
Aptori Proxy Deployment Guide

Aptori Proxy is provided as a container image and a Helm Chart that may be used to deploy the proxy to a Kubernetes cluster.

Prerequisites

  • TLS certificate with private key, saved as proxy-cert.crt and proxy-key.pem
  • JWKS file with the public key from the Aptori Platform, saved as jwks.json
  • A Docker registry access key for pulling the aptori/proxy container image
  • A load balancer for the Kubernetes cluster configured to forward HTTP CONNECT requests to the Aptori Proxy container. See Cloud Provider Configuration below.

Deployment Steps

Deployment of Aptori Proxy consists of 4 steps.

  1. Download the JWKS from the Admin Portal of an Aptori Platform.
  2. Create values.yaml file with configuration settings for the Helm Chart.
  3. Create Kubernetes secrets.
  4. Run Helm to deploy the Aptori Proxy.

Step 1 - Download JWKS

Aptori Proxy only allows authenticated requests to connect to a target server. Sift obtains an access token to use Aptori Proxy from the Aptori Platform. The Aptori Platform publishes a JWKS containing a public key that the Aptori Proxy uses to validate access tokens issued by the Aptori Platform.

The JWKS containing the Aptori Platform's public key must be provided to the Aptori Proxy at time of deployment. Follow these steps to create a jwks.json file.

  • In the Admin Portal of the Aptori Platform, navigate to your Organization and select the gear icon to view the Organization's Settings.
  • Navigate to the "Key Settings" tab.
  • Copy the Public Key. If the key is empty, or you wish to rotate the key pair, click "Generate New Key". Generating a new key pair invalidates tokens signed with the old one, so a proxy that still holds the old jwks.json must be redeployed with the new file (repeat Step 3 and Step 4).
  • Create a file named jwks.json with the copied contents.

Step 2 - Create values.yaml

Create a values.yaml file with configuration parameters for Aptori Proxy. Follow the example below for the cloud provider on which you will host Aptori Proxy. The settings under .loadBalancer.annotations configure the cloud load balancer in front of the proxy's Kubernetes Service so that it forwards HTTP CONNECT requests to the Aptori Proxy container.

Google Cloud Platform (GCP) Example

loadBalancer:
  annotations:
    cloud.google.com/l4-rbs: "enabled"
    cloud.google.com/load-balancer-type: "External"

proxy:
  port: "8443"
  image: aptori/proxy:25.8.1
  imagePullPolicy: Always
  imagePullSecret: imagekey
  secretMountPath: /mnt/aps
  secretVolumeName: apsvol
  secretName: "apsecret"

Amazon Web Services (AWS) Example

loadBalancer:
  class: eks.amazonaws.com/nlb # AWS
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    ## ** Replace values in the following line with your Elastic IP allocations **
    service.beta.kubernetes.io/aws-load-balancer-eip-allocations: "eipalloc-XXXXXXX,eipalloc-XXXXXXX,eipalloc-XXXXXXX"

proxy:
  port: "8443"
  image: aptori/proxy:25.8.1
  imagePullPolicy: Always
  imagePullSecret: imagekey
  secretMountPath: /mnt/aps
  secretVolumeName: apsvol
  secretName: apsecret

The aws-load-balancer-eip-allocations annotation needs one Elastic IP allocation per subnet the load balancer is placed in. Creating those allocations is described under "AWS EKS installation in a new cluster" below.

Step 3 - Create Kubernetes Namespace and Secrets

On the destination cluster, create a namespace into which Aptori Proxy will be deployed.

kubectl create namespace aptori-proxy

If you choose to use an existing namespace, be sure that names of the secrets created below do not conflict with existing secrets (or change secretName and imagePullSecret accordingly).

Next, create the apsecret secret that contains the data Aptori Proxy reads at startup. The JWKS file is the one from Step 1. The TLS certificate must cover the DNS name at which clients reach Aptori Proxy, and the private key must be the one belonging to that certificate.

kubectl -n aptori-proxy create secret generic apsecret \
    --from-file=jwks.json \
    --from-file=proxy-cert.crt \
    --from-file=proxy-key.pem

Finally, create the imagekey secret that contains the container registry key to authenticate with Docker Hub. The registry key file will be provided to you by Aptori (same as for Aptori Platform images).

kubectl -n aptori-proxy create secret docker-registry imagekey \
    --docker-server https://index.docker.io/v1/ \
    --docker-username aptori \
    --docker-password="$(cat <registry-key-file>)"

Step 4 - Deploy using Helm

Run Helm to install Aptori Proxy, using the values.yaml file that you created in Step 2. If Helm cannot pull the chart anonymously, authenticate first with helm registry login registry-1.docker.io, using the same Docker Hub credentials as the imagekey secret.

helm install aptori-proxy \
    oci://registry-1.docker.io/aptori/aptori-proxy \
    --namespace aptori-proxy \
    --values values.yaml

The above command installs an application named "aptori-proxy" in Kubernetes namespace "aptori-proxy".

Cloud Provider Configuration

Review the configuration below for the cloud provider whose load balancer will front Aptori Proxy.

AWS EKS installation in a new cluster

Create the cluster in auto mode:

eksctl create cluster --name=<cluster-name> --enable-auto-mode

Follow the steps in the AWS documentation to install the AWS Load Balancer Controller. When installing the controller's Helm chart, you may need to pass the VPC ID explicitly, as in the command below.

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=<cluster name> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set region=<region> \
  --set vpcId=<vpc-id>

Get subnet IDs:

aws eks describe-cluster --name <cluster-name> --region <region> --query 'cluster.resourcesVpcConfig.subnetIds'

Create a matching number of Elastic IP allocations (three subnets in this example, so three allocations), and note their public IPs and allocation IDs (eipalloc-...) from the output:

aws ec2 allocate-address --region <region> --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=ap-static-ip-1},{Key=Purpose,Value=kubernetes-nlb}]'
aws ec2 allocate-address --region <region> --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=ap-static-ip-2},{Key=Purpose,Value=kubernetes-nlb}]'
aws ec2 allocate-address --region <region> --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=ap-static-ip-3},{Key=Purpose,Value=kubernetes-nlb}]'

Add the allocation IDs to the aws-load-balancer-eip-allocations annotation in values.yaml before installing the Aptori Proxy chart.

NOTE: This example uses an Auto Mode cluster, which has subnets in three availability zones, but the Kubernetes node that runs the workload is in only one of them. Aptori Proxy will be listening on the external IP associated with the subnet in that zone.

Google Cloud GKE installation in a new cluster

In Cloud Console, create a new Autopilot cluster, accepting default values. Prepare your local environment to use the cluster by adding a kubectl context with the Google Cloud CLI.

gcloud container clusters get-credentials <cluster-name> --region <region> --project <project-name>

Follow the Deployment Steps above. Once the chart is installed, list the services in the aptori-proxy namespace.

kubectl get service -n aptori-proxy

Aptori Proxy will be listening on the 'EXTERNAL-IP' address listed for the load balancer service. Point the DNS name that the TLS certificate from Step 3 was issued for at this address so that clients can validate the proxy's certificate.
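A post-deployment check, added here and not part of Aptori's documentation or tooling: it reads the published address from the LoadBalancer service, confirms that the certificate presented on the proxy port is the proxy-cert.crt from Step 3 (by comparing SHA-256 fingerprints), and sends one CONNECT without an access token, which the proxy must not answer with 200 since it only tunnels authenticated requests. The script name verify-aptori-proxy.sh, example.com as the tunnel target, and curl's --proxy-insecure for that single probe are assumptions.

```shell
#!/usr/bin/env bash
# verify-aptori-proxy.sh: added example, not Aptori's own tooling. Confirms that
# the address the load balancer published really serves the proxy certificate
# from Step 3 and that the proxy refuses a CONNECT that carries no access token.
# Assumes openssl, kubectl and a curl built with HTTPS-proxy support on PATH.
set -eu

# Address published for the LoadBalancer service: GCP reports an IP, an AWS NLB a hostname.
service_address() {
  kubectl -n "$1" get service -o jsonpath='{range .items[?(@.spec.type=="LoadBalancer")]}{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}{end}'
}

# SHA-256 fingerprint of the (first) certificate in a PEM file, colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate presented at address:port when SNI is $3.
remote_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Status of the proxy's reply to a CONNECT sent without an Authorization header.
# %{http_connect} is curl's write-out variable for exactly that response.
# --proxy-insecure is acceptable only because remote_fingerprint has already
# pinned the certificate; this probe is about the status code, not identity.
connect_status() {
  curl -s -o /dev/null --max-time 10 --proxy-insecure -x "https://$1:$2" \
    -w '%{http_connect}' https://example.com/ || true
}

# 0 if the status shows the proxy answered and did not open the tunnel.
# "000" is curl's value when no CONNECT response arrived at all.
connect_rejected() {
  case "${1:-}" in
    ""|000|200) return 1 ;;
    [1-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  local host="${1:?usage: $0 <proxy-hostname> [namespace] [port]}"
  local ns="${2:-aptori-proxy}" port="${3:-8443}"
  local addr expected actual status
  addr=$(service_address "$ns")
  [ -n "$addr" ] || { echo "no external address published yet; retry shortly" >&2; return 1; }
  expected=$(cert_fingerprint proxy-cert.crt)
  actual=$(remote_fingerprint "$addr" "$port" "$host")
  [ "$expected" = "$actual" ] || { echo "certificate mismatch at $addr:$port: got ${actual:-nothing}" >&2; return 1; }
  status=$(connect_status "$addr" "$port")
  connect_rejected "$status" || { echo "unexpected CONNECT status: ${status:-none}" >&2; return 1; }
  echo "ok: $host -> $addr:$port presents the expected certificate; unauthenticated CONNECT got $status"
}

case "${0##*/}" in verify-aptori-proxy.sh) main "$@" ;; esac
```

Run it as `./verify-aptori-proxy.sh proxy.example.com` from the directory that holds proxy-cert.crt. A fingerprint mismatch usually means the service is fronted by a load balancer that terminates TLS itself, which this deployment does not want, or that an older secret is still mounted; a 200 on the unauthenticated CONNECT means the proxy is not enforcing the token check and must not be exposed.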