Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

How to configure AtScale Proxy

Overview

The AtScale proxy service is a wrapper of the Nginx Helm Chart with pre-configured routing to all AtScale services.

a) Certificates

TLS certificates can be provided by three different ways:

  1. (Default) Auto generated, by leaving the section global.atscale.tls empty. This way a self-signed certificate for the global.ingressDomain will be generated by our application and saved to default-certificate Secret;

    Example Values Override file:

     
    global: ingressDomain: "atscale.yourcompany.example"

     

  2. Provided on the Values Override file, by filling out the global.atscale.tlsCrtglobal.atscale.tlsKey and optionally the global.atscale.caCerts parameters, all Base64 encoded, which will be saved to default-certificate Secret;

    Example Values Override file:

     
    global: ingressDomain: "atscale.yourcompany.example" tls: tlsCrt: LS0tLS1CR... tlsKey: LS0tLS1CR... caCerts: LS0tLS1CR...

     

  3. Via Secret, with tls.keytls.crt and ca.crt keys. The Secret name should be provided to both the global.atscale.tls.existingSecret and atscale-proxy.tls.existingSecret sections.

    Example Secret manifest:

     
    type: kubernetes.io/tls apiVersion: v1 kind: Secret metadata: namespace: atscale data: tls.crt: LS0tLS1CR... tls.key: LS0tLS1CR... ca.crt: LS0tLS1CR...


    Example Values Override file:

     
    global: ingressDomain: "atscale.yourcompany.example" atscale: tls: existingSecret: "my-certificate" atscale-proxy: tls: existingSecret: "my-certificate"

b) Routing

There are two different methods of reaching AtScale services from outside:

  1. (Default) Service: All configurations related to the proxy service are within the atscale-proxy.service section. In this configuration, the AtScale Proxy will handle the TLS termination, using the certificate set on global.atscale.tls (or the generated self-signed certificate), and HTTP 2.0 will be set as default.

    Example Values Override for a Load Balancer with 3 replicas

     
    atscale-proxy: replicaCount: 3 service: type: LoadBalancer


    Example Values Override for an AWS Load Balancer:

     
    atscale-proxy: annotations: service.beta.kubernetes.io/aws-load-balancer-scheme: internal service.beta.kubernetes.io/aws-load-balancer-internal: "true" service.beta.kubernetes.io/aws-load-balancer-type: nlb service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance service: type: LoadBalancer


    Example Values Override for an Azure Load Balancer:

     
    atscale-proxy: annotations: service.beta.kubernetes.io/azure-load-balancer-internal: "true" service.beta.kubernetes.io/azure-load-balancer-ipv4: 10.240.0.25 service: type: LoadBalancer

     

    Example Values Override for a Google Cloud Load Balancer:

     
    atscale-proxy: annotations: networking.gke.io/load-balancer-type: "Internal" networking.gke.io/load-balancer-ip-addresses: "10.240.0.25" kubernetes.io/ingress.global-static-ip-name: my-static-address service: type: LoadBalancer

     

  2. Ingress: All configurations related to the proxy service are within the atscale-proxy.ingress section. In order to enable, set atscale-proxy.ingress.enabled to true. In this configuration, the AtScale Proxy will not deal will TLS termination, HTTP 1.1 will be set as default, and the certificate global.atscale.tls (or the generated self-signed certificate) will be attached to the Ingress.

    Example Values Override using an Ingress, with the default ingress class being nginx

     
    atscale-proxy: ingress: enabled: true ingressClassName: "nginx"


    Note on TCP Connections when using Ingress
    The communication between the AtScale Engine and external applications, such as Tableau, also take place using the Postgres Wire protocol, via the TCP Port 15432.

    This port is also exposed via the atscale-proxy service, however when using the Ingress, only HTTPS connections are allowed. Therefore, it is necessary to use Firewall rules or other proxy available in order to allow the access via port 15432.

    A tutorial on how to expose TCP Ports using the Nginx Ingress Controller can be found here:Exposing TCP and UDP services - Ingress-Nginx Controller, and for Traefik here Traefik Routers Documentation - Traefik .

Upgrade Considerations from 2025.2.1 and earlier versions

Important: If nginxproxy is not being used, no action is needed.

All the settings in the nginxproxy section of the Values Override file should be migrated accordingly to atscale-proxy. Notably:

  1. All annotations from nginxproxy.service.annotations should be migrated to atscale-proxy.service.annotations;

  2. All routes created to the nginx service should now be redirected to atscale-proxy service;

  3. OpenShift Routes, Istio VirtualServices, and other environment-specific routing Custom Resources should be reviewed, point the routes to the correct atscale-proxy service