Skip to main content

Configuring the AtScale Proxy Service

The AtScale proxy service is a wrapper of the Nginx Helm Chart, with pre-configured routing to all AtScale services.

If you want to configure the proxy service, do the following before installing AtScale.

Configure certificates

You can provide TLS certificates for the proxy service in three different ways:

  1. (Default) Auto-generate them. Leave the section global.atscale.tls in the values override file empty. When using this method, a self-signed certificate for the global.ingressDomain is automatically generated by AtScale and saved to the default-certificate secret.

    Example override file:

    global:
        ingressDomain: "<ingress_domain>"

  2. Provide them in the values override file. Fill out the global.atscale.tlsCrt, global.atscale.tlsKey, and (optionally) global.atscale.caCerts parameters. All values must be Base64 encoded. AtScale saves these to the default-certificate secret.

    Example override file:

    global:
        ingressDomain: "<ingress_domain>"
        atscale:
            tls:
                tlsCrt: <tls_certificate>
                tlsKey: <tls_key>
                caCerts: <ca_certificates>

  3. Provide them via secret, with tls.key, tls.crt, and ca.crt keys. The secret name should be specified in both the global.atscale.tls.existingSecret and atscale-proxy.tls.existingSecret sections of the values override file.

    Example secret manifest:

    type: kubernetes.io/tls
    apiVersion: v1
    kind: Secret
    metadata:
        namespace: <atscale_namespace>
    data:
        tls.crt: <tls_certificate>
        tls.key: <tls_key>
        ca.crt: <ca_certificates>

    Example values override file:

    global:
        ingressDomain: "<ingress_domain>"
        
        atscale:
            tls:
                existingSecret: "<secret>"

    atscale-proxy:
        tls:
            existingSecret: "<secret>"

    Where <secret> is the secret created above.

Configure routing

There are two different methods of reaching the AtScale services from the outside:

  1. (Default) Service. All configuration related to the proxy service is defined in the atscale-proxy.service section of the values override file. In this configuration, the AtScale proxy service handles TLS termination, using the certificate defined in global.atscale.tls (or the generated self-signed certificate). HTTP 2.0 is set as the default.

    Example values override for a load balancer with three replicas:

    atscale-proxy:
        replicaCount: 3

        service:
            type: LoadBalancer

    Example values override for an AWS load balancer:

    atscale-proxy:
        service:
            type: LoadBalancer
            annotations:
                service.beta.kubernetes.io/aws-load-balancer-scheme: internal
                service.beta.kubernetes.io/aws-load-balancer-internal: "true"
                service.beta.kubernetes.io/aws-load-balancer-type: nlb
                service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance

    Example values override for an Azure load balancer:

    atscale-proxy:
        service:
            type: LoadBalancer
            annotations:
                service.beta.kubernetes.io/azure-load-balancer-internal: "true"
                service.beta.kubernetes.io/azure-load-balancer-ipv4: <load_balancer_ip_address>

    Example values override for a Google Cloud load balancer:

    atscale-proxy:
        service:
            type: LoadBalancer
            annotations:
                networking.gke.io/load-balancer-type: "Internal"
                networking.gke.io/load-balancer-ip-addresses: "<load_balancer_ip_address>"
                kubernetes.io/ingress.global-static-ip-name: <ingress_ip_address>

  2. Ingress. All configuration related to the proxy service is defined in the atscale-proxy.ingress section of the values override file. In order to enable this, set atscale-proxy.ingress.enabled to true. In this configuration, the AtScale proxy service does not handle TLS termination, HTTP 1.1 is set as the default, and the certificate global.atscale.tls (or the generated self-signed certificate) is attached to the ingress.

    Example values override using an ingress, with nginx as the default ingress class:

    atscale-proxy:
        ingress:
            enabled: true
            ingressClassName: "nginx"
    Note on TCP Connections when Using Ingress

    The communication between the AtScale engine and external applications, such as Tableau, uses the Postgres Wire protocol, via TCP port 15432.

    This port is also exposed via the atscale-proxy service; however, when using the ingress, only HTTPS connections are allowed. Therefore, it is necessary to use Firewall rules (or other availble proxy) to allow access via port 15432.

    For information on exposing TCP ports using the Nginx Ingress Controller, see Exposing TCP and UDP services - Ingress-Nginx Controller. For information on using Traefik, see Traefik Routers Documentation - Traefik.