HTTP Proxy

Production or corporate environments can deny direct access to the Internet and mandate that egress traffic go through an HTTP or HTTPS proxy.

The Camel K operator can be configured to route egress traffic to this proxy by setting the usual HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables on the operator Deployment.

This can be achieved with the Kamel CLI, at installation time, e.g.:

$ kamel install --operator-env-vars=HTTP_PROXY=http://proxy

Alternatively, the operator Deployment can be amended with the kubectl CLI, e.g.:

$ kubectl set env deployment camel-k-operator HTTP_PROXY=http://proxy

The HTTP_PROXY and HTTPS_PROXY environment variable values expect URLs following the http://[<username>[:<pswd>]@]<host>[:<port>] format, e.g.:

HTTP_PROXY=http://proxy.corp.tld

Maven currently does not support connecting to an HTTP proxy via TLS. For this reason, the scheme of the HTTPS_PROXY value is restricted to http.

The NO_PROXY environment variable value expects a comma-separated list of destination domain names, domain suffixes, IP addresses or other network CIDRs, e.g.:

NO_PROXY=.cluster.local,.svc,10.0.0.0/16,127.0.0.1,localhost

By default, all egress traffic, generated by all the workloads and processes managed by the Camel K operator, will be proxied. This encompasses:

  • Communicating with the Kubernetes API server

  • Downloading Maven artifacts from repositories

  • Pulling base images from container registries

  • Pushing images to the configured container registry

For this reason, review the services that the operator requires access to, and determine whether any of them must bypass the proxy.

This particularly applies to internal services, hosted within the cluster, whose internal domain names or IP addresses should be added to the NO_PROXY environment variable.

Typically, the NO_PROXY variable should be populated with the internal domain suffixes, as well as the cluster network CIDRs, e.g.:

NO_PROXY=.cluster.local,.svc,10.0.0.0/16,127.0.0.1,172.17.0.0/18,172.21.0.0/16,localhost

As the Camel K operator communicates with the Kubernetes API, at least the cluster IPs of the Kubernetes Service must be specified in NO_PROXY whenever an HTTP proxy is configured.
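A pre-flight check for the values described above, as an added example that is not part of the Camel K documentation or code base: it validates a proxy URL against the expected format, reports whether it embeds credentials (the variables are propagated to integrations by default), and tests whether a destination is covered by NO_PROXY. The function names, the simplified matching rules and the address 10.0.0.1 standing in for the Kubernetes Service cluster IP are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// checkProxyURL validates an HTTP_PROXY or HTTPS_PROXY value against the
// http://[<username>[:<pswd>]@]<host>[:<port>] format; hasCreds flags userinfo.
func checkProxyURL(value string) (hasCreds bool, err error) {
	u, err := url.Parse(value)
	if err != nil {
		return false, err
	}
	if u.Scheme != "http" || u.Hostname() == "" {
		return false, fmt.Errorf("%q is not an http://host[:port] URL", value)
	}
	return u.User != nil, nil
}

// bypassesProxy reports whether host (domain name or IP) matches an entry of a
// comma-separated NO_PROXY list: exact name or IP, domain suffix, or CIDR.
// Simplified matcher written for this example (assumption, not operator code).
func bypassesProxy(noProxy, host string) bool {
	ip := net.ParseIP(host)
	for _, entry := range strings.Split(noProxy, ",") {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if ip != nil && cidr.Contains(ip) {
				return true
			}
		} else if ip != nil {
			if e := net.ParseIP(entry); e != nil && e.Equal(ip) {
				return true
			}
		} else if h := strings.ToLower(host); entry != "" &&
			(h == entry || strings.HasSuffix(h, "."+strings.TrimPrefix(entry, "."))) {
			return true
		}
	}
	return false
}

func main() {
	noProxy := ".cluster.local,.svc,10.0.0.0/16,127.0.0.1,localhost" // from the page
	fmt.Println(checkProxyURL("http://user:secret@proxy.corp.tld:3128")) // constructed
	fmt.Println(bypassesProxy(noProxy, "10.0.0.1"), bypassesProxy(noProxy, "repo.maven.apache.org"))
}
```

A proxy URL that reports embedded credentials is a reason to review whether propagation to integrations should stay enabled.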

By default, the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are also propagated to the integrations. This behavior can be deactivated by using the http-proxy parameter of the environment trait, e.g.:

$ kamel run -t environment.http-proxy=false

Alternatively, it can be disabled globally, by editing the IntegrationPlatform resources, e.g.:

apiVersion: camel.apache.org/v1
kind: IntegrationPlatform
metadata:
  name: camel-k
spec:
  traits:
    environment:
      configuration:
        httpProxy: false # (1)

(1) Deactivates the propagation of HTTP proxy environment variables at the platform level

OpenShift

On OpenShift 4, a cluster-wide egress proxy can be configured by editing the cluster Proxy resource:

apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  httpProxy: http://<username>:<pswd>@<ip>:<port>

Operator Lifecycle Manager (OLM) sources the status of this cluster Proxy to automatically populate the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables on the operator Deployment resources it manages.

These cluster-wide proxy settings can be overridden specifically for the Camel K operator, if necessary, by editing the corresponding Subscription resource, e.g.:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: camel-k
  namespace: openshift-operators
spec:
  config:
    env:
    - name: HTTP_PROXY
      value: ""
    - name: NO_PROXY
      value: ""