allow configuring https_proxy and no_proxy (#335)

* allow configuring https_proxy and no_proxy

* do not proxy requests made with the k8s clientset

* helm requests should not use the proxy either

* improve noproxy comments

Author: laverya

chart/templates/_helpers.tpl

@@ -363,4 +363,28 @@ Get daemonset names from status informers
 {{- range $daemonsets }}
 - {{ . }}
 {{- end -}}
+{{- end -}}
+
+{{/*
+Get HTTPS proxy value
+Checks local proxy.httpsProxy first, then falls back to global.replicated.httpsProxy
+*/}}
+{{- define "replicated.httpsProxy" -}}
+{{- if .Values.proxy.httpsProxy -}}
+  {{- .Values.proxy.httpsProxy -}}
+{{- else if and .Values.global .Values.global.replicated .Values.global.replicated.httpsProxy -}}
+  {{- .Values.global.replicated.httpsProxy -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Get NO_PROXY value
+Checks local proxy.noProxy first, then falls back to global.replicated.noProxy
+*/}}
+{{- define "replicated.noProxy" -}}
+{{- if .Values.proxy.noProxy -}}
+  {{- .Values.proxy.noProxy -}}
+{{- else if and .Values.global .Values.global.replicated .Values.global.replicated.noProxy -}}
+  {{- .Values.global.replicated.noProxy -}}
+{{- end -}}
 {{- end -}}

chart/templates/replicated-deployment.yaml

@@ -123,6 +123,16 @@ spec:
         {{- with .Values.extraEnv }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+        {{- $httpsProxy := include "replicated.httpsProxy" . }}
+        {{- if $httpsProxy }}
+        - name: HTTPS_PROXY
+          value: {{ $httpsProxy | quote }}
+        {{- end }}
+        {{- $noProxy := include "replicated.noProxy" . }}
+        {{- if $noProxy }}
+        - name: NO_PROXY
+          value: {{ $noProxy | quote }}
+        {{- end }}
         {{- if or .Values.privateCAConfigmap .Values.privateCASecret }}
         - name: SSL_CERT_DIR
           value: /certs

chart/values.yaml

@@ -305,3 +305,13 @@ minimalRBAC: false
 # When true, the SDK will report every image+digest in the cluster regardless of the releaseImages filter
 # When false (default), only images matching the releaseImages list will be reported
 reportAllImages: false
+
+# Proxy configuration for outbound connections
+# Configure HTTPS proxy settings for the Replicated SDK
+# These values can also be set via global.replicated.httpsProxy and global.replicated.noProxy
+# when used as a subchart. Local values take precedence over global values.
+# Configuring noProxy should not be required in normal usage, as the SDK will 
+# automatically bypass the proxy when making requests to cluster APIs.
+proxy:
+  httpsProxy: ""   # HTTPS proxy URL (e.g., "https://proxy.example.com:8080")
+  noProxy: ""      # Comma-separated list of hosts to bypass proxy (e.g., "localhost,127.0.0.1")

pkg/helm/config.go

@@ -15,7 +15,7 @@ func init() {
 	}
 
 	cfg = new(action.Configuration)
-	if err := cfg.Init(k8sutil.KubernetesConfigFlags, GetReleaseNamespace(), GetHelmDriver(), logger.Debugf); err != nil {
+	if err := cfg.Init(k8sutil.ProxyBypassRESTClientGetter(k8sutil.KubernetesConfigFlags), GetReleaseNamespace(), GetHelmDriver(), logger.Debugf); err != nil {
 		panic(errors.Wrap(err, "failed to init helm action config"))
 	}
 }

pkg/k8sutil/clientset.go

@@ -1,6 +1,8 @@
 package k8sutil
 
 import (
+	"net/http"
+	"net/url"
 	"regexp"
 	"strconv"
 
@@ -60,6 +62,9 @@ func GetClusterConfig() (*rest.Config, error) {
 	cfg.QPS = DEFAULT_K8S_CLIENT_QPS
 	cfg.Burst = DEFAULT_K8S_CLIENT_BURST
 
+	// Never proxy Kubernetes API requests, regardless of environment
+	cfg.Proxy = func(*http.Request) (*url.URL, error) { return nil, nil }
+
 	return cfg, nil
 }
 

pkg/k8sutil/rest_getter.go

@@ -0,0 +1,50 @@
+package k8sutil
+
+import (
+	"net/http"
+	"net/url"
+
+	meta "k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// proxyBypassFlags wraps ConfigFlags to force-disable HTTP proxy usage
+// for Kubernetes API requests by setting rest.Config.Proxy to nil.
+type proxyBypassFlags struct {
+	base *genericclioptions.ConfigFlags
+}
+
+func ProxyBypassRESTClientGetter(base *genericclioptions.ConfigFlags) genericclioptions.RESTClientGetter {
+	return &proxyBypassFlags{base: base}
+}
+
+func (p *proxyBypassFlags) ToRESTConfig() (*rest.Config, error) {
+	cfg, err := p.base.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+	// Ensure QPS/Burst defaults and disable proxy
+	if cfg.QPS == 0 {
+		cfg.QPS = DEFAULT_K8S_CLIENT_QPS
+	}
+	if cfg.Burst == 0 {
+		cfg.Burst = DEFAULT_K8S_CLIENT_BURST
+	}
+	cfg.Proxy = func(*http.Request) (*url.URL, error) { return nil, nil }
+	return cfg, nil
+}
+
+func (p *proxyBypassFlags) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	return p.base.ToDiscoveryClient()
+}
+
+func (p *proxyBypassFlags) ToRESTMapper() (meta.RESTMapper, error) {
+	return p.base.ToRESTMapper()
+}
+
+func (p *proxyBypassFlags) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	return p.base.ToRawKubeConfigLoader()
+}