Container Orchestration

Deployment Options

There are four main ways to route outbound traffic through the Qpoint proxy:

Client -> Connect Sidecar -> Proxy Service -> Internet

Client -> Connect Service -> Proxy Service -> Internet

Client -> Proxy Service -> Internet

Client -> Proxy Sidecar -> Internet

Note: Direct connections from client to Connect (either as a service or sidecar) to the internet are not supported.

Why Use Qpoint Connect?

While Qpoint Proxy can be used standalone, Qpoint Connect offers several advantages:

Enhanced Attribution: Connect can supply username/password credentials to the Proxy, allowing for better identification and tracking of traffic sources.
Simplified Client Configuration: Connect can handle the authentication and routing details, simplifying the configuration needed on the client side.

If these features are not required for your use case, you can use the Qpoint Proxy directly without Connect.

Installation Methods

Proxy and Connect as Services:
- Add the Qpoint Helm repo.
- Deploy Qpoint Proxy using Helm.
- (Optional) Deploy Qpoint Connect using Helm.
Proxy or Connect as Sidecars:
- Include the Qpoint container specification directly in your pod's YAML.

Traffic Routing

Use the Qpoint Init container to configure iptables rules for routing traffic. This can be done for both Qpoint Connect and Qpoint Proxy.

SSL Termination and Deep Packet Inspection

To perform SSL termination and deep packet inspection:

Create a ConfigMap with your custom CA certificate.
Mount the certificate in your pods.
Configure your applications to trust the custom CA.

Learn more in Kubernetes

Key Considerations

Choose between Connect and direct Proxy usage based on your attribution and security needs.
For sidecar deployments, include Qpoint container specs directly in pod definitions.
Ensure proper certificate management for SSL termination.
Configure applications to use the proxy or connect component as needed.
Use Qpoint Init for transparent traffic routing when environment variables are not suitable.

Example Pod Configuration with Proxy Sidecar

apiVersion: v1
kind: Pod
metadata:
  name: qpoint-proxy-sidecar-example
spec:
  initContainers:
    - name: qpoint-init
      # Configuration for Qpoint Init
  containers:
    - name: main-container
      # Your application container
    - name: qpoint-proxy
      image: us-docker.pkg.dev/qpoint-edge/public/qpoint:v0.1.6
      args:
        - proxy
        - --registration-token=$(QPOINT_REGISTRATION_TOKEN)
        # Other necessary arguments
      env:
        - name: QPOINT_REGISTRATION_TOKEN
          valueFrom:
            secretKeyRef:
              name: qpoint-registration-token
              key: token
      # Other necessary configurations
  volumes:
    - name: ca-pemstore
      # Custom CA certificate configuration if needed

Refer to the detailed documentation for specific configuration options and advanced usage scenarios.

Last updated 8 months ago

Deployment Options

There are four main ways to route outbound traffic through the Qpoint proxy:

Client -> Connect Sidecar -> Proxy Service -> Internet

Client -> Connect Service -> Proxy Service -> Internet

Client -> Proxy Service -> Internet

Client -> Proxy Sidecar -> Internet

Note: Direct connections from client to Connect (either as a service or sidecar) to the internet are not supported.

Why Use Qpoint Connect?

While Qpoint Proxy can be used standalone, Qpoint Connect offers several advantages:

Enhanced Attribution: Connect can supply username/password credentials to the Proxy, allowing for better identification and tracking of traffic sources.
Simplified Client Configuration: Connect can handle the authentication and routing details, simplifying the configuration needed on the client side.

If these features are not required for your use case, you can use the Qpoint Proxy directly without Connect.

Installation Methods

Proxy and Connect as Services:
- Add the Qpoint Helm repo.
- Deploy Qpoint Proxy using Helm.
- (Optional) Deploy Qpoint Connect using Helm.
Proxy or Connect as Sidecars:
- Include the Qpoint container specification directly in your pod's YAML.

Traffic Routing

Use the Qpoint Init container to configure iptables rules for routing traffic. This can be done for both Qpoint Connect and Qpoint Proxy.

SSL Termination and Deep Packet Inspection

To perform SSL termination and deep packet inspection:

Create a ConfigMap with your custom CA certificate.
Mount the certificate in your pods.
Configure your applications to trust the custom CA.

Learn more in Kubernetes

Key Considerations

Choose between Connect and direct Proxy usage based on your attribution and security needs.
For sidecar deployments, include Qpoint container specs directly in pod definitions.
Ensure proper certificate management for SSL termination.
Configure applications to use the proxy or connect component as needed.
Use Qpoint Init for transparent traffic routing when environment variables are not suitable.

Example Pod Configuration with Proxy Sidecar

apiVersion: v1
kind: Pod
metadata:
  name: qpoint-proxy-sidecar-example
spec:
  initContainers:
    - name: qpoint-init
      # Configuration for Qpoint Init
  containers:
    - name: main-container
      # Your application container
    - name: qpoint-proxy
      image: us-docker.pkg.dev/qpoint-edge/public/qpoint:v0.1.6
      args:
        - proxy
        - --registration-token=$(QPOINT_REGISTRATION_TOKEN)
        # Other necessary arguments
      env:
        - name: QPOINT_REGISTRATION_TOKEN
          valueFrom:
            secretKeyRef:
              name: qpoint-registration-token
              key: token
      # Other necessary configurations
  volumes:
    - name: ca-pemstore
      # Custom CA certificate configuration if needed

Refer to the detailed documentation for specific configuration options and advanced usage scenarios.