|
| 1 | +--- |
| 2 | +title: Proxy Support for Custom HTTP Source CRD Download Strategy in Karmada Operator |
| 3 | +authors: |
| 4 | +- "@jabellard" |
| 5 | +reviewers: |
| 6 | +- "@RainbowMango" |
| 7 | +approvers: |
| 8 | +- "@RainbowMango" |
| 9 | + |
| 10 | +creation-date: 2025-07-27 |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +# Proxy Support for Custom HTTP Source CRD Download Strategy in Karmada Operator |
| 15 | + |
| 16 | +## Summary |
| 17 | + |
| 18 | +This proposal extends the custom HTTP source CRD download strategy for the Karmada operator by adding support for specifying a proxy server to be used when downloading the CRD tarball from an HTTP source. |
| 19 | +This enhancement aims to increase compatibility with restrictive corporate environments where cross-network traffic is mediated through a proxy. |
| 20 | + |
| 21 | +## Motivation |
| 22 | + |
| 23 | +In enterprise environments, especially those with strict network security policies, cross-network traffic often must be mediated through a proxy server. |
| 24 | +Currently, the Karmada operator's custom HTTP source CRD download strategy allows specifying an HTTP(S) URL as the source for the CRD tarball but does not support proxy configuration. |
| 25 | +This limitation prevents the operator from functioning correctly in such restricted environments. By adding support for specifying a proxy, we can ensure that the Karmada operator |
| 26 | +is flexible and adaptable to diverse network configurations. |
| 27 | + |
| 28 | +## Goals |
| 29 | + |
| 30 | +- Enable proxy configuration for downloading CRD tarballs from custom HTTP/HTTPS sources. |
| 31 | +- Maintain backward compatibility by keeping the proxy field optional. |
| 32 | +- Ensure that the proxy configuration, if specified, is honored when downloading CRDs in both `Always` and `IfNotPresent` policies. |
| 33 | + |
| 34 | +## Proposal |
| 35 | + |
| 36 | +This proposal extends the `HTTPSource` type in the Karmada CRD specification to include an optional `Proxy` field. This field, when set, will specify the configuration of a proxy server to use when downloading the CRD tarball. |
| 37 | + |
| 38 | +### API Changes |
| 39 | + |
| 40 | +Update the `HTTPSource` type as follows: |
| 41 | + |
| 42 | +```go |
| 43 | +// HTTPSource specifies how to download the CRD tarball via either HTTP or HTTPS protocol. |
| 44 | +type HTTPSource struct { |
| 45 | + // URL specifies the URL of the CRD tarball resource. |
| 46 | + URL string `json:"url,omitempty"` |
| 47 | + |
| 48 | + // Proxy specifies the configuration of a proxy server to use when downloading the CRD tarball. |
| 49 | + // When set, the operator will use the configuration to determine how to establish a connection to the proxy to fetch the tarball from the URL specified above. |
| 50 | + // This is useful in environments where direct access to the server hosting the CRD tarball is restricted and a proxy must be used to reach that server. |
| 51 | + // If a proxy configuration is not set, the operator will attempt to download the tarball directly from the URL specified above without using a proxy. |
| 52 | + // +optional |
| 53 | + Proxy *ProxyConfig `json:"proxy,omitempty"` |
| 54 | +} |
| 55 | + |
| 56 | +// ProxyConfig defines the configuration for a proxy server to use when downloading a CRD tarball. |
| 57 | +type ProxyConfig struct { |
| 58 | + // ProxyURL specifies the HTTP/HTTPS proxy server URL to use when downloading the CRD tarball. |
| 59 | + // This is useful in environments where direct access to the server hosting the CRD tarball is restricted and a proxy must be used to reach that server. |
| 60 | + // The format should be a valid URL, e.g., "http://proxy.example.com:8080". |
| 61 | + // +kubebuilder:validation:Required |
| 62 | + ProxyURL string `json:"proxyURL"` |
| 63 | +} |
| 64 | +``` |
| 65 | + |
| 66 | +### Behavior |
| 67 | + |
| 68 | +- If the `Proxy` field is set, the operator will configure the HTTP client to route requests through the specified proxy. |
| 69 | +- If the `Proxy` field is not set, the HTTP client will behave as it does today (i.e., direct connection or system-level proxy settings). |
| 70 | +- The proxy setting will apply only to the download of the CRD tarball. It will not affect other HTTP operations performed by the operator. |
| 71 | + |
| 72 | +### Caching Behavior |
| 73 | + |
| 74 | +This proposal does not alter the caching logic. The cache key for a given CRD tarball will continue to be derived from the URL alone. The proxy does not affect the identity of the downloaded content and therefore does not contribute to the cache key. |
| 75 | + |
| 76 | +### Design Considerations |
| 77 | + |
| 78 | +- **Extensibility**: The design allows for future support of authentication or SOCKS proxies if needed. |
| 79 | + |
| 80 | +### Alternatives Considered |
| 81 | + |
| 82 | +- Using environment variables to configure the proxy. This was rejected because it lacks the granularity and clarity of defining proxy settings on a per-resource basis within the CRD. |
| 83 | + |
| 84 | +### Implementation Plan |
| 85 | + |
| 86 | +- Extend the `HTTPSource` struct to include the `Proxy` field. |
| 87 | +- Update the CRD schema and validation logic. |
| 88 | +- Modify the download logic to honor the `Proxy` setting when set. |
| 89 | + |
| 90 | +### Test Plan |
| 91 | + |
| 92 | +- E2E tests in an environment requiring a proxy to ensure successful CRD downloads. |
| 93 | +- E2E tests to verify that the behavior remains unchanged when the `Proxy` field is omitted. |
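Review bot: `ProxyURL` in `ProxyConfig` carries only `+kubebuilder:validation:Required`, so the "valid URL" and "HTTP/HTTPS" constraints stated in its comment are not enforced by the schema. Suggest saying where the value is validated (a pattern or minimum-length marker on the field, or a check in the operator's validation logic, which the Implementation Plan mentions only in general terms) and whether a URL with embedded credentials is rejected, since Design Considerations defers proxy authentication and such a value would otherwise sit in plain text in the resource spec. Two related points in the text: the `Proxy` field comment says that when unset the operator downloads "directly ... without using a proxy", while the Behavior section allows "direct connection or system-level proxy settings", so one of the two should be corrected; and the Caching Behavior claim that the proxy does not affect the identity of the downloaded content is not guaranteed for plain HTTP sources, which `HTTPSource` permits, because an intermediary can alter the tarball that is then cached under the URL-only key. A digest check on the tarball, or a note restricting that claim to HTTPS sources, would close the gap.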