# Advanced Settings

This guide covers advanced configuration options for Spacelift Flows, including deploying in a private VPC, HTTP proxy configuration, and custom CA certificate support.

## Private VPC Deployment
To deploy Spacelift Flows in a private VPC where services are not exposed to the public internet:

1. Configure the ingress to use the internal scheme:
   - In the Helm values, change `alb.ingress.kubernetes.io/scheme` from `internet-facing` to `internal`
   - Apply the internal ingress manifest: `tofu output -raw internal_ingress_manifest | kubectl apply -f -`
2. Ensure your VPC has the appropriate networking configured:
   - Private subnets with a NAT gateway for outbound internet access
   - Security groups allowing communication between services
3. Access the deployment through a VPN, bastion host, or other private network connection

## HTTP Proxy Configuration
If your environment requires outbound connections through an HTTP proxy, configure proxy settings for all Spacelift Flows components:

### Application Services
Add proxy environment variables to your Helm values file:

```
worker:
  extraEnv:
    - name: HTTP_PROXY
      value: http://your-proxy.example.com:8080
    - name: HTTPS_PROXY
      value: http://your-proxy.example.com:8080
    - name: NO_PROXY
      value: localhost,127.0.0.1,.cluster.local
gateway:
  extraEnv:
    - name: HTTP_PROXY
      value: http://your-proxy.example.com:8080
    - name: HTTPS_PROXY
      value: http://your-proxy.example.com:8080
    - name: NO_PROXY
      value: localhost,127.0.0.1,.cluster.local
server:
  extraEnv:
    - name: HTTP_PROXY
      value: http://your-proxy.example.com:8080
    - name: HTTPS_PROXY
      value: http://your-proxy.example.com:8080
    - name: NO_PROXY
      value: localhost,127.0.0.1,.cluster.local
```

### Agent Configuration
Specify the `http_proxy` variable in the agent Terraform module configuration:

```
module "spacelift_flows_agent_pool" {
  # ... other configuration ...
  http_proxy = "http://your-proxy.example.com:8080"
}
```

## Custom CA Certificates
If your environment uses custom certificate authorities (e.g., for internal services or proxy SSL inspection), you can configure Spacelift Flows to trust additional CA certificates.

### Format
Provide the `custom_ca_certificates` variable to both the main Terraform module and the agent Terraform module. The value must be a base64-encoded JSON object with the following structure:

```
{
  "caCertificates": [
    "<base64-encoded-cert-1>",
    "<base64-encoded-cert-2>"
  ]
}
```

Each entry in the array must be a base64-encoded certificate in PEM format (the inner base64 wraps the PEM text; the whole JSON object is then base64-encoded again).

### Example

```
module "spacelift_flows" {
  # ... other configuration ...
  custom_ca_certificates = "eyJjYUNlcnRpZmljYXRlcyI6WyJMUz..."
}

module "spacelift_flows_agent_pool" {
  # ... other configuration ...
  custom_ca_certificates = "eyJjYUNlcnRpZmljYXRlcyI6WyJMUz..."
}
```

### Generating the Value
You can generate the required format using the following script:

```
# Combine multiple PEM certificates into a single JSON structure,
# then base64-encode the whole object
jq -n \
  --arg cert1 "$(cat ca-cert-1.pem | base64)" \
  --arg cert2 "$(cat ca-cert-2.pem | base64)" \
  '{caCertificates: [$cert1, $cert2]}' | base64
```
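As an added example (not part of the Spacelift documentation or modules), the Python script below builds the `custom_ca_certificates` value from PEM strings for any number of certificates and validates an existing value before it is handed to Terraform, so a malformed value is caught locally rather than at deploy time. The PEM bodies are constructed placeholders, not real certificates, and the decoder tolerates line-wrapped base64 entries such as those the `base64` utility emits by default on Linux.

```python
import base64
import json

# Constructed placeholder PEM bodies for this example; the base64 lines are not real certificates.
SAMPLE_PEMS = [
    "-----BEGIN CERTIFICATE-----\nMIIBc2FtcGxlIENBIG9uZQ==\n-----END CERTIFICATE-----\n",
    "-----BEGIN CERTIFICATE-----\nMIIBc2FtcGxlIENBIHR3bw==\n-----END CERTIFICATE-----\n",
]

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def encode_custom_ca_certificates(pems):
    """Build the value: base64( JSON {"caCertificates": [base64(PEM), ...]} )."""
    for i, pem in enumerate(pems):
        if not (pem.lstrip().startswith(PEM_BEGIN) and PEM_END in pem):
            raise ValueError(f"entry {i} is not a PEM certificate")
    inner = [base64.b64encode(pem.encode("ascii")).decode("ascii") for pem in pems]
    payload = json.dumps({"caCertificates": inner})
    return base64.b64encode(payload.encode("ascii")).decode("ascii")


def decode_custom_ca_certificates(value):
    """Decode and validate an existing value; return the PEM strings or raise ValueError."""
    try:
        payload = json.loads(base64.b64decode("".join(value.split()), validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError(f"outer value is not base64-encoded JSON: {exc}") from None
    certs = payload.get("caCertificates") if isinstance(payload, dict) else None
    if not isinstance(certs, list) or not certs:
        raise ValueError('JSON object must contain a non-empty "caCertificates" array')
    pems = []
    for i, entry in enumerate(certs):
        if not isinstance(entry, str):
            raise ValueError(f"caCertificates[{i}] is not a string")
        try:
            # Strip whitespace so line-wrapped base64 (GNU `base64` wraps at 76 columns) still decodes.
            pem = base64.b64decode("".join(entry.split()), validate=True).decode("ascii")
        except ValueError as exc:
            raise ValueError(f"caCertificates[{i}] is not base64-encoded text: {exc}") from None
        if not (pem.lstrip().startswith(PEM_BEGIN) and PEM_END in pem):
            raise ValueError(f"caCertificates[{i}] does not decode to a PEM certificate")
        pems.append(pem)
    return pems


if __name__ == "__main__":
    print(encode_custom_ca_certificates(SAMPLE_PEMS))
```

Replace `SAMPLE_PEMS` with the contents of your own CA files and paste the printed value into both module blocks.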