
Spectro Proxy

Spectro Proxy is a pack that enables the use of a reverse proxy with a Kubernetes cluster. The reverse proxy allows you to connect to the cluster API of a Palette-managed Kubernetes cluster in private networks or clusters configured with private API endpoints. The reverse proxy managed by Spectro Cloud is also known as the forward reverse proxy (FRP).

The reverse proxy has a server component and a client component. The reverse proxy server is publicly available and managed by Spectro Cloud. The client is deployed inside your Palette-managed Kubernetes cluster and connects to the reverse proxy server. When you add the Spectro Proxy pack to a cluster profile, a couple of things happen:

  • Palette injects the reverse proxy server's SSL certificate into the cluster. This allows the cluster to trust the reverse proxy server.

  • The kubeconfig file is updated with the reverse proxy address instead of pointing directly to the cluster's API address. The following is an example of a kubeconfig file where the server attribute points to the reverse proxy.

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS......
        server: https://cluster-61a578b5259452b88941a1.proxy.spectrocloud.com:443
      name: example-server
    contexts:
    # The remainder of the configuration is omitted for brevity.
  • Any requests to the Kubernetes API server, such as kubectl commands, are routed to the reverse proxy server. The server relays each request over the connection that the Spectro Proxy client opened from inside the cluster, and the client passes it on to the cluster's API server. The cluster's API server authenticates the request and replies with the proper response.

You can attach this pack to a cluster profile. For more information, refer to Cluster Profiles. The pack installs the Spectro Proxy client in the workload clusters and rewrites the cluster's kubeconfig so that the API server address points to the managed proxy server.

info

This pack can be combined with the Kubernetes dashboard pack to expose the Kubernetes dashboard. To learn more about exposing the Kubernetes dashboard, check out the Enable Kubernetes Dashboard guide.

Network Connectivity

The host cluster's network configuration defines who can reach the host cluster from a network perspective. A user in the same network as the cluster may be able to reach the host cluster's API server directly, without the Spectro Proxy. A user on a different network may be blocked by the host cluster's network configuration and then needs the Spectro Proxy to connect.

warning

The Spectro Proxy pack does not support Edge deployments in airgapped environments where the Edge host does not have outbound access to the internet.

From a network configuration perspective, a cluster can be in a private or a public network. Host clusters deployed in a network that does not allow inbound internet access are considered private, whereas clusters deployed in a network with both inbound and outbound internet access are considered public. The following are the three possible network connectivity scenarios:

  • The cluster and the user are in the same private network.

  • The cluster and the user are in different private networks.

  • The cluster is in a public network.

An overview of the three different connectivity scenarios

The following table summarizes the network connectivity requirements for each scenario and whether the Spectro Proxy is required.

| Scenario | Description | Requires Spectro Proxy? |
|---|---|---|
| Private cluster in the same network | The cluster is deployed with a private endpoint, and the user is in the same network. | No |
| Private cluster in a different network | The cluster is deployed with a private endpoint, and the user is in a different network. | Yes |
| Public cluster in a different network | The cluster is deployed with a public endpoint, and the user is in a different network. | No |

The following describes the private cluster in a different network scenario, which is the case in which the Spectro Proxy is required.

Networks labeled as private do not allow inbound internet access: traffic from outside is accepted only as the return leg of a connection that originated inside the network. If you are in a different network than the cluster, you can still connect to the cluster's API server through the Spectro Proxy, because the Spectro Proxy client inside the cluster is the one that originates the connection out to the Spectro Proxy server.

warning

Users that are in a different network than the cluster require the Spectro Proxy server to connect to the cluster's API server. Otherwise, requests to the cluster's API server will fail due to a lack of network connectivity.

The Spectro Proxy client is installed by the Spectro Proxy pack. The client is deployed in the cluster and connects to the Spectro Proxy server. The Spectro Proxy server is a managed service that is publicly available and managed by Spectro Cloud. The Spectro Proxy server forwards the request to the cluster's API server. The cluster's API server authenticates the request and replies with the proper response.

The kubeconfig files generated for the host cluster are updated with the Spectro Proxy server's address. When you or other users issue a kubectl command, the request is routed to the Spectro Proxy server. The kubeconfig example earlier on this page shows the server attribute pointing to the Spectro Proxy, together with the certificate-authority-data that lets kubectl trust it.

The following diagram displays the network connection flow of a user attempting to connect to a cluster with private endpoints. The user is in a different network than the cluster.

  1. The user issues a kubectl command to the cluster's API server.

  2. The request is routed to the Spectro Proxy server. The Spectro Proxy client inside the host cluster keeps an outbound connection to the Spectro Proxy server open; that client-initiated connection is the only path into a network that accepts no inbound connections.

  3. The Spectro Proxy server forwards the request to the cluster's API server located in a different network. The cluster's API server authenticates the request and replies with the proper response.

Private cluster in a different network.

Depending on what type of infrastructure provider you are deploying the host cluster in, you may have to specify the Spectro Proxy server's SSL certificate in the Kubernetes cluster's configuration. Refer to the Usage section below for more information.
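The three-step flow above, and the connectivity scenarios earlier on this page, as an added example that is not Spectro Cloud's code: a minimal reverse tunnel on loopback in which only the in-cluster client ever dials out, and the proxy server can reach the cluster solely over that connection. The stand-in API server, the length-prefixed framing, and the run-time port assignment are constructed for the demo; the real Spectro Proxy uses TLS on port 443 and its own protocol, which this does not reproduce.

```python
"""Added example (not Spectro Cloud code): reverse-tunnel flow on loopback.
The framing, the stand-in API server and the ports are constructed for the demo."""
import json
import socket
import struct
import threading


def send_frame(sock: socket.socket, data: bytes) -> None:
    """Constructed framing: 4-byte big-endian length prefix, then the payload."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def listen() -> socket.socket:
    """Bind a listener on a free loopback port."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen()
    return sock


class PrivateApiServer(threading.Thread):
    """Stand-in for the cluster API server in the private network.
    Nothing dials it except the in-cluster proxy client."""

    def __init__(self) -> None:
        super().__init__(daemon=True)
        self.sock = listen()
        self.port = self.sock.getsockname()[1]

    def run(self) -> None:
        while True:
            conn, _ = self.sock.accept()
            with conn:
                request = recv_frame(conn)
                reply = {"path": request.decode(), "served_by": "cluster-api-server"}
                send_frame(conn, json.dumps(reply).encode())


class ProxyServer(threading.Thread):
    """Stand-in for the public Spectro Proxy server. It is never told the API
    server's address: its only route into the cluster is the tunnel connection
    the client opened outbound, so it cannot answer anyone until that exists."""

    def __init__(self) -> None:
        super().__init__(daemon=True)
        self.tunnel_listener = listen()  # the in-cluster client dials out to this port
        self.user_listener = listen()    # kubectl users connect to this port
        self.tunnel_port = self.tunnel_listener.getsockname()[1]
        self.user_port = self.user_listener.getsockname()[1]

    def run(self) -> None:
        tunnel, _ = self.tunnel_listener.accept()  # blocks until a client dials out
        while True:
            user, _ = self.user_listener.accept()
            with user:
                try:
                    send_frame(tunnel, recv_frame(user))  # relay over the client-initiated tunnel
                    send_frame(user, recv_frame(tunnel))
                except OSError:
                    continue  # the user gave up (for example, timed out) before an answer


class ProxyClient(threading.Thread):
    """Stand-in for the Spectro Proxy client deployed in the cluster: dials OUT to
    the proxy server, then services whatever arrives over that tunnel by calling
    the local API server."""

    def __init__(self, tunnel_port: int, api_port: int) -> None:
        super().__init__(daemon=True)
        self.tunnel_port, self.api_port = tunnel_port, api_port

    def run(self) -> None:
        tunnel = socket.create_connection(("127.0.0.1", self.tunnel_port))
        while True:
            request = recv_frame(tunnel)
            with socket.create_connection(("127.0.0.1", self.api_port)) as api:
                send_frame(api, request)
                reply = recv_frame(api)
            send_frame(tunnel, reply)


def request_via_proxy(user_port: int, path: str, timeout: float = 5.0) -> dict:
    """What kubectl does once the kubeconfig points at the proxy instead of the cluster."""
    with socket.create_connection(("127.0.0.1", user_port), timeout=timeout) as sock:
        send_frame(sock, path.encode())
        return json.loads(recv_frame(sock).decode())


def demo() -> dict:
    """Full path: user -> proxy server -> client-initiated tunnel -> client -> API server."""
    api = PrivateApiServer()
    api.start()
    proxy = ProxyServer()
    proxy.start()
    ProxyClient(proxy.tunnel_port, api.port).start()
    return request_via_proxy(proxy.user_port, "GET /version")


def reachable_without_client(timeout: float = 0.5) -> bool:
    """Same request with no client deployed: the proxy accepts the TCP connection
    but has no tunnel to forward over, so the request only times out."""
    proxy = ProxyServer()
    proxy.start()
    try:
        request_via_proxy(proxy.user_port, "GET /version", timeout=timeout)
        return True
    except (socket.timeout, TimeoutError):
        return False


if __name__ == "__main__":
    print(demo())                      # {'path': 'GET /version', 'served_by': 'cluster-api-server'}
    print(reachable_without_client())  # False
```

Running it shows both outcomes: the request succeeds only because ProxyClient dialled out first, and with no client the proxy server accepts the TCP connection but cannot answer, which is the connectivity failure the warning above describes.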


Versions Supported

Prerequisites

  • Outbound internet connectivity on port 443 is allowed from the cluster, so that the Spectro Proxy client can connect to the Spectro Cloud reverse proxy server, and from wherever you and your applications run kubectl against the proxied address.

Parameters

The Spectro Proxy supports the following parameters.

| Parameter | Description | Default |
|---|---|---|
| namespace | The Kubernetes namespace in which to install the Spectro Proxy client. | cluster-{{ .spectro.system.cluster.uid }} |
| server | The address of the Spectro Proxy (reverse proxy) server that the client connects to. | {{ .spectro.system.reverseproxy.server }} |
| clusterUid | The Kubernetes cluster identifier. | {{ .spectro.system.cluster.uid }} |
| subdomain | The subdomain assigned to this cluster on the proxy server; it is the cluster-<uid> prefix of the proxied API address in the kubeconfig. | cluster-{{ .spectro.system.cluster.uid }} |

The Kubernetes dashboard integration supports the following parameters.

| Parameter | Description | Default |
|---|---|---|
| enabled | Enable the dashboard integration. | false |
| useInsecurePort | Use the insecure port (plain HTTP) to reach the dashboard. | false |

The VMware dashboard integration supports the following parameters.

| Parameter | Description | Default |
|---|---|---|
| enabled | Enable the dashboard integration. | false |

Usage

To use this pack, you have to add it to your cluster profile. You can also add the Spectro Proxy pack when you create the cluster profile. Check out the Create Cluster Profile guide to learn more about cluster profile creation.

The kubeconfig file generated for the host cluster is updated with the Spectro Proxy server's address. Refer to the Access Cluster with CLI guide to learn how to download the kubeconfig file and access the cluster.

warning

Be aware that if this pack is added as a Day-2 operation, meaning not during the cluster creation process, you will have to re-download the kubeconfig file to pick up the new configuration changes. This will also result in Kubernetes control plane nodes getting repaved.

Troubleshooting

Troubleshooting scenarios related to the Spectro Proxy.

x509 Unknown Authority Error

If you encounter an x509 unknown authority error when deploying a cluster with the Spectro Proxy, kubectl reports it as follows.

    Unable to connect to the server: x509: certificate signed by unknown authority

The workaround for this error is to wait a few moments for all the kubeconfig configurations to get propagated to Palette. The Palette cluster agent sends the original kubeconfig to Palette, followed by the modified kubeconfig containing the reverse proxy settings. If you attempt to open up a web shell session or interact with cluster API during the initialization process, you will receive an x509 error. Once Palette receives the kubeconfig file containing the cluster's reverse proxy configurations from the cluster agent, the x509 errors will disappear.
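To tell whether the kubeconfig you have downloaded already carries the reverse proxy settings, before chasing the x509 error further, here is an added example that is not Spectro Cloud's code. It pulls the server address and certificate-authority-data out of the first cluster entry, checks that the host is under the proxy.spectrocloud.com domain seen in the kubeconfig example on this page, and fingerprints the CA so two downloads can be compared. The sample kubeconfigs and the certificate bodies are constructed placeholders, not real certificates, and the regex field extraction is an assumption that holds for the flat kubeconfig layout shown on this page.

```python
"""Added example (not Spectro Cloud code): check whether a downloaded kubeconfig
already points at the Spectro Proxy. Samples below are constructed placeholders."""
import base64
import binascii
import hashlib
import re
from urllib.parse import urlsplit

PROXY_DOMAIN = ".proxy.spectrocloud.com"  # taken from the kubeconfig example on this page
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def scalar_field(key: str, text: str):
    """First 'key: value' line in the kubeconfig (the first cluster entry).
    Assumption: the flat layout shown on this page; a YAML parser is needed for more."""
    match = re.search(r"^\s*" + re.escape(key) + r":\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None


def inspect_kubeconfig(text: str) -> dict:
    """Report where the kubeconfig sends kubectl and what CA it trusts."""
    server = scalar_field("server", text) or ""
    host = urlsplit(server).hostname or ""
    ca_b64 = scalar_field("certificate-authority-data", text) or ""
    try:
        ca_pem = base64.b64decode(ca_b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        ca_pem = ""
    ca_is_pem = ca_pem.startswith(PEM_HEADER)
    # Fingerprint the DER body of the first certificate so two downloads can be compared.
    body = "".join(line for line in ca_pem.splitlines() if not line.startswith("-----"))
    ca_sha256 = None
    if ca_is_pem:
        try:
            ca_sha256 = hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()
        except binascii.Error:
            ca_sha256 = None
    return {
        "server": server,
        "host": host,
        "via_proxy": host.endswith(PROXY_DOMAIN),
        "ca_is_pem": ca_is_pem,
        "ca_sha256": ca_sha256,
    }


def proxy_ready(text: str) -> bool:
    """True once the kubeconfig both points at the proxy and carries a usable CA."""
    info = inspect_kubeconfig(text)
    return info["via_proxy"] and info["ca_is_pem"]


def fake_ca(tag: str) -> str:
    """Constructed PEM placeholder (base64 of a tag string, NOT a real certificate),
    returned already base64-encoded the way certificate-authority-data is."""
    body = base64.b64encode(tag.encode()).decode()
    pem = f"{PEM_HEADER}\n{body}\n-----END CERTIFICATE-----\n"
    return base64.b64encode(pem.encode()).decode()


def build_kubeconfig(server: str, ca_data: str) -> str:
    """Constructed kubeconfig with the same fields as the example on this page."""
    return (
        "apiVersion: v1\nclusters:\n- cluster:\n"
        f"    certificate-authority-data: {ca_data}\n    server: {server}\n"
        "  name: example-server\ncontexts: []\n"
    )


# Constructed samples: the kubeconfig the cluster agent sends first (direct API
# address, cluster CA) and the one sent after the reverse proxy settings apply.
BEFORE_PROXY = build_kubeconfig("https://10.10.0.5:6443", fake_ca("cluster-ca"))
AFTER_PROXY = build_kubeconfig(
    "https://cluster-61a578b5259452b88941a1.proxy.spectrocloud.com:443", fake_ca("proxy-ca")
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_PROXY), ("after", AFTER_PROXY)):
        print(label, proxy_ready(cfg), inspect_kubeconfig(cfg))
```

Point inspect_kubeconfig at the contents of a kubeconfig downloaded from Palette: while it still reports via_proxy as False, the agent has not yet uploaded the modified kubeconfig and the x509 error is expected; once the host is under the proxy domain and the CA fingerprint has changed, re-run kubectl with the new file.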

Terraform

You can reference the Spectro Proxy pack in Terraform with a data resource.

data "spectrocloud_registry" "public_registry" {
  name = "Public Repo"
}

data "spectrocloud_pack_simple" "spectro-proxy" {
  name         = "spectro-proxy"
  version      = "1.4.1"
  type         = "operator-instance"
  registry_uid = data.spectrocloud_registry.public_registry.id
}

References