[[http-proxy]]
= HTTP Proxy
Production or corporate environments can deny direct access to the Internet and mandate that egress traffic go through an HTTP or HTTPS proxy.
The Camel K operator can be configured to route egress traffic to this proxy, by setting the usual `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables on the operator Deployment.
This can be achieved with the Kamel CLI, at installation time, e.g.:
[source,console]
----
$ kamel install --operator-env-vars=HTTP_PROXY=http://proxy
----
Alternatively, the operator Deployment can be amended with the `kubectl` CLI, e.g.:
[source,console]
----
$ kubectl set env deployment camel-k-operator HTTP_PROXY=http://proxy
----
The `HTTP_PROXY` and `HTTPS_PROXY` environment variable values expect URLs following the `http://[<username>[:<pswd>]@]<host>[:<port>]` format, e.g.:
[source]
----
HTTP_PROXY=http://proxy.corp.tld
----
NOTE: Maven currently does not support connecting to an HTTP proxy via TLS. For this reason, the scheme of the `HTTPS_PROXY` value is restricted to `http`.
The `NO_PROXY` environment variable value expects a comma-separated list of destination domain names, domain suffixes, IP addresses or other network CIDRs, e.g.:
[source]
----
NO_PROXY=.cluster.local,.svc,10.0.0.0/16,127.0.0.1,localhost
----
By default, all egress traffic, generated by all the workloads and processes managed by the Camel K operator, will be proxied.
This encompasses:
* Communicating with the Kubernetes API server
* Downloading Maven artifacts from repositories
* Pulling base images from container registries
* Pushing images to the configured container registry
For this reason, services that the operator requires access to should be reviewed, and it must be determined whether any of them must bypass the proxy.
This particularly applies to internal services, hosted within the cluster, whose internal domain names or IP addresses should be added to the `NO_PROXY` environment variable.
Typically, the `NO_PROXY` variable should be populated with the internal domain suffixes, as well as the cluster network CIDRs, e.g.:
[source]
----
NO_PROXY=.cluster.local,.svc,10.0.0.0/16,127.0.0.1,172.17.0.0/18,172.21.0.0/16,localhost
----
NOTE: As the Camel K operator communicates with the Kubernetes API, the cluster IPs of the Kubernetes Service must at least be specified in `NO_PROXY`, anytime an HTTP proxy is configured.
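A pre-flight check for the values discussed above, as an added example that is not part of the Camel K documentation or code base: it validates the proxy URLs against the documented format and reports destinations that `NO_PROXY` does not cover. The matching rules (suffix match for domain entries, containment for IP and CIDR entries) are a simplifying assumption, since each HTTP client interprets `NO_PROXY` slightly differently; the function names, proxy port, credentials, and destination addresses are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

def bypasses_proxy(dest, no_proxy):
    """True if dest (host name or IP address) matches an entry of a NO_PROXY value."""
    try:
        dest_ip = ipaddress.ip_address(dest)
    except ValueError:
        dest_ip = None  # dest is a host name
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # single IP or CIDR
        except ValueError:
            net = None  # entry is a domain name or suffix
        if net is not None:
            if dest_ip is not None and dest_ip in net:
                return True
        elif dest_ip is None:
            name, host = entry.lstrip("."), dest.lower().rstrip(".")
            if host == name or host.endswith("." + name):
                return True
    return False

def check_proxy_env(env, must_bypass):
    """Return findings for proxy variables and destinations that must stay direct."""
    findings = []
    for var in ("HTTP_PROXY", "HTTPS_PROXY"):
        value = env.get(var)
        if not value:
            continue
        url = urlsplit(value)
        if url.scheme != "http" or not url.hostname:
            findings.append(f"{var}: expected http://[user[:pswd]@]host[:port]")
        if url.username or url.password:
            findings.append(f"{var}: credentials are stored in the Deployment "
                            "spec and propagated to integrations by default")
    for dest in must_bypass:
        if not bypasses_proxy(dest, env.get("NO_PROXY", "")):
            findings.append(f"NO_PROXY: {dest} would go through the proxy")
    return findings

# Constructed sample: NO_PROXY from the page, hypothetical API service cluster IPs.
SAMPLE_ENV = {"HTTPS_PROXY": "https://user:pswd@proxy.corp.tld:3128",
              "NO_PROXY": ".cluster.local,.svc,10.0.0.0/16,127.0.0.1,localhost"}
SAMPLE_DESTS = ["kubernetes.default.svc", "10.0.0.1", "172.21.0.1"]

if __name__ == "__main__":
    for finding in check_proxy_env(SAMPLE_ENV, SAMPLE_DESTS):
        print(finding)
```

Run it with the values intended for the operator Deployment before applying them; an empty result means every listed destination stays off the proxy and both URLs follow the documented format.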
By default, the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables are also propagated to the integrations.
This behavior can be deactivated, by using the `http-proxy` parameter of the _environment_ trait, e.g.:
[source,console]
----
$ kamel run -t environment.http-proxy=false
----
Alternatively, it can be disabled globally, by editing the IntegrationPlatform resources, e.g.:
[source, yaml]
----
apiVersion: camel.apache.org/v1
kind: IntegrationPlatform
metadata:
  name: camel-k
spec:
  traits:
    environment:
      configuration:
        httpProxy: false # <1>
----
<1> Deactivates the propagation of HTTP proxy environment variables at the platform level
[[openshift]]
== OpenShift
On OpenShift 4, a cluster-wide egress proxy can be configured by editing the `cluster` Proxy resource:
[source,yaml]
----
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  httpProxy: http://<username>:<pswd>@<ip>:<port>
----
Operator Lifecycle Manager (OLM) sources the status of this `cluster` Proxy to automatically populate the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables on the operator Deployment resources it manages.
These cluster-wide proxy settings can be overridden specifically for the Camel K operator, if necessary, by editing the corresponding Subscription resource, e.g.:
[source,yaml]
----
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: camel-k
  namespace: openshift-operators
spec:
  config:
    env:
    - name: HTTP_PROXY
      value: ""
    - name: NO_PROXY
      value: ""
----