From db77db2731f69db3301355b0e3b7a0a1c387bf1f Mon Sep 17 00:00:00 2001
From: Gyorgy Ruck
Date: Tue, 5 May 2026 18:15:31 +0200
Subject: [PATCH] feat: Adding HTTP proxy support for reliability
---
 charts/kvisor/Chart.yaml | 2 +-
 charts/kvisor/templates/_helpers.tpl | 23 +++++++++++++++++++++++
 charts/kvisor/templates/agent.yaml | 1 +
 charts/kvisor/templates/controller.yaml | 1 +
 charts/kvisor/values.yaml | 16 ++++++++++++++++
 docs/reliability-stack-installation.md | 23 +++++++++++++++++++++++
 6 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/charts/kvisor/Chart.yaml b/charts/kvisor/Chart.yaml
index 8d33c042..186f3431 100644
--- a/charts/kvisor/Chart.yaml
+++ b/charts/kvisor/Chart.yaml
@@ -7,7 +7,7 @@ appVersion: "v1.55.25"
 dependencies:
 - name: reliability-metrics-ch-exporter
- version: "0.3.17"
+ version: "0.3.19"
 repository: "https://castai.github.io/helm-charts"
 condition: reliabilityMetrics.enabled
 alias: reliabilityMetrics
diff --git a/charts/kvisor/templates/_helpers.tpl b/charts/kvisor/templates/_helpers.tpl
index 650306ae..79b47a8a 100644
--- a/charts/kvisor/templates/_helpers.tpl
+++ b/charts/kvisor/templates/_helpers.tpl
@@ -592,3 +592,26 @@ Formula (dynamicSizing): memory = 40 + (N × 27) + 30 MiB, clamped to [120, 1024
 - name: obi-shared
 mountPath: /shared
 {{- end -}}
+
+{{/*
+Emit HTTPS_PROXY / HTTP_PROXY / NO_PROXY env vars when the corresponding
+global.proxy.* value is non-empty. Each var is independently conditional —
+no envelope `enabled` flag.
+
+Include in containers that make external connections (agent, controller,
+ch-exporter). Do NOT include in OBI or OTel collector sidecars.
+*/}}
+{{- define "kvisor.proxyEnvVars" -}}
+{{- with ((.Values.global).proxy).httpsProxy }}
+- name: HTTPS_PROXY
+ value: {{ . | quote }}
+{{- end }}
+{{- with ((.Values.global).proxy).httpProxy }}
+- name: HTTP_PROXY
+ value: {{ . | quote }}
+{{- end }}
+{{- with ((.Values.global).proxy).noProxy }}
+- name: NO_PROXY
+ value: {{ . | quote }}
+{{- end }}
+{{- end }}
diff --git a/charts/kvisor/templates/agent.yaml b/charts/kvisor/templates/agent.yaml
index e33d7fba..f239df72 100644
--- a/charts/kvisor/templates/agent.yaml
+++ b/charts/kvisor/templates/agent.yaml
@@ -170,6 +170,7 @@ spec:
 - name: {{ $k }}
 value: "{{ $v }}"
 {{- end }}
+ {{- include "kvisor.proxyEnvVars" . | nindent 12 }}
 ports:
 - containerPort: {{.Values.agent.metricsHTTPListenPort}}
 name: metrics
diff --git a/charts/kvisor/templates/controller.yaml b/charts/kvisor/templates/controller.yaml
index ace5427e..a4b8b9f0 100644
--- a/charts/kvisor/templates/controller.yaml
+++ b/charts/kvisor/templates/controller.yaml
@@ -125,6 +125,7 @@ spec:
 - name: {{ $key }}
 value: {{ $value }}
 {{- end }}
+ {{- include "kvisor.proxyEnvVars" . | nindent 12 }}
 envFrom:
 {{- with .Values.controller.envFrom }}
 {{- toYaml . | nindent 12 }}
diff --git a/charts/kvisor/values.yaml b/charts/kvisor/values.yaml
index 66d10be0..c60564dc 100644
--- a/charts/kvisor/values.yaml
+++ b/charts/kvisor/values.yaml
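Review bot: The three `value: {{ . | quote }}` lines in `kvisor.proxyEnvVars` render the proxy URL as a literal env value in the pod spec, so a URL of the form `http://user:password@host:port` would be readable by anyone who can view the workload manifests or the stored Helm release. The helper's doc comment should say so, for example `Values are rendered in plain text; do not embed proxy credentials in the URL.` If authenticated proxies need to be supported, a variant that emits `valueFrom.secretKeyRef` instead of `value` would keep the secret out of the manifest.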
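Review bot: In the agent.yaml hunk the include is appended after the `range` loop that renders `- name: {{ $k }}`, so if that loop already yields `HTTPS_PROXY`, `HTTP_PROXY` or `NO_PROXY` the container ends up with two env entries of the same name. Kubernetes resolves duplicate env names in favour of the later entry, so the `global.proxy` value would silently override the per-component one, and duplicate names can also trip up apply and merge tooling. A comment above the include such as `{{- /* global.proxy.* is rendered last and takes precedence over the same names set above */}}` would document the precedence; skipping names the loop already emitted would avoid the duplicate altogether. The same applies to the controller.yaml hunk, and in both files the env list begins outside the hunk, so what the loop ranges over is not visible here.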
@@ -39,6 +39,22 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
+# Proxy configuration — set any of these to inject the corresponding env var
+# into the kvisor agent, controller, and ch-exporter containers. Each var is
+# emitted independently when non-empty; presence implies activation.
+#
+# OTel collector sidecars and OBI are intentionally excluded: collectors talk
+# to ClickHouse via native TCP (unaffected by HTTP proxies), and OBI only
+# communicates on localhost.
+#
+# This block propagates automatically to the reliabilityMetrics subchart via
+# Helm's global values mechanism.
+global:
+ proxy:
+ httpProxy: ""
+ httpsProxy: ""
+ noProxy: ""
+
 # Labels to add to all resources.
 # TODO: Add for all resources
 commonLabels: {}
diff --git a/docs/reliability-stack-installation.md b/docs/reliability-stack-installation.md
index de7f85ac..d15d2ff8 100644
--- a/docs/reliability-stack-installation.md
+++ b/docs/reliability-stack-installation.md
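Review bot: The comment block above `global.proxy` does not say what `noProxy` has to contain, and `noProxy` defaults to empty while `httpsProxy` can be set on its own. If the Kubernetes client in the agent or controller honours these variables (not visible in this diff), API-server and other in-cluster requests would then be sent to the proxy. Add a line such as `# When httpProxy/httpsProxy is set, also set noProxy to cover in-cluster destinations (.svc, .cluster.local, the service and pod CIDRs, localhost).` The prose in the docs hunk names only `.svc`, which would not match an API server that is addressed by its cluster IP.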
@@ -476,6 +476,29 @@ reliabilityMetrics:
 key: "password"
 ```
+### Proxy Configuration (HTTPS_PROXY / HTTP_PROXY / NO_PROXY)
+
+Some clusters route outbound traffic through a corporate HTTP CONNECT proxy.
+Set proxy values once under `global.proxy` — they automatically propagate to
+the kvisor agent, controller, and the ch-exporter (subchart). Each variable
+is independently optional: only the ones you set are emitted.
+
+```yaml
+global:
+ proxy:
+ httpsProxy: "http://appproxy.corp.example:3128"
+ httpProxy: "http://appproxy.corp.example:3128"
+ noProxy: ".cluster.local,.svc,10.0.0.0/16,127.0.0.1,localhost"
+```
+
+**What gets the proxy vars:** kvisor agent, kvisor controller, ch-exporter —
+the components that initiate gRPC/REST calls to the CAST AI mothership.
+
+**What doesn't (intentionally):** OBI (only talks to `localhost`) and the
+OTel collector sidecars (write to ClickHouse over native TCP, which is not
+affected by HTTP proxies). Make sure `noProxy` includes `.svc` so in-cluster
+service traffic bypasses the proxy.
+
 ## Verification
 ### 1. Check Pod Status