Configuring the AtScale Proxy Service
The AtScale proxy service is a wrapper of the Nginx Helm Chart, with pre-configured routing to all AtScale services.
If you want to configure the proxy service, do the following before installing AtScale.
Configure certificates
You can provide TLS certificates for the proxy service in three different ways:
- Auto-generate them.
- Provide them in the values override file.
- Provide them via secret.
Auto-generate certificates (default)
The default method of providing TLS certificates for the proxy service is to auto-generate them. To do this, leave the section global.atscale.tls in the values override file empty. When using this method, a self-signed certificate for the global.ingressDomain is automatically generated by AtScale and saved to the default-certificate secret.
Example override file:
global:
  ingressDomain: "<ingress_domain>"
Provide certificates in the values override file
To provide your TLS certificates in the values override file, fill out the global.atscale.tls.tlsCrt, global.atscale.tls.tlsKey, and (optionally) global.atscale.tls.caCerts parameters. All values must be Base64 encoded. AtScale saves these to the default-certificate secret.
Example override file:
global:
  ingressDomain: "<ingress_domain>"
  atscale:
    tls:
      tlsCrt: <tls_certificate>
      tlsKey: <tls_key>
      caCerts: <ca_certificates>
Provide certificates via secret
You can provide your TLS certificates via a secret with the tls.key, tls.crt, and ca.crt keys. Specify the secret name in both the global.atscale.tls.existingSecret and atscale-proxy.tls.existingSecret sections of the values override file.
Example secret manifest:
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: <secret>
  namespace: <atscale_namespace>
data:
  tls.crt: <tls_certificate>
  tls.key: <tls_key>
  ca.crt: <ca_certificates>
Example values override file:
global:
  ingressDomain: "<ingress_domain>"
  atscale:
    tls:
      existingSecret: "<secret>"
atscale-proxy:
  tls:
    existingSecret: "<secret>"
Where <secret> is the name of the secret created above.
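The two non-default methods above both take the same inputs (server certificate, private key, CA bundle) and both require single-line Base64 values. The following script is an added example, not AtScale tooling: it assembles the full chain (server certificate first, then the CA bundle), Base64-encodes each part, and emits either the values override fragment or the kubernetes.io/tls Secret manifest, then decodes a field back to confirm the chart receives the PEM you intended. The PEM bodies, domain, secret name and namespace are constructed placeholders.

```python
"""Assemble AtScale proxy TLS material for the values override file or a Secret.

Added example, not AtScale's own tooling. Assumes three PEM inputs: the server
certificate, its private key and the CA bundle (intermediates). The PEM bodies
below are constructed placeholders, structurally valid but cryptographically
meaningless.
"""
import base64
import re

# One PEM block; the label is captured so that BEGIN and END must match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

# Constructed placeholder PEM material (not real keys or certificates).
SERVER_CRT = "-----BEGIN CERTIFICATE-----\nU0VSVkVSLUNFUlQtUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
CA_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFLUNB\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nUk9PVC1DQQ==\n-----END CERTIFICATE-----\n"
)
PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n"


def pem_blocks(pem: str, label: str) -> list:
    """Return the PEM blocks with the given label (e.g. CERTIFICATE), in file order."""
    return [m.group(0) for m in PEM_BLOCK.finditer(pem) if m.group(1) == label]


def build_fullchain(server_crt: str, ca_bundle: str) -> str:
    """Server certificate first, then the CA bundle: the same order as
    `cat example.domain.com.crt ca-bundle.pem > fullchain.pem`."""
    leaf = pem_blocks(server_crt, "CERTIFICATE")
    if len(leaf) != 1:
        raise ValueError("server certificate file must contain exactly one CERTIFICATE block")
    chain = leaf + pem_blocks(ca_bundle, "CERTIFICATE")
    return "".join(block + "\n" for block in chain)


def check_private_key(key_pem: str) -> str:
    """Return the key's PEM label; refuse input that carries no private key at all."""
    for match in PEM_BLOCK.finditer(key_pem):
        if match.group(1).endswith("PRIVATE KEY"):
            return match.group(1)
    raise ValueError("no PRIVATE KEY block found in key file")


def b64(pem: str) -> str:
    """Single-line standard Base64, as both the override file and a Secret's data: expect."""
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def values_override(domain: str, fullchain: str, key_pem: str, ca_bundle: str) -> str:
    """Override file for the 'certificates in the values override file' method."""
    check_private_key(key_pem)
    return (
        "global:\n"
        f'  ingressDomain: "{domain}"\n'
        "  atscale:\n"
        "    tls:\n"
        f"      tlsCrt: {b64(fullchain)}\n"
        f"      tlsKey: {b64(key_pem)}\n"
        f"      caCerts: {b64(ca_bundle)}\n"
    )


def secret_manifest(name: str, namespace: str, fullchain: str, key_pem: str, ca_bundle: str) -> str:
    """Secret manifest for the 'certificates via secret' method (tls.crt, tls.key, ca.crt)."""
    check_private_key(key_pem)
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "type: kubernetes.io/tls\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "data:\n"
        f"  tls.crt: {b64(fullchain)}\n"
        f"  tls.key: {b64(key_pem)}\n"
        f"  ca.crt: {b64(ca_bundle)}\n"
    )


def decode_field(yaml_text: str, field: str) -> str:
    """Decode one Base64 field back to PEM, to confirm what the chart will receive."""
    match = re.search(rf"^\s*{re.escape(field)}:\s*(\S+)\s*$", yaml_text, re.M)
    if match is None:
        raise KeyError(field)
    return base64.b64decode(match.group(1)).decode("ascii")


if __name__ == "__main__":
    # Placeholder domain, secret name and namespace; replace with your own values.
    chain = build_fullchain(SERVER_CRT, CA_BUNDLE)
    print(values_override("atscale.example.internal", chain, PRIVATE_KEY, CA_BUNDLE))
    print(secret_manifest("atscale-proxy-tls", "atscale", chain, PRIVATE_KEY, CA_BUNDLE))
```

For the secret method, apply the printed manifest to the AtScale namespace and put its name in both existingSecret fields shown above. The ordering check in build_fullchain matters because the proxy serves the first certificate in tls.crt as the server certificate; a bundle pasted before the server certificate produces a chain that clients reject.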
Configure routing
There are two different methods of reaching the AtScale services from the outside: Service and ingress.
Service (default)
The default routing method is via service. With this method, all configuration related to the proxy service is defined in the atscale-proxy.service section of the values override file. In this configuration, the AtScale proxy service handles TLS termination, using the certificate defined in global.atscale.tls (or the generated self-signed certificate). HTTP 2.0 is set as the default.
Example values override for a load balancer with three replicas
atscale-proxy:
  replicaCount: 3
  service:
    type: LoadBalancer
Example values override for an AWS load balancer
atscale-proxy:
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-scheme: internal
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
Example values override for an Azure load balancer
atscale-proxy:
  service:
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-ipv4: <load_balancer_ip_address>
Example values override for a Google Cloud load balancer
atscale-proxy:
  service:
    type: LoadBalancer
    annotations:
      networking.gke.io/load-balancer-type: "Internal"
      networking.gke.io/load-balancer-ip-addresses: "<load_balancer_ip_address>"
      kubernetes.io/ingress.global-static-ip-name: <ingress_ip_address>
Ingress
With the ingress method, all configuration related to the proxy service is defined in the atscale-proxy.ingress section of the values override file. To enable this, set atscale-proxy.ingress.enabled to true. In this configuration, the AtScale proxy service does not handle TLS termination, HTTP 1.1 is set as the default, and the certificate global.atscale.tls (or the generated self-signed certificate) is attached to the ingress.
Example values override file using an ingress, with nginx as the default ingress class
atscale-proxy:
  ingress:
    enabled: true
    ingressClassName: "nginx"
Communication between the AtScale engine and external applications, such as Tableau, uses the Postgres wire protocol on TCP port 15432.
This port is also exposed by the atscale-proxy service; however, when using the ingress, only HTTPS connections are allowed. Therefore, you must use firewall rules (or another available proxy) to allow access on port 15432.
For information on exposing TCP ports using the Nginx Ingress Controller, see Exposing TCP and UDP services - Ingress-Nginx Controller. For information on using Traefik, see Traefik Routers Documentation - Traefik.
Extend SSL
If you require your AtScale instance to be public, it is recommended that you extend the base configuration of the proxy service to include additional ciphers. To do this:
- In your values override file, add your cipher suite to the overrideCiphers property. For example:
  atscale-proxy:
    overrideCiphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
- Generate a full chain certificate. This is typically the server certificate and intermediate certificate(s) combined. To do this, you can use the CA bundle provided by your certificate authority:
  cat example.domain.com.crt ca-bundle.pem > fullchain.pem
- Configure AtScale to apply your certificate on startup:
  global:
    atscale:
      tls:
        tlsCrt: <Base64 encoded fullchain.pem>
        tlsKey: <Base64 encoded private.key>
        caCerts: <Base64 encoded CaCert>
Note: The value of tlsCrt must be a full chain certificate.
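A typo in overrideCiphers only surfaces when the proxy fails to start, so it is worth resolving the string against OpenSSL before it goes into the override file. The script below is an added example, not part of the AtScale chart: it feeds the cipher string to Python's ssl module (the local OpenSSL build, which may differ from the one inside the atscale-proxy image), reports names that resolve to nothing, names whose key exchange lacks forward secrecy, and resolved ciphers that are not AEAD. It assumes the string lists explicit cipher names, as the example above does, rather than OpenSSL keywords such as HIGH or !aNULL.

```python
"""Check an overrideCiphers string against the local OpenSSL before deploying it.

Added example, not AtScale tooling. Assumes explicit cipher names separated by
colons; OpenSSL keywords (HIGH, !aNULL, ...) would be misreported by the
forward-secrecy check, which works on names alone.
"""
import ssl

# The cipher list from the Extend SSL section, as it would appear in overrideCiphers.
OVERRIDE_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
)


def resolve_ciphers(cipher_string: str) -> list:
    """Resolve an OpenSSL cipher string on the local OpenSSL build.

    Raises ssl.SSLError when the string selects nothing at all (for example a
    typo), which is better caught here than in the proxy's startup logs.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are fixed by OpenSSL and not governed by the cipher string; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_valid_cipher_string(cipher_string: str) -> bool:
    """True if OpenSSL accepts the string and it selects at least one cipher."""
    try:
        return len(resolve_ciphers(cipher_string)) > 0
    except ssl.SSLError:
        return False


def audit_ciphers(cipher_string: str) -> dict:
    """Compare what was requested with what the local OpenSSL can actually offer."""
    requested = [name for name in cipher_string.split(":") if name]
    resolved = resolve_ciphers(cipher_string)
    available = {c["name"] for c in resolved}
    return {
        "requested": requested,
        # Requested names that this OpenSSL cannot offer (disabled or compiled-out ciphers).
        "missing": [name for name in requested if name not in available],
        # Static-RSA key exchange: a leaked private key decrypts recorded traffic.
        "no_forward_secrecy": [
            name for name in requested if not name.startswith(("ECDHE-", "DHE-"))
        ],
        # Resolved ciphers that are CBC+HMAC rather than AEAD constructions.
        "not_aead": [c["name"] for c in resolved if not c["aead"]],
    }


if __name__ == "__main__":
    for key, value in audit_ciphers(OVERRIDE_CIPHERS).items():
        print(f"{key}: {value}")
```

An empty missing list means the string will load as written; a non-empty one on the machine where you run this is a hint to check the OpenSSL version in the proxy image, since a cipher absent locally may still exist there, and vice versa.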