[self-hosted] Support https_proxy #10769

Open
8 of 9 tasks
corneliusludmann opened this issue Jun 20, 2022 · 8 comments
Labels
blocked meta: never-stale This issue can never become stale self-hosted team: delivery Issue belongs to the self-hosted team

Comments

@corneliusludmann
Contributor

corneliusludmann commented Jun 20, 2022

Running Gitpod with an HTTPS proxy is not officially supported yet.

(internal discussion)

@mrsimonemms
Contributor

Having looked into this a little, from the Installer point of view this looks fairly straightforward (a skeleton PR will be up shortly). As kots install has support for --http-proxy, --https-proxy and --no-proxy (which last week's customer issue with Amulya demonstrated are likely all needed), I think we should support all issues.

My preference is to get the KOTS installer to add a configmap which is then used to set the envvar values and these are then added to the DefaultEnv function in the common package, which will add to every component.

It's then up to the owners of each individual component to decide on how best to implement these envvars.

@mrsimonemms
Contributor

Have put it into a blocked state as this needs some pairing from other teams. See internal discussion

@mrsimonemms mrsimonemms moved this from ⚒In Progress to 📓Scheduled in 🚚 Security, Infrastructure, and Delivery Team (SID) Aug 8, 2022
@lucasvaltl
Contributor

Requires collaboration from team workspace - hence adding this to their inbox as well for prioritisation. Team workspace - we're here to help with any questions 👋

@mrzarquon
Contributor

@lucasvaltl @mrsimonemms I've noticed that in 2022.9 this behavior now sets https_proxy environment variables on the various components, but we've not yet exposed this as a feature. How does this impact people who are already setting https_proxy on some services with customizations?

My expectation is that until this epic is finished, docs are added, and shipped, that we'd not have any behavior changes. But instead I'm seeing us set proxy values automatically on all services before we've vetted that it actually works, or worse without any documentation that it's happening or mention in release notes:

$ kubectl exec --stdin --tty registry-facade-8hq7f -- printenv | grep proxy
Defaulted container "registry-facade" out of: registry-facade, kube-rbac-proxy, node-labeler, update-ca-certificates (init)
https_proxy=
custom_no_proxy=kotsadm,.ie.gitpod.sh,kotsadm-postgres,kotsadm-minio,kotsadm-api-node
no_proxy=ws-manager,wsdaemon,kotsadm,.ie.gitpod.sh,kotsadm-postgres,kotsadm-minio,kotsadm-api-node
http_proxy=

Because we automatically inherit whatever proxy variables the KOTS CLI scoops up if they pass the --copy-proxy-env flag, it is laying the groundwork for a pretty terrible experience where suddenly proxies get enforced on someone. And for scenarios where we're not handling them well like in dotfile deployments, that could start breaking things quickly.

At minimum the installer should include an additional boolean of "Use https proxy settings" that is off, instead of using the presence of a secret called http-proxy-settings to change behavior (which I believe is what is causing this injection - and what our inclusion of this manifest in the kots directory creates).
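
Editor's added example, not part of the comment above and not Gitpod's installer code: a Go sketch of the opt-in behaviour the comment asks for, where proxy variables are injected only when explicitly enabled and never with an empty value. `ProxySettings`, `ProxyEnv` and `internalNoProxy` are hypothetical names, and the proxy URL is a constructed sample value.

```go
package main

import (
	"fmt"
	"strings"
)

// ProxySettings is a hypothetical stand-in for the values read from the
// proxy secret; the field names are assumptions, not Gitpod's own types.
type ProxySettings struct {
	Enabled               bool   // explicit opt-in, off by default
	HTTPProxy, HTTPSProxy string // proxy URLs, may be empty
	CustomNoProxy         string // comma-separated, like custom_no_proxy above
}

// internalNoProxy: in-cluster services that must bypass the proxy
// (ws-manager and wsdaemon appear in the no_proxy value quoted above).
var internalNoProxy = []string{"ws-manager", "wsdaemon"}

// ProxyEnv returns the env vars to add to a component. It returns an empty
// map unless the operator opted in AND at least one proxy URL is set.
func ProxyEnv(s ProxySettings) map[string]string {
	env := map[string]string{}
	if !s.Enabled {
		return env
	}
	if v := strings.TrimSpace(s.HTTPProxy); v != "" {
		env["http_proxy"] = v
	}
	if v := strings.TrimSpace(s.HTTPSProxy); v != "" {
		env["https_proxy"] = v
	}
	if len(env) == 0 {
		return env // nothing to proxy, so do not inject no_proxy either
	}
	seen, hosts := map[string]bool{}, []string{}
	all := append(append([]string{}, internalNoProxy...), strings.Split(s.CustomNoProxy, ",")...)
	for _, h := range all {
		if h = strings.TrimSpace(h); h != "" && !seen[h] {
			seen[h] = true
			hosts = append(hosts, h)
		}
	}
	env["no_proxy"] = strings.Join(hosts, ",")
	return env
}

func main() {
	s := ProxySettings{HTTPSProxy: "http://proxy.example.internal:3128", CustomNoProxy: "kotsadm,.ie.gitpod.sh"}
	fmt.Println(ProxyEnv(s)) // opt-in flag unset: map[]
	s.Enabled = true
	fmt.Println(ProxyEnv(s))
}
```
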

@mrzarquon
Contributor

Also added this ticket to track that we're not assuming the workspaces themselves have to have these settings applied: #13682

@stale

stale bot commented Jan 16, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the meta: stale This issue/PR is stale and will be closed soon label Jan 16, 2023
@mrsimonemms mrsimonemms removed the meta: stale This issue/PR is stale and will be closed soon label Jan 16, 2023
@mrsimonemms mrsimonemms added the meta: never-stale This issue can never become stale label Jan 16, 2023
@johanneskoester

Hey devs, any chance to get the remaining things resolved soon? We would love to use gitpod on premise, but we are behind a proxy.

@mrsimonemms
Contributor

mrsimonemms commented Mar 14, 2023

@johanneskoester Gitpod self-hosted is no longer officially supported so I don't imagine this issue will get finished. See blog post. (I'm no longer part of Gitpod, so there may be discussions internally I'm not aware of).

5 participants