Proxy Service with Kubernetes

Deploying Qpoint Proxy as a Service in Kubernetes

This guide explains how to deploy the Qpoint Proxy as a service in your Kubernetes cluster and configure pods to route traffic through it using qpoint-init. This approach allows you to route traffic through the Qpoint Proxy for multiple pods or applications without needing to deploy it as a sidecar in each pod.

Prerequisites

  • Kubernetes cluster

  • kubectl command-line tool

  • Helm installed

  • Qpoint registration token (obtainable from app.qpoint.io)

Install Qpoint Helm Repository

First, add the Qpoint Helm repository:

helm repo add qpoint https://helm.qpoint.io/
helm repo update

Deploy Qpoint Proxy

Deploy Qpoint Proxy using Helm. Replace $TOKEN with your actual registration token:

helm install qpoint-proxy qpoint/qpoint-proxy \
  --set registrationToken="$TOKEN" \
  --namespace qpoint \
  --create-namespace

You can find all configurable options with:

helm show values qpoint/qpoint-proxy

Verify the Deployment

Check if the Qpoint Proxy service is running:

kubectl get pods -n qpoint
kubectl get services -n qpoint

You should see the Qpoint Proxy pod in the "Running" state and the service exposed.

Configure Pods to Use the Proxy

To route traffic through the Qpoint Proxy service, you'll use the qpoint-init container to set up iptables rules. Add the following to your pod specifications:

spec:
  initContainers:
    - name: qpoint-init
      image: us-docker.pkg.dev/qpoint-edge/public/kubernetes-qpoint-init:v0.0.9
      env:
        - name: PORT_MAPPING
          value: "10443:443,10080:80"
        - name: TO_DOMAIN
          value: "qpoint-proxy.qpoint.svc.cluster.local"
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
  containers:
    - name: your-main-container
      # Your main container configuration here
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]

Note: The main container also needs the NET_ADMIN capability for the iptables rules to take effect.

Example Pod Configuration

Here's a complete example of a pod configured to use the Qpoint Proxy service:

apiVersion: v1
kind: Pod
metadata:
  name: qpoint-example-pod
spec:
  initContainers:
    - name: qpoint-init
      image: us-docker.pkg.dev/qpoint-edge/public/kubernetes-qpoint-init:v0.0.9
      env:
        - name: PORT_MAPPING
          value: "10443:443,10080:80"
        - name: TO_DOMAIN
          value: "qpoint-proxy.qpoint.svc.cluster.local"
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
  containers:
    - name: main-container
      image: curlimages/curl
      command: ["sh", "-c", "while true; do sleep 3600; done"]
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]

Testing the Proxy

To test whether the proxy is working:

  1. Apply the example pod configuration:

kubectl apply -f qpoint-example-pod.yaml

  2. Exec into the pod:

kubectl exec -it qpoint-example-pod -- sh

  3. Make a request:

curl -I https://example.com

This request should be routed through the Qpoint Proxy service.

Notes

  • The Qpoint Proxy service is accessible cluster-wide at qpoint-proxy.qpoint.svc.cluster.local.

  • Adjust the namespace in the service address if you deployed Qpoint Proxy to a different namespace.

  • You may need to configure network policies to allow traffic from your pods to the Qpoint Proxy service.

  • For SSL inspection, you'll need to install and configure custom CA certificates. Refer to the Qpoint documentation for details on certificate management.

  • The qpoint-init container sets up iptables rules to route traffic through the proxy.

  • Both the init container and the main container require the NET_ADMIN capability for the iptables rules to work correctly.

This setup allows you to use the Qpoint Proxy as a centralized service for multiple pods or applications in your Kubernetes cluster, with traffic routing handled transparently by qpoint-init.
