Advanced Settings
This guide covers advanced configuration options for Spacelift Flows, including deploying in a private VPC, HTTP proxy configuration, and custom CA certificate support.
Private VPC Deployment
To deploy Spacelift Flows in a private VPC where services are not exposed to the public internet:
- Configure the ingress to use the internal scheme:
  - In the Helm values, change alb.ingress.kubernetes.io/scheme from internet-facing to internal
  - Use the internal ingress manifest:
      tofu output -raw internal_ingress_manifest | kubectl apply -f -
- Ensure your VPC has appropriate networking configured:
  - Private subnets with NAT gateway for outbound internet access
  - Security groups allowing communication between services
- Access the deployment through a VPN, bastion host, or other private network connection
HTTP Proxy Configuration
If your environment requires outbound connections through an HTTP proxy, configure proxy settings for all Spacelift Flows components:
Application Services
Add proxy environment variables to your Helm values file:

    worker:
      extraEnv:
        - name: HTTP_PROXY
          value: http://your-proxy.example.com:8080
        - name: HTTPS_PROXY
          value: http://your-proxy.example.com:8080
        - name: NO_PROXY
          value: localhost,127.0.0.1,.cluster.local

    gateway:
      extraEnv:
        - name: HTTP_PROXY
          value: http://your-proxy.example.com:8080
        - name: HTTPS_PROXY
          value: http://your-proxy.example.com:8080
        - name: NO_PROXY
          value: localhost,127.0.0.1,.cluster.local

    server:
      extraEnv:
        - name: HTTP_PROXY
          value: http://your-proxy.example.com:8080
        - name: HTTPS_PROXY
          value: http://your-proxy.example.com:8080
        - name: NO_PROXY
          value: localhost,127.0.0.1,.cluster.local

Agent Configuration
Specify the http_proxy variable in the agent Terraform module configuration:

    module "spacelift_flows_agent_pool" {
      # ... other configuration ...
      http_proxy = "http://your-proxy.example.com:8080"
    }

Custom CA Certificates
If your environment uses custom certificate authorities (e.g., for internal services or proxy SSL inspection), you can configure Spacelift Flows to trust additional CA certificates.
Format
Provide the custom_ca_certificates variable to both the main Terraform module and the agent Terraform module. The value must be a base64-encoded JSON object with the following structure:

    {
      "caCertificates": [
        "<base64-encoded-cert-1>",
        "<base64-encoded-cert-2>"
      ]
    }

Each certificate in the array must be a base64-encoded PEM format certificate.
Example
    module "spacelift_flows" {
      # ... other configuration ...
      custom_ca_certificates = "eyJjYUNlcnRpZmljYXRlcyI6WyJMUz..."
    }

    module "spacelift_flows_agent_pool" {
      # ... other configuration ...
      custom_ca_certificates = "eyJjYUNlcnRpZmljYXRlcyI6WyJMUz..."
    }

Generating the Value
You can generate the required format using the following script:

    # Combine multiple PEM certificates into a single JSON structure
    jq -n \
      --arg cert1 "$(cat ca-cert-1.pem | base64)" \
      --arg cert2 "$(cat ca-cert-2.pem | base64)" \
      '{caCertificates: [$cert1, $cert2]}' | base64
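Before a custom_ca_certificates value is handed to both modules, it is worth confirming that it decodes to exactly the structure described under Format and contains only certificates. The following is an added example, not Spacelift's own code: it builds the value for any number of PEM certificates (the script above handles two) and checks an existing value, returning a SHA-256 fingerprint per certificate to compare against the CA's published one. The names build_value, check_value and sample_pem are hypothetical, the rule of one CERTIFICATE block per array entry is an assumption drawn from the format description, and the sample data is constructed placeholder bytes rather than real X.509 certificates.

```python
import base64
import hashlib
import json
import re

# One PEM block: label plus base64 body ('-' is excluded, so blocks cannot merge).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s+([A-Za-z0-9+/=\s]+?)-----END \1-----")

def _b64(text):
    """Strict base64 decode that tolerates the line wrapping GNU base64 adds."""
    return base64.b64decode("".join(text.split()), validate=True)

def build_value(pem_texts):
    """Encode any number of PEM certificates into the format described above."""
    certs = [base64.b64encode(p.encode()).decode() for p in pem_texts]
    doc = json.dumps({"caCertificates": certs}, separators=(",", ":"))
    return base64.b64encode(doc.encode()).decode()  # one line, no wrapping

def check_value(value):
    """Return a SHA-256 fingerprint per certificate; raise ValueError if malformed."""
    try:
        doc = json.loads(_b64(value))
    except ValueError as exc:  # binascii.Error and JSONDecodeError derive from it
        raise ValueError(f"outer layer is not base64-encoded JSON: {exc}") from exc
    entries = doc.get("caCertificates") if isinstance(doc, dict) else None
    if not isinstance(entries, list) or not entries:
        raise ValueError("expected a non-empty 'caCertificates' array")
    fingerprints = []
    for i, entry in enumerate(entries):
        try:
            pem = _b64(entry).decode("ascii")
        except (AttributeError, ValueError) as exc:
            raise ValueError(f"entry {i} is not base64-encoded PEM: {exc}") from exc
        blocks = PEM_BLOCK.findall(pem)
        labels = [label for label, _ in blocks]
        if labels != ["CERTIFICATE"]:  # rejects private keys, chains, raw DER
            raise ValueError(f"entry {i}: want one CERTIFICATE block, got {labels}")
        fingerprints.append(hashlib.sha256(_b64(blocks[0][1])).hexdigest())
    return fingerprints

def sample_pem(label, der):
    """Constructed sample material for demonstration, not real X.509 data."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

if __name__ == "__main__":
    value = build_value([sample_pem("CERTIFICATE", b"constructed-ca-%d" % n) for n in (1, 2)])
    print(value[:32] + "...", check_value(value))
```

The check only verifies PEM framing and base64 validity; it does not parse the X.509 structure, so compare the returned fingerprints with values obtained from the CA out of band.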