Advanced Settings
This guide covers advanced configuration options for Spacelift Flows, including deploying in a private VPC, HTTP proxy configuration, and custom CA certificate support.
Private VPC Deployment
To deploy Spacelift Flows in a private VPC where services are not exposed to the public internet:
- Configure the ingress to use the internal scheme:
  - In the Helm values, change `alb.ingress.kubernetes.io/scheme` from `internet-facing` to `internal`
  - Use the internal ingress manifest:

    ```bash
    tofu output -raw internal_ingress_manifest | kubectl apply -f -
    ```

- Ensure your VPC has appropriate networking configured:
  - Private subnets with NAT gateway for outbound internet access
  - Security groups allowing communication between services
- Access the deployment through a VPN, bastion host, or other private network connection
Outgoing IPs and Hosts
Flows makes outbound connections to the following hosts. If you are running in a restricted network environment, ensure these are reachable.
Container Images
The following images are pulled from public registries at startup:
| Image | Registry | Purpose |
|---|---|---|
| public.ecr.aws/w5z2f6e8/spacelift-flows-backend | AWS Public ECR | Backend services |
| public.ecr.aws/w5z2f6e8/spacelift-flows-agent | AWS Public ECR | Agent services |
| node:24-alpine | Docker Hub | JavaScript runtimes |
JavaScript runtimes can be configured to use a custom image.
Anthropic API
The Flows backend calls the Anthropic Claude API to power the built-in assistant. Anthropic services accept inbound connections on the following IP ranges:
| Protocol | CIDR |
|---|---|
| IPv4 | 160.79.104.0/23 |
| IPv6 | 2607:6bc0::/48 |
Core App Registry
The following endpoint is used to fetch officially supported apps:
| URL | Purpose |
|---|---|
| https://registry.useflows.com/core | Core apps |
Community Registry
The following endpoint is used to fetch community apps:
| URL | Purpose |
|---|---|
| https://registry.useflows.com/community | Community apps |
Community apps are sourced from GitHub. Ensure that https://github.com is also reachable for the community registry to function.
HTTP Proxy Configuration
If your environment requires outbound connections through an HTTP proxy, configure proxy settings for all Spacelift Flows components:
Application Services
Add proxy environment variables to your Helm values file:

```yaml
worker:
  extraEnv:
    - name: HTTP_PROXY
      value: http://your-proxy.example.com:8080
    - name: HTTPS_PROXY
      value: http://your-proxy.example.com:8080
    - name: NO_PROXY
      value: localhost,127.0.0.1,.cluster.local

gateway:
  extraEnv:
    - name: HTTP_PROXY
      value: http://your-proxy.example.com:8080
    - name: HTTPS_PROXY
      value: http://your-proxy.example.com:8080
    - name: NO_PROXY
      value: localhost,127.0.0.1,.cluster.local

server:
  extraEnv:
    - name: HTTP_PROXY
      value: http://your-proxy.example.com:8080
    - name: HTTPS_PROXY
      value: http://your-proxy.example.com:8080
    - name: NO_PROXY
      value: localhost,127.0.0.1,.cluster.local
```

Agent Configuration
Specify the http_proxy variable in the agent Terraform module configuration:

```hcl
module "spacelift_flows_agent_pool" {
  # ... other configuration ...
  http_proxy = "http://your-proxy.example.com:8080"
}
```

Custom CA Certificates
If your environment uses custom certificate authorities (e.g., for internal services or proxy SSL inspection), you can configure Spacelift Flows to trust additional CA certificates.
Format
Provide the custom_ca_certificates variable to both the main Terraform module and the agent Terraform module. The value must be a base64-encoded JSON object with the following structure:

```json
{
  "caCertificates": [
    "<base64-encoded-cert-1>",
    "<base64-encoded-cert-2>"
  ]
}
```

Each certificate in the array must be a base64-encoded PEM format certificate.
Example
```hcl
module "spacelift_flows" {
  # ... other configuration ...
  custom_ca_certificates = "eyJjYUNlcnRpZmljYXRlcyI6WyJMUz..."
}

module "spacelift_flows_agent_pool" {
  # ... other configuration ...
  custom_ca_certificates = "eyJjYUNlcnRpZmljYXRlcyI6WyJMUz..."
}
```

Generating the Value
You can generate the required format using the following script:

```bash
# Combine multiple PEM certificates into a single JSON structure
jq -n \
  --arg cert1 "$(cat ca-cert-1.pem | base64)" \
  --arg cert2 "$(cat ca-cert-2.pem | base64)" \
  '{caCertificates: [$cert1, $cert2]}' | base64
```
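Before passing a generated value to the Terraform modules, it helps to decode it again and confirm both encoding layers match the format described above. The following is an added example, not Spacelift code: `encode_bundle`, `check_bundle` and `SAMPLE_PEM` are hypothetical names, the sample certificate is a constructed placeholder, and the check is structural only (it does not parse X.509).

```python
import base64
import json
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")

# Constructed placeholder: PEM-shaped, but the body is not a real X.509 certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=\n"
              "-----END CERTIFICATE-----\n")

def encode_bundle(pem_certs):
    """base64( {"caCertificates": [base64(PEM), ...]} ), emitted on a single line."""
    entries = [base64.b64encode(p.encode()).decode() for p in pem_certs]
    doc = json.dumps({"caCertificates": entries})
    return base64.b64encode(doc.encode()).decode()

def check_bundle(value):
    """Return a list of problems found in a custom_ca_certificates value ([] = OK)."""
    problems = []
    if any(c.isspace() for c in value):
        # GNU base64 wraps at 76 columns; an HCL quoted string cannot span lines.
        problems.append("value contains whitespace or line breaks")
    try:
        doc = json.loads(base64.b64decode("".join(value.split()), validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both derive from it
        return problems + [f"outer layer is not base64-encoded JSON: {exc}"]
    certs = doc.get("caCertificates") if isinstance(doc, dict) else None
    if not isinstance(certs, list) or not certs:
        return problems + ["missing or empty 'caCertificates' array"]
    for i, entry in enumerate(certs):
        try:
            raw = base64.b64decode("".join(str(entry).split()), validate=True)
            pem = raw.decode("ascii")
        except ValueError:
            problems.append(f"entry {i}: not base64 text (raw PEM or DER pasted?)")
            continue
        if "PRIVATE KEY" in pem:
            problems.append(f"entry {i}: contains a private key, which must not ship")
        if not PEM_CERT.search(pem):
            problems.append(f"entry {i}: no PEM CERTIFICATE block found")
    return problems

if __name__ == "__main__":
    value = encode_bundle([SAMPLE_PEM])
    print(value)
    print(check_bundle(value) or "OK")
```

Running the check on the output of the `jq` script catches the common mistakes: a missing encoding layer, a key file picked up instead of a certificate, or wrapped `base64` output pasted into the module variable.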