + + + + ### routerMetrics container parametres | Name | Description | Value | 
@@ -1421,6 +1467,7 @@ To install, upgrade or uninstall this chart, please refer to [the root README.md
 | `routerMetrics.containerSecurityContext.runAsUser` | Set router-metrics containers' Security Context runAsUser | `1000` |
 | `routerMetrics.containerSecurityContext.runAsNonRoot` | Set router-metrics containers' Security Context runAsNonRoot | `false` |
 | `routerMetrics.containerSecurityContext.capabilities.drop` | removes router-metrics containers' Security Context capabilities | `["all"]` |
+| `routerMetrics.podDisruptionBudget.enabled` | defines disruption budget for router-metrics | `false` |
 | `routerMetrics.containerPorts.http` | routerMetrics HTTP container port | `5447` |
 | `routerMetrics.livenessProbe.enabled` | Enable livenessProbe on router containers | `false` |
 | `routerMetrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
index e1d48846..92e43ec6 100644
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -1337,3 +1337,39 @@ Return the proper Carto upgrade check image name
 {{- define "carto.upgradeCheck.image" -}}
 {{- include "carto.images.image" (dict "imageRoot" .Values.upgradeCheck.image "global" .Values.global "Chart" .Chart) -}}
 {{- end -}}
+
+{{/*
+Add environment variables to configure proxy values
+FIXME: Add support for user and password
+*/}}
+{{- define "carto.proxy.connectionString" -}}
+{{- printf "%s://%s:%d" (lower .Values.externalProxy.type) .Values.externalProxy.host (int .Values.externalProxy.port) -}}
+{{- end -}}
+
+{{/*
+Get the proxy config map name
+*/}}
+{{- define "carto.proxy.configMapName" -}}
+{{- printf "%s-%s" .Release.Name "externalproxy" -}}
+{{- end -}}
+
+{{/*
+Return the directory where the proxy CA cert will be mounted
+*/}}
+{{- define "carto.proxy.configMapMountDir" -}}
+{{- print "/usr/src/certs/proxy-ssl-ca" -}}
+{{- end -}}
+
+{{/*
+Return the filename where the proxy CA will be mounted
+*/}}
+{{- define "carto.proxy.configMapMountFilename" -}}
+{{- print "ca.crt" -}}
+{{- end -}}
+
+{{/*
+Return the absolute path where the proxy CA cert will be mounted
+*/}}
+{{- define "carto.proxy.configMapMountAbsolutePath" -}}
+{{- printf "%s/%s" (include "carto.proxy.configMapMountDir" .) (include "carto.proxy.configMapMountFilename" .) -}}
+{{- end -}}
diff --git a/chart/templates/cdn-invalidator-sub/configmap.yaml b/chart/templates/cdn-invalidator-sub/configmap.yaml
index 4e482f39..8cc77410 100644
--- a/chart/templates/cdn-invalidator-sub/configmap.yaml
+++ b/chart/templates/cdn-invalidator-sub/configmap.yaml
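Review bot: `carto.proxy.connectionString` renders `externalProxy.type`, `host` and `port` with no validation, so with the defaults documented in this commit (`type` and `host` empty, `port` `""`) an enabled proxy appears to produce `://:0` (sprig's `int` maps a non-numeric string to 0) which is then exported as HTTP_PROXY/HTTPS_PROXY/GRPC_PROXY into every service ConfigMap, and a `type` such as `socks5` is accepted although the README row says only HTTP and HTTPS are supported; failing the render is safer than silently routing all outbound traffic through a malformed or unintended proxy URL. The FIXME also disagrees with the README hunk, which already lists `externalProxy.username`/`password` as configurable — they are ignored today, and when they are wired in they must not be embedded in this URL, because it lands in cleartext in the services' ConfigMaps rather than in a Secret. A validated form of the helper follows; the other helpers in this hunk are unchanged.
```gotmpl
{{- define "carto.proxy.connectionString" -}}
{{- $type := lower (default "" .Values.externalProxy.type) -}}
{{- if not (has $type (list "http" "https")) -}}
{{- fail "externalProxy.type must be \"http\" or \"https\"" -}}
{{- end -}}
{{- $host := required "externalProxy.host is required when externalProxy.enabled is true" .Values.externalProxy.host -}}
{{- $port := required "externalProxy.port is required when externalProxy.enabled is true" .Values.externalProxy.port -}}
{{- printf "%s://%s:%d" $type $host (int $port) -}}
{{- end -}}
{{/* … unchanged: configMapName, configMapMountDir, configMapMountFilename, configMapMountAbsolutePath helpers … */}}
```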
@@ -24,4 +24,20 @@ data:
 GOOGLE_APPLICATION_CREDENTIALS: {{ include "carto.google.secretMountAbsolutePath" . }}
 {{- end }}
 PUBSUB_PROJECT_ID: {{ .Values.cartoConfigValues.selfHostedGcpProjectId | quote }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/cdn-invalidator-sub/deployment.yaml b/chart/templates/cdn-invalidator-sub/deployment.yaml
index 0b6ef2bf..e0e21005 100644
--- a/chart/templates/cdn-invalidator-sub/deployment.yaml
+++ b/chart/templates/cdn-invalidator-sub/deployment.yaml
@@ -163,6 +163,11 @@ spec:
 - name: gcp-default-service-account-key
 mountPath: {{ include "carto.google.secretMountDir" . }}
 readOnly: true
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.cdnInvalidatorSub.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.cdnInvalidatorSub.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
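Review bot: `NODE_TLS_REJECT_UNAUTHORIZED` in the new cdn-invalidator-sub ConfigMap block is process-wide in Node.js, so `externalProxy.sslRejectUnauthorized: false` turns off certificate verification for every outbound TLS connection this service makes, not only the connection to the proxy as the README row in this commit describes it; the identical block is repeated in the import-api, import-worker, lds-api, maps-api, router, sql-worker and workspace-api ConfigMap hunks. A self-signed proxy certificate is already handled by `externalProxy.sslCA` through `NODE_EXTRA_CA_CERTS`, so the `0` value should be an explicit opt-out rather than a ternary that is always rendered. I would emit it only when verification is being disabled and say what it does in place: `{{- if not .Values.externalProxy.sslRejectUnauthorized }}` / `{{/* Disables TLS verification for ALL outbound connections of this service, not just the proxy; prefer externalProxy.sslCA */}}` / `NODE_TLS_REJECT_UNAUTHORIZED: "0"`, and reword the README row the same way. The outer `{{- if }}` closed by the final context `{{- end }}` starts above this hunk.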
@@ -176,6 +181,11 @@ spec:
 items:
 - key: {{ include "carto.google.secretKey" . }}
 path: {{ include "carto.google.secretMountFilename" . }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.cdnInvalidatorSub.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.cdnInvalidatorSub.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/templates/externalproxy-configmap.yaml b/chart/templates/externalproxy-configmap.yaml
new file mode 100644
index 00000000..0006b3c0
--- /dev/null
+++ b/chart/templates/externalproxy-configmap.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "carto.proxy.configMapName" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+data:
+ {{ include "carto.proxy.configMapMountFilename" . }}: {{ .Values.externalProxy.sslCA | quote }}
+{{- end }}
diff --git a/chart/templates/import-api/configmap.yaml b/chart/templates/import-api/configmap.yaml
index 10dcbad9..7ded33e1 100644
--- a/chart/templates/import-api/configmap.yaml
+++ b/chart/templates/import-api/configmap.yaml
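Review bot: The `proxy-ssl-ca` volume added in the cdn-invalidator-sub volumes hunk (and the matching hunks in the other deployments) mounts the new `externalproxy-configmap.yaml` ConfigMap, but nothing in these hunks ties the pod template to that ConfigMap's content, and Node reads `NODE_EXTRA_CA_CERTS` only at process start; unless the pod annotations elsewhere in these deployments already carry a checksum of it (not visible here), rotating `externalProxy.sslCA` updates the mounted file without restarting the pods, which keep trusting the previous CA. If that is the case, the usual fix is a pod-template annotation on each deployment that mounts it, e.g. `checksum/externalproxy-config: {{ include (print $.Template.BasePath "/externalproxy-configmap.yaml") . | sha256sum }}`. A ConfigMap is the right home for the CA itself, since it is a public certificate.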
@@ -57,4 +57,20 @@ data:
 {{- if eq .Values.appConfigValues.storageProvider "azure-blob" }}
 IMPORT_STORAGE_ACCOUNT: {{ .Values.appConfigValues.azureStorageAccount | quote }}
 {{- end }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/import-api/deployment.yaml b/chart/templates/import-api/deployment.yaml
index e629d364..7a0b5727 100644
--- a/chart/templates/import-api/deployment.yaml
+++ b/chart/templates/import-api/deployment.yaml
@@ -201,6 +201,11 @@ spec:
 mountPath: {{ include "carto.redis.configMapMountDir" . }}
 readOnly: true
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.importApi.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.importApi.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -232,6 +237,11 @@ spec:
 configMap:
 name: {{ include "carto.redis.configMapName" . }}
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.importApi.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.importApi.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/templates/import-worker/configmap.yaml b/chart/templates/import-worker/configmap.yaml
index 6bfe4b59..cc06ad4c 100644
--- a/chart/templates/import-worker/configmap.yaml
+++ b/chart/templates/import-worker/configmap.yaml
@@ -53,4 +53,20 @@ data:
 {{- if eq .Values.appConfigValues.storageProvider "azure-blob" }}
 IMPORT_STORAGE_ACCOUNT: {{ .Values.appConfigValues.azureStorageAccount | quote }}
 {{- end }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/import-worker/deployment.yaml b/chart/templates/import-worker/deployment.yaml
index 9750fe62..5e84b2ca 100644
--- a/chart/templates/import-worker/deployment.yaml
+++ b/chart/templates/import-worker/deployment.yaml
@@ -176,6 +176,11 @@ spec:
 mountPath: {{ include "carto.postgresql.configMapMountDir" . }}
 readOnly: true
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.importWorker.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.importWorker.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -202,6 +207,11 @@ spec:
 configMap:
 name: {{ include "carto.postgresql.configMapName" . }}
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.importWorker.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.importWorker.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/templates/lds-api/configmap.yaml b/chart/templates/lds-api/configmap.yaml
index 8ecf0756..55671616 100644
--- a/chart/templates/lds-api/configmap.yaml
+++ b/chart/templates/lds-api/configmap.yaml
@@ -41,4 +41,20 @@ data:
 WORKSPACE_POSTGRES_SSL_CA: {{ include "carto.postgresql.configMapMountAbsolutePath" . }}
 {{- end }}
 LDS_TENANT_ID: {{ .Values.cartoConfigValues.selfHostedTenantId | quote }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/lds-api/deployment.yaml b/chart/templates/lds-api/deployment.yaml
index 41808c4b..057c9cff 100644
--- a/chart/templates/lds-api/deployment.yaml
+++ b/chart/templates/lds-api/deployment.yaml
@@ -186,6 +186,11 @@ spec:
 mountPath: {{ include "carto.redis.configMapMountDir" . }}
 readOnly: true
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.ldsApi.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.ldsApi.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -209,6 +214,11 @@ spec:
 configMap:
 name: {{ include "carto.redis.configMapName" . }}
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.ldsApi.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.ldsApi.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/templates/maps-api/configmap.yaml b/chart/templates/maps-api/configmap.yaml
index 5efc264d..4549e10b 100644
--- a/chart/templates/maps-api/configmap.yaml
+++ b/chart/templates/maps-api/configmap.yaml
@@ -48,4 +48,20 @@ data:
 {{- if and .Values.externalPostgresql.sslEnabled .Values.externalPostgresql.sslCA }}
 WORKSPACE_POSTGRES_SSL_CA: {{ include "carto.postgresql.configMapMountAbsolutePath" . }}
 {{- end }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/maps-api/deployment.yaml b/chart/templates/maps-api/deployment.yaml
index e0401028..f49b33b9 100644
--- a/chart/templates/maps-api/deployment.yaml
+++ b/chart/templates/maps-api/deployment.yaml
@@ -188,6 +188,11 @@ spec:
 mountPath: {{ include "carto.redis.configMapMountDir" . }}
 readOnly: true
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.mapsApi.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.mapsApi.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -211,6 +216,11 @@ spec:
 configMap:
 name: {{ include "carto.redis.configMapName" . }}
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.mapsApi.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.mapsApi.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/templates/router/configmap.yaml b/chart/templates/router/configmap.yaml
index 0b4cdad9..f35877cf 100644
--- a/chart/templates/router/configmap.yaml
+++ b/chart/templates/router/configmap.yaml
@@ -34,4 +34,20 @@ data:
 ROUTER_METRICS_PUBSUB_TOPIC: "data-updates"
 ROUTER_METRICS_HOST: "localhost"
 ROUTER_METRICS_PUBSUB_SUBSCRIPTION_FILTER: "aggregated-selfhosted-metrics"
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/sql-worker/configmap.yaml b/chart/templates/sql-worker/configmap.yaml
index 1382a509..efc42e01 100644
--- a/chart/templates/sql-worker/configmap.yaml
+++ b/chart/templates/sql-worker/configmap.yaml
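Review bot: With the proxy enabled and `externalProxy.excludedDomains` left at its documented default `[]`, this router ConfigMap hunk exports HTTP_PROXY/HTTPS_PROXY/GRPC_PROXY but no NO_PROXY at all, so proxy-aware clients in the pod would send traffic for `localhost` (see the context line `ROUTER_METRICS_HOST: "localhost"`), in-cluster service names and the Kubernetes API to the external proxy; whether each process in this pod honours these variables is not visible here. The same gap exists in the other service ConfigMap hunks of this commit. I would always emit a baseline exclusion list and append the operator's entries, e.g. `{{- $noProxy := concat (list "localhost" "127.0.0.1" ".svc" ".cluster.local") .Values.externalProxy.excludedDomains }}` then `NO_PROXY: {{ join "," $noProxy | quote }}` / `no_proxy: {{ join "," $noProxy | quote }}`, dropping the `gt (len ...)` guard. The README row for `excludedDomains` should also say that it is what keeps internal traffic off the proxy.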
@@ -47,4 +47,20 @@ data:
 WORKSPACE_POSTGRES_SSL_CA: {{ include "carto.postgresql.configMapMountAbsolutePath" . }}
 {{- end }}
 WORKSPACE_TENANT_ID: {{ .Values.cartoConfigValues.selfHostedTenantId | quote }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/sql-worker/deployment.yaml b/chart/templates/sql-worker/deployment.yaml
index be4d3f67..b20e5810 100644
--- a/chart/templates/sql-worker/deployment.yaml
+++ b/chart/templates/sql-worker/deployment.yaml
@@ -161,6 +161,11 @@ spec:
 mountPath: {{ include "carto.postgresql.configMapMountDir" . }}
 readOnly: true
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.sqlWorker.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.sqlWorker.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -187,6 +192,11 @@ spec:
 configMap:
 name: {{ include "carto.postgresql.configMapName" . }}
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.sqlWorker.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.sqlWorker.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/templates/workspace-api/configmap.yaml b/chart/templates/workspace-api/configmap.yaml
index d193e4bb..1f8bc386 100644
--- a/chart/templates/workspace-api/configmap.yaml
+++ b/chart/templates/workspace-api/configmap.yaml
@@ -86,4 +86,20 @@ data:
 WORKSPACE_THUMBNAILS_STORAGE_ACCOUNT: {{ .Values.appConfigValues.azureStorageAccount | quote }}
 WORKSPACE_IMPORTS_STORAGE_ACCOUNT: {{ .Values.appConfigValues.azureStorageAccount | quote }}
 {{- end }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/workspace-api/deployment.yaml b/chart/templates/workspace-api/deployment.yaml
index a85582c3..37ed542e 100644
--- a/chart/templates/workspace-api/deployment.yaml
+++ b/chart/templates/workspace-api/deployment.yaml
@@ -279,6 +279,11 @@ spec:
 mountPath: {{ include "carto.redis.configMapMountDir" . }}
 readOnly: true
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.workspaceApi.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.workspaceApi.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -310,6 +315,11 @@ spec:
 configMap:
 name: {{ include "carto.redis.configMapName" . }}
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.workspaceApi.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.workspaceApi.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/templates/workspace-subscriber/configmap.yaml b/chart/templates/workspace-subscriber/configmap.yaml
index 302bf1c5..d01d9073 100644
--- a/chart/templates/workspace-subscriber/configmap.yaml
+++ b/chart/templates/workspace-subscriber/configmap.yaml
@@ -55,4 +55,20 @@ data:
 WORKSPACE_PUBSUB_TENANT_BUS_TOPIC: "projects/{{ .Values.cartoConfigValues.selfHostedGcpProjectId }}/topics/tenant-bus"
 WORKSPACE_TENANT_ID: {{ .Values.cartoConfigValues.selfHostedTenantId | quote }}
 WORKSPACE_THUMBNAILS_BUCKET: {{ .Values.appConfigValues.workspaceThumbnailsBucket | quote }}
+ {{- if .Values.externalProxy.enabled }}
+ HTTP_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ http_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ HTTPS_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ https_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ GRPC_PROXY: {{ include "carto.proxy.connectionString" . | quote }}
+ grpc_proxy: {{ include "carto.proxy.connectionString" . | quote }}
+ NODE_TLS_REJECT_UNAUTHORIZED: {{ ternary "1" "0" .Values.externalProxy.sslRejectUnauthorized | quote }}
+ {{- if gt (len .Values.externalProxy.excludedDomains) 0 }}
+ NO_PROXY: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ no_proxy: {{ join "," .Values.externalProxy.excludedDomains | quote }}
+ {{- end }}
+ {{- if .Values.externalProxy.sslCA }}
+ NODE_EXTRA_CA_CERTS: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
+ {{- end }}
+ {{- end }}
 {{- end }}
diff --git a/chart/templates/workspace-subscriber/deployment.yaml b/chart/templates/workspace-subscriber/deployment.yaml
index a50017ce..3d7539d2 100644
--- a/chart/templates/workspace-subscriber/deployment.yaml
+++ b/chart/templates/workspace-subscriber/deployment.yaml
@@ -173,6 +173,11 @@ spec:
 mountPath: {{ include "carto.redis.configMapMountDir" . }}
 readOnly: true
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ mountPath: {{ include "carto.proxy.configMapMountDir" . }}
+ readOnly: true
+ {{- end }}
 {{- if .Values.workspaceSubscriber.extraVolumeMounts }}
 {{- include "common.tplvalues.render" (dict "value" .Values.workspaceSubscriber.extraVolumeMounts "context" $) | nindent 12 }}
 {{- end }}
@@ -196,6 +201,11 @@ spec:
 configMap:
 name: {{ include "carto.redis.configMapName" . }}
 {{- end }}
+ {{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
+ - name: proxy-ssl-ca
+ configMap:
+ name: {{ include "carto.proxy.configMapName" . }}
+ {{- end }}
 {{- if .Values.workspaceSubscriber.extraVolumes }}
 {{- include "common.tplvalues.render" (dict "value" .Values.workspaceSubscriber.extraVolumes "context" $) | nindent 8 }}
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index ca2b6829..c9bfd131 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -51,6 +51,7 @@ cartoConfigValues:
 selfHostedTenantId: ""
 ## @param cartoConfigValues.launchDarklyClientSideId LaunchDarkly ClientSideId (by www) used to enable/disable features.
 launchDarklyClientSideId: ""
+
 ## @section App secret
 ## Global secrets to be edited by the client
 appSecrets:
@@ -418,7 +419,7 @@ accountsWww:
 capabilities:
 drop:
 - all
- ## @param accountsWww.podDisruptionBudget defines disruption budget for accounts-www
+ ## @param accountsWww.podDisruptionBudget.enabled defines disruption budget for accounts-www
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -750,7 +751,7 @@ importApi:
 capabilities:
 drop:
 - all
- ## @param importApi.podDisruptionBudget defines disruption budget for import-api
+ ## @param importApi.podDisruptionBudget.enabled defines disruption budget for import-api
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -1009,7 +1010,7 @@ importWorker:
 capabilities:
 drop:
 - all
- ## @param importWorker.podDisruptionBudget defines disruption budget for import-worker
+ ## @param importWorker.podDisruptionBudget.enabled defines disruption budget for import-worker
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -1282,7 +1283,7 @@ ldsApi:
 capabilities:
 drop:
 - all
- ## @param ldsApi.podDisruptionBudget defines disruption budget for lds-api
+ ## @param ldsApi.podDisruptionBudget.enabled defines disruption budget for lds-api
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -1601,7 +1602,7 @@ mapsApi:
 capabilities:
 drop:
 - all
- ## @param mapsApi.podDisruptionBudget defines disruption budget for maps-api
+ ## @param mapsApi.podDisruptionBudget.enabled defines disruption budget for maps-api
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -1895,7 +1896,7 @@ sqlWorker:
 capabilities:
 drop:
 - all
- ## @param sqlWorker.podDisruptionBudget defines disruption budget for sql-worker
+ ## @param sqlWorker.podDisruptionBudget.enabled defines disruption budget for sql-worker
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -2164,7 +2165,7 @@ router:
 capabilities:
 drop:
 - all
- ## @param router.podDisruptionBudget defines disruption budget for router
+ ## @param router.podDisruptionBudget.enabled defines disruption budget for router
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -2570,7 +2571,7 @@ httpCache:
 capabilities:
 drop:
 - all
- ## @param httpCache.podDisruptionBudget defines disruption budget for http-cache
+ ## @param httpCache.podDisruptionBudget.enabled defines disruption budget for http-cache
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -2890,7 +2891,7 @@ notifier:
 capabilities:
 drop:
 - all
- ## @param notifier.podDisruptionBudget defines disruption budget for notifier
+ ## @param notifier.podDisruptionBudget.enabled defines disruption budget for notifier
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -3213,7 +3214,7 @@ cdnInvalidatorSub:
 capabilities:
 drop:
 - all
- ## @param cdnInvalidatorSub.podDisruptionBudget defines disruption budget for cdn-invalidator-sub
+ ## @param cdnInvalidatorSub.podDisruptionBudget.enabled defines disruption budget for cdn-invalidator-sub
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -3534,7 +3535,7 @@ workspaceApi:
 capabilities:
 drop:
 - all
- ## @param workspaceApi.podDisruptionBudget defines disruption budget for workspace-api
+ ## @param workspaceApi.podDisruptionBudget.enabled defines disruption budget for workspace-api
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -3794,7 +3795,7 @@ workspaceSubscriber:
 capabilities:
 drop:
 - all
- ## @param workspaceSubscriber.podDisruptionBudget defines disruption budget for workspace-subscriber
+ ## @param workspaceSubscriber.podDisruptionBudget.enabled defines disruption budget for workspace-subscriber
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
 ##
 podDisruptionBudget:
@@ -4061,7 +4062,7 @@ workspaceWww: capabilities: drop: - all - ## @param workspaceWww.podDisruptionBudget defines disruption budget for workspace-www + ## @param workspaceWww.podDisruptionBudget.enabled defines disruption budget for workspace-www ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## podDisruptionBudget: @@ -4444,6 +4445,24 @@ externalPostgresql: sslEnabled: false sslCA: "" +## @section External proxy configuration +## Configuration for an external proxy provided by the client. Only HTTP and HTTPS proxies are supported +externalProxy: + ## @param externalProxy.enabled Whether the APIs will use an external proxy or not + enabled: false + ## @param externalProxy.host Proxy host + host: "" + ## @param externalProxy.port Proxy port + port: "" + ## @param externalProxy.type Proxy type. Only HTTP and HTTPS proxies are supported + type: "" + ## @param externalProxy.excludedDomains List of domains that should not be proxied + excludedDomains: [] + ## @param externalProxy.sslRejectUnauthorized Whether or not verify the HTTPS proxy SSL certificate + sslRejectUnauthorized: true + ## @param externalProxy.sslCA CA for the proxy SSL certificate in case is self-signed or signed by a not well-known CA + sslCA: "" + ## @section Upgrade Check pre hook parameters ## @param upgradeCheck.enabled upgradeCheck will run or not upgradeCheck: @@ -4582,7 +4601,7 @@ routerMetrics: capabilities: drop: - all - ## @param routerMetrics.podDisruptionBudget defines disruption budget for router-metrics + ## @param routerMetrics.podDisruptionBudget.enabled defines disruption budget for router-metrics ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ ## podDisruptionBudget: diff --git a/customizations/README.md b/customizations/README.md index beb720b7..f4712cfc 100644 --- a/customizations/README.md +++ b/customizations/README.md 
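Review bot: The new `## @param externalProxy.sslRejectUnauthorized Whether or not verify the HTTPS proxy SSL certificate` line understates the flag: the configmap templates in this diff turn false into NODE_TLS_REJECT_UNAUTHORIZED=0, which disables certificate verification for every outbound TLS connection of the component, not only the connection to the proxy. I would reword it as `## @param externalProxy.sslRejectUnauthorized Verify the HTTPS proxy certificate. Setting false exports NODE_TLS_REJECT_UNAUTHORIZED=0 to the components, disabling TLS verification for all their outbound connections; use externalProxy.sslCA for private CAs instead`. `externalProxy.type` is documented as HTTP/HTTPS only, but nothing in this diff rejects other values, so a typo would surface as a broken proxy URL at runtime instead of at `helm template` time; a `fail` in the connection-string helper (outside this diff) or a sentence on the param saying the value is not validated would help.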
@@ -26,6 +26,7 @@ - [Setup Redis creating secrets](#setup-redis-creating-secrets) - [Setup Redis with automatic secret creation](#setup-redis-with-automatic-secret-creation) - [Configure Redis TLS](#configure-redis-tls) + - [Configure external proxy](#configure-external-proxy) - [Custom Buckets](#custom-buckets) - [Pre-requisites](#pre-requisites) - [Google Cloud Storage](#google-cloud-storage) @@ -647,6 +648,18 @@ externalRedis: # -----END CERTIFICATE----- ``` +### Configure external proxy + +CARTO stack supports working behind a HTTP/HTTPS proxy. This proxy is used to connect to external services like Google APIs, Mapbox, etc. + +You can find customizations examples for different proxies in the [proxy](./proxy/) directory. + +The `externalProxy.excludedDomains` property can contain a list of all the domains that shouldn't be proxied. This is useful for example to avoid proxying the internal services like the internal Redis or Postgresql. + +```yaml + +> :warning: Your proxy user/password credentials will appear in clear text in the environment variables of the CARTO stack components + ### Custom Buckets For every CARTO Self Hosted installation, we create GCS buckets on our side as part of the required infrastructure for importing data, map thumbnails and customization assets (custom logos and markers). 
@@ -1376,14 +1389,14 @@ If you need to open a support ticket, please execute our [carto-support-tool](.. If you face a problem like the one below while you are updating your CARTO selfhosted installation``` ```bash -helm upgrade my-release carto/carto --namespace my namespace -f carto-values.yaml -f carto-secrets.yaml -f customizations.yml +helm upgrade my-release carto/carto --namespace my namespace -f carto-values.yaml -f carto-secrets.yaml -f customizations.yml Error: UPGRADE FAILED: another operation (install/upgrade/rollback) is in progress ``` Probably an upgrade operation wasn't killed gracefully. The fix is to rollback to a previous deployment: ```bash -helm history my-release +helm history my-release REVISION UPDATED STATUS CHART APP VERSION DESCRIPTION 19 Fri Aug 26 11:10:20 2022 superseded carto-1.40.6-beta 2022.8.19-2 Upgrade complete @@ -1396,10 +1409,10 @@ REVISION UPDATED STATUS CHART APP VERSION 26 Fri Sep 30 14:14:29 2022 superseded carto-1.42.10-beta 2022.9.28 Upgrade complete 27 Fri Sep 30 14:37:41 2022 deployed carto-1.42.10-beta 2022.9.28 Upgrade complete 28 Fri Sep 30 15:07:06 2022 pending-upgrade carto-1.42.10-beta 2022.9.28 Preparing upgrade -helm rollback my-release 27 +helm rollback my-release 27 Rollback was a success! Happy Helming! -helm history my-release +helm history my-release REVISION UPDATED STATUS CHART APP VERSION DESCRIPTION 20 Fri Sep 16 12:00:57 2022 superseded carto-1.42.1-beta 2022.9.16 Upgrade complete @@ -1412,5 +1425,5 @@ REVISION UPDATED STATUS CHART APP VERSION 27 Fri Sep 30 14:37:41 2022 superseded carto-1.42.10-beta 2022.9.28 Upgrade complete 28 Fri Sep 30 15:07:06 2022 pending-upgrade carto-1.42.10-beta 2022.9.28 Preparing upgrade 29 Tue Oct 4 10:58:22 2022 deployed carto-1.42.10-beta 2022.9.28 Rollback to 27 -``` +``` Now you can run the upgrade operation again diff --git a/customizations/proxy/http/customizations.yaml b/customizations/proxy/http/customizations.yaml new file mode 100644 index 00000000..5e81f3c5 
--- /dev/null
+++ b/customizations/proxy/http/customizations.yaml
@@ -0,0 +1,6 @@
+externalProxy:
+ enabled: true
+ host:
+ port:
+ type: http
+ excludedDomains: []
\ No newline at end of file
diff --git a/customizations/proxy/https/customizations.yaml b/customizations/proxy/https/customizations.yaml
new file mode 100644
index 00000000..ff386586
--- /dev/null
+++ b/customizations/proxy/https/customizations.yaml
@@ -0,0 +1,13 @@
+externalProxy:
+ enabled: true
+ host:
+ port:
+ type: https
+ excludedDomains: []
+ # Whether or not verify the proxy SSL certificate
+ sslRejectUnauthorized: false
+ # Only applies for self-signed SSL certificates or not well-known CAs
+ # sslCA: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
\ No newline at end of file
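Review bot: The https example sets `sslRejectUnauthorized: false`, so anyone who copies it unchanged switches off certificate verification for every outbound TLS connection of the CARTO components (the configmaps in this diff map it to NODE_TLS_REJECT_UNAUTHORIZED=0), not just for the proxy. The example should keep the chart default, `sslRejectUnauthorized: true`, and leave the commented sslCA block as the way to trust a private CA; the comment above it could read `# Keep true; false disables TLS verification for ALL outbound connections of the components, not only the proxy`. `host:` and `port:` render as null until filled in, which is fine for a template but deserves a `# required` marker, and both new files lack a trailing newline.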