The Remote Operator maintains a bidirectional gRPC session with controller.sawmills.ai and can emit Prometheus remote-write traffic. The Sawmills Collector sends telemetry data to Sawmills services. Some customers must route every outbound internet connection through an egress proxy. This guide explains how to enable that flow while keeping TLS endpoints pointed at Sawmills services.

Prerequisites

  • Remote Operator chart version 2.0.9 or later (proxy values are not present in older releases). See GitHub releases for the latest version.
  • Sawmills Collector chart version 2.8.3 or later with proxy support. See GitHub releases for the latest version.
  • An HTTP/HTTPS CONNECT proxy reachable from the cluster, including credentials if the proxy requires authentication.
  • Access to update Helm values (either values.yaml or CLI --set flags).

Configure proxy values via Helm

Both charts expose a proxy block that maps directly to the pod environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY. The configuration structure is identical for both components.

Remote Operator configuration

Populate the proxy fields in your Remote Operator values file:
proxy:
  http: http://user:pass@corp-proxy.example.com:3128
  https: http://user:pass@corp-proxy.example.com:3128
  noProxy:
    - kubernetes.default.svc
    - 10.0.0.0/8
    - 169.254.169.254
Then upgrade the release:
helm upgrade --install sawmills-remote-operator oci://public.ecr.aws/s7a5m1b4/sawmills-remote-operator-chart \
  --namespace sawmills \
  --values values.yaml
The operator keeps the TLS Server Name set to controller.sawmills.ai, so the proxy only tunnels the TCP stream while the certificate remains valid.

Sawmills Collector configuration

For the Sawmills Collector, configure the proxy in the same way. If you’re managing the collector via the Remote Operator, add the proxy configuration under managedChartsValues (the legacy key managedCharts still works as an alias):
managedChartsValues:
  sawmills-collector:
    proxy:
      http: http://user:pass@corp-proxy.example.com:3128
      https: http://user:pass@corp-proxy.example.com:3128
      noProxy:
        - kubernetes.default.svc
        - 10.0.0.0/8
        - 169.254.169.254
If you’re installing the collector chart directly, add the proxy block to the collector’s values file:
proxy:
  http: http://user:pass@corp-proxy.example.com:3128
  https: http://user:pass@corp-proxy.example.com:3128
  noProxy:
    - kubernetes.default.svc
    - 10.0.0.0/8
    - 169.254.169.254
The collector keeps TLS Server Names set to Sawmills service endpoints, so the proxy only tunnels the TCP stream while certificates remain valid.

CLI-only configuration

You can also pass the values without editing a file. For the Remote Operator:
helm upgrade --install sawmills-remote-operator oci://public.ecr.aws/s7a5m1b4/sawmills-remote-operator-chart \
  --namespace sawmills \
  --set proxy.http="http://$USER:$HOSTNAME@proxy.corp:32281" \
  --set proxy.https="http://$USER:$HOSTNAME@proxy.corp:32281" \
  --set 'proxy.noProxy[0]=kubernetes.default.svc' \
  --set 'proxy.noProxy[1]=10.4.0.0/16'
For the Sawmills Collector (when managed by Remote Operator):
helm upgrade --install sawmills-remote-operator oci://public.ecr.aws/s7a5m1b4/sawmills-remote-operator-chart \
  --namespace sawmills \
  --set managedChartsValues.sawmills-collector.proxy.http="http://$USER:$HOSTNAME@proxy.corp:32281" \
  --set managedChartsValues.sawmills-collector.proxy.https="http://$USER:$HOSTNAME@proxy.corp:32281" \
  --set 'managedChartsValues.sawmills-collector.proxy.noProxy[0]=kubernetes.default.svc' \
  --set 'managedChartsValues.sawmills-collector.proxy.noProxy[1]=10.4.0.0/16'

NO_PROXY formatting rules

proxy.noProxy accepts either:
  • A YAML list (recommended) that will be joined with commas, or
  • A raw comma-separated string.
Include every cluster-local CIDR, service DNS name, or metadata endpoint you want to bypass the proxy. Both components only proxy traffic bound for Sawmills services; Kubernetes API calls stay inside the cluster regardless of this list.

Observing proxy configuration

Remote Operator

When proxy variables are detected, the Remote Operator logs a single informational line similar to:
info component=remote-operator http_proxy=http://redacted:redacted@corp-proxy:3128 no_proxy=kubernetes.default.svc,10.0.0.0/8 msg="Detected outbound proxy configuration for Sawmills traffic"

Sawmills Collector

The Sawmills Collector uses the proxy environment variables automatically when present. To verify the configuration, check that the environment variables are set in the pod:
kubectl exec -n sawmills deployment/sawmills-collector -- env | grep -i proxy
Credentials are redacted in logs. If you do not see the expected behavior, verify that the Helm values were rendered into the pod (use kubectl describe deployment or kubectl exec env).
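
The env check above prints the proxy URL exactly as configured, credentials included. The script below is an added example, not part of the Sawmills charts: it filters that output so the userinfo is masked and checks that the NO_PROXY entries you expect were rendered. The function names and the sample environment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Sawmills charts): inspect a pod's proxy
# variables without echoing credentials, and confirm NO_PROXY coverage.

# Keep only the proxy variables and mask any user:pass@ userinfo.
redact_proxy_env() {
  grep -iE '^(https?|no)_proxy=' |
    sed -E 's#(://)[^/[:space:]]*@#\1redacted:redacted@#'
}

# Print the required entries absent from a comma-separated NO_PROXY value.
# Exact string match only; returns non-zero if anything is missing.
no_proxy_missing() {
  list=",$(printf '%s' "$1" | tr -d '[:space:]'),"
  shift
  missing=""
  for want in "$@"; do
    case "$list" in
      *",$want,"*) ;;
      *) missing="$missing $want" ;;
    esac
  done
  printf '%s' "${missing# }"
  [ -z "$missing" ]
}

# Read `env` output on stdin; arguments are the NO_PROXY entries you expect.
audit_proxy_env() {
  env_dump=$(cat)
  printf '%s\n' "$env_dump" | redact_proxy_env
  np=$(printf '%s\n' "$env_dump" |
    sed -n 's/^[Nn][Oo]_[Pp][Rr][Oo][Xx][Yy]=//p' | head -n 1)
  if absent=$(no_proxy_missing "$np" "$@"); then
    echo "NO_PROXY: all expected entries present"
  else
    echo "NO_PROXY: missing $absent"
    return 1
  fi
}

# Constructed sample standing in for:
#   kubectl exec -n sawmills deployment/sawmills-collector -- env
SAMPLE_ENV='PATH=/usr/bin
HTTP_PROXY=http://user:pass@corp-proxy.example.com:3128
HTTPS_PROXY=http://user:pass@corp-proxy.example.com:3128
NO_PROXY=kubernetes.default.svc,10.0.0.0/8'

printf '%s\n' "$SAMPLE_ENV" |
  audit_proxy_env kubernetes.default.svc 10.0.0.0/8 169.254.169.254 ||
  echo "audit failed: add the missing entries to proxy.noProxy"
```

Against a live pod, pipe the kubectl exec command from this section into audit_proxy_env in place of the sample.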