vmware-tanzu
/
velero
mirror of https://github.com/vmware-tanzu/velero.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add Velero behind proxy document. 

Signed-off-by: Xun Jiang <blackpiglet@gmail.com>
pull/5590/head
Xun Jiang 2022-11-14 17:16:02 +08:00
parent 180366bc01
commit a80cfcdb8c
4 changed files with 132 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
site/content/docs/main/proxy.md Normal file
View File

@ -0,0 +1,64 @@
---
title: "Behind Proxy"
layout: docs
toc: "true"
---
This document explains how to make Velero work behind proxy.
The procedures described in this document are concluded from the scenario that Velero is deployed behind proxy, and Velero needs to connect to a public MinIO server as storage location. Maybe other scenarios' configurations are not exactly the same, but basically they should share most parts.
## Set the proxy server address
Specify the proxy server address by environment variables in Velero deployment and node-agent DaemonSet.
Take the following as an example:
``` yaml
...
spec:
containers:
- args:
- server
- --features=EnableCSI
command:
- /velero
env:
...
- name: HTTP_PROXY
value: <proxy_address>
- name: HTTPS_PROXY
value: <proxy_address>
# In case not all destinations that Velero connects to need go through proxy, users can specify the NO_PROXY to bypass proxy.
- name: NO_PROXY
value: <address_list_not_use_proxy>
```
## Set the proxy required certificates
In some cases, the proxy requires certificate to connect. Set the certificate in the BSL's `Spec.ObjectStorage.CACert`.
It's possible that the object storage also requires certificate, and it's also set in `Spec.ObjectStorage.CACert`, then set both certificates in `Spec.ObjectStorage.CACert` field.
The following is an example file contains two certificates, then encode its content with base64, and set the encode result in the BSL.
``` bash
cat certs
-----BEGIN CERTIFICATE-----
certificates first content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
certificates second content
-----END CERTIFICATE-----
cat certs | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
```
``` yaml
apiVersion: velero.io/v1
kind: BackupStorageLocation
...
spec:
...
default: true
objectStorage:
bucket: velero
caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
...
```

64
site/content/docs/v1.10.0-rc.1/proxy.md Normal file
View File

@ -0,0 +1,64 @@
---
title: "Behind Proxy"
layout: docs
toc: "true"
---
This document explains how to make Velero work behind proxy.
The procedures described in this document are concluded from the scenario that Velero is deployed behind proxy, and Velero needs to connect to a public MinIO server as storage location. Maybe other scenarios' configurations are not exactly the same, but basically they should share most parts.
## Set the proxy server address
Specify the proxy server address by environment variables in Velero deployment and node-agent DaemonSet.
Take the following as an example:
``` yaml
...
spec:
containers:
- args:
- server
- --features=EnableCSI
command:
- /velero
env:
...
- name: HTTP_PROXY
value: <proxy_address>
- name: HTTPS_PROXY
value: <proxy_address>
# In case not all destinations that Velero connects to need go through proxy, users can specify the NO_PROXY to bypass proxy.
- name: NO_PROXY
value: <address_list_not_use_proxy>
```
## Set the proxy required certificates
In some cases, the proxy requires certificate to connect. Set the certificate in the BSL's `Spec.ObjectStorage.CACert`.
It's possible that the object storage also requires certificate, and it's also set in `Spec.ObjectStorage.CACert`, then set both certificates in `Spec.ObjectStorage.CACert` field.
The following is an example file contains two certificates, then encode its content with base64, and set the encode result in the BSL.
``` bash
cat certs
-----BEGIN CERTIFICATE-----
certificates first content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
certificates second content
-----END CERTIFICATE-----
cat certs | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
```
``` yaml
apiVersion: velero.io/v1
kind: BackupStorageLocation
...
spec:
...
default: true
objectStorage:
bucket: velero
caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
...
```

2
site/data/docs/main-toc.yml
View File

@ -51,6 +51,8 @@ toc:
url: /self-signed-certificates
- page: Changing RBAC permissions
url: /rbac
- page: Behind proxy
url: /proxy
- title: Plugins
subfolderitems:
- page: Overview

2
site/data/docs/v1-10-0-rc-1-toc.yml
View File

@ -51,6 +51,8 @@ toc:
url: /self-signed-certificates
- page: Changing RBAC permissions
url: /rbac
- page: Behind proxy
url: /proxy
- title: Plugins
subfolderitems:
- page: Overview