From deeec2121c6f9bf26c8c5824a847b888813fefb3 Mon Sep 17 00:00:00 2001
From: Xun Jiang
Date: Mon, 14 Nov 2022 17:16:02 +0800
Subject: [PATCH] Add Velero behind proxy document.

Signed-off-by: Xun Jiang
---
 site/content/docs/main/proxy.md | 64 +++++++++++++++++++++++++
 site/content/docs/v1.10.0-rc.1/proxy.md | 64 +++++++++++++++++++++++++
 site/data/docs/main-toc.yml | 2 +
 site/data/docs/v1-10-0-rc-1-toc.yml | 2 +
 4 files changed, 132 insertions(+)
 create mode 100644 site/content/docs/main/proxy.md
 create mode 100644 site/content/docs/v1.10.0-rc.1/proxy.md

diff --git a/site/content/docs/main/proxy.md b/site/content/docs/main/proxy.md
new file mode 100644
index 0000000000..047a4ac4cb
--- /dev/null
+++ b/site/content/docs/main/proxy.md
@@ -0,0 +1,64 @@
+---
+title: "Behind Proxy"
+layout: docs
+toc: "true"
+---
+
+This document explains how to make Velero work behind proxy.
+The procedures described in this document are concluded from the scenario that Velero is deployed behind proxy, and Velero needs to connect to a public MinIO server as storage location. Maybe other scenarios' configurations are not exactly the same, but basically they should share most parts.
+
+## Set the proxy server address
+Specify the proxy server address by environment variables in Velero deployment and node-agent DaemonSet.
+Take the following as an example:
+``` yaml
+ ...
+ spec:
+ containers:
+ - args:
+ - server
+ - --features=EnableCSI
+ command:
+ - /velero
+ env:
+ ...
+ - name: HTTP_PROXY
+ value:
+ - name: HTTPS_PROXY
+ value:
+ # In case not all destinations that Velero connects to need go through proxy, users can specify the NO_PROXY to bypass proxy.
+ - name: NO_PROXY
+ value:
+```
+
+## Set the proxy required certificates
+In some cases, the proxy requires certificate to connect. Set the certificate in the BSL's `Spec.ObjectStorage.CACert`.
+It's possible that the object storage also requires certificate, and it's also set in `Spec.ObjectStorage.CACert`, then set both certificates in `Spec.ObjectStorage.CACert` field.
+
+The following is an example file contains two certificates, then encode its content with base64, and set the encode result in the BSL.
+
+``` bash
+cat certs
+-----BEGIN CERTIFICATE-----
+certificates first content
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+certificates second content
+-----END CERTIFICATE-----
+
+cat certs | base64
+LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+```
+
+``` yaml
+ apiVersion: velero.io/v1
+ kind: BackupStorageLocation
+ ...
+ spec:
+ ...
+ default: true
+ objectStorage:
+ bucket: velero
+ caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ ...
+```
diff --git a/site/content/docs/v1.10.0-rc.1/proxy.md b/site/content/docs/v1.10.0-rc.1/proxy.md
new file mode 100644
index 0000000000..047a4ac4cb
--- /dev/null
+++ b/site/content/docs/v1.10.0-rc.1/proxy.md
@@ -0,0 +1,64 @@
+---
+title: "Behind Proxy"
+layout: docs
+toc: "true"
+---
+
+This document explains how to make Velero work behind proxy.
+The procedures described in this document are concluded from the scenario that Velero is deployed behind proxy, and Velero needs to connect to a public MinIO server as storage location. Maybe other scenarios' configurations are not exactly the same, but basically they should share most parts.
+
+## Set the proxy server address
+Specify the proxy server address by environment variables in Velero deployment and node-agent DaemonSet.
+Take the following as an example:
+``` yaml
+ ...
+ spec:
+ containers:
+ - args:
+ - server
+ - --features=EnableCSI
+ command:
+ - /velero
+ env:
+ ...
+ - name: HTTP_PROXY
+ value:
+ - name: HTTPS_PROXY
+ value:
+ # In case not all destinations that Velero connects to need go through proxy, users can specify the NO_PROXY to bypass proxy.
+ - name: NO_PROXY
+ value:
+```
+
+## Set the proxy required certificates
+In some cases, the proxy requires certificate to connect. Set the certificate in the BSL's `Spec.ObjectStorage.CACert`.
+It's possible that the object storage also requires certificate, and it's also set in `Spec.ObjectStorage.CACert`, then set both certificates in `Spec.ObjectStorage.CACert` field.
+
+The following is an example file contains two certificates, then encode its content with base64, and set the encode result in the BSL.
+
+``` bash
+cat certs
+-----BEGIN CERTIFICATE-----
+certificates first content
+-----END CERTIFICATE-----
+
+-----BEGIN CERTIFICATE-----
+certificates second content
+-----END CERTIFICATE-----
+
+cat certs | base64
+LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+```
+
+``` yaml
+ apiVersion: velero.io/v1
+ kind: BackupStorageLocation
+ ...
+ spec:
+ ...
+ default: true
+ objectStorage:
+ bucket: velero
+ caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ ...
+```
diff --git a/site/data/docs/main-toc.yml b/site/data/docs/main-toc.yml
index f8be3b9782..6d81fb3e90 100644
--- a/site/data/docs/main-toc.yml
+++ b/site/data/docs/main-toc.yml
@@ -51,6 +51,8 @@ toc:
 url: /self-signed-certificates
 - page: Changing RBAC permissions
 url: /rbac
+ - page: Behind proxy
+ url: /proxy
 - title: Plugins
 subfolderitems:
 - page: Overview
diff --git a/site/data/docs/v1-10-0-rc-1-toc.yml b/site/data/docs/v1-10-0-rc-1-toc.yml
index f8be3b9782..6d81fb3e90 100644
--- a/site/data/docs/v1-10-0-rc-1-toc.yml
+++ b/site/data/docs/v1-10-0-rc-1-toc.yml
@@ -51,6 +51,8 @@ toc:
 url: /self-signed-certificates
 - page: Changing RBAC permissions
 url: /rbac
+ - page: Behind proxy
+ url: /proxy
 - title: Plugins
 subfolderitems:
 - page: Overview