 MITM Proxy for Kestra
MITM Proxy for Kestra
Configure outbound HTTP/S traffic through an MITM proxy in Kestra.
This guide walks through the steps to route and inspect Kestra's outbound HTTP/S traffic using an MITM proxy.
Why use an MITM proxy
In secured or restricted environments it’s common to route outbound HTTP/S traffic through a Man-in-the-Middle (MITM) proxy for auditing, inspection, or policy enforcement. For this to work seamlessly, clients (Kestra) must:
- Trust the proxy’s CA certificate.
- Route outbound traffic through the proxy.
- Configure the JVM and any auxiliary daemons (e.g., Docker daemon) to use the proxy and truststore.
Security note: An MITM proxy intercepts TLS traffic. Only enable this in controlled environments and with appropriate approvals.
Prerequisites
1. Create a Java truststore with the MITM CA certificate
Import the MITM CA certificate into a Java keystore so the JVM trusts intercepted TLS connections:
keytool -importcert   -alias mitmproxy-ca   -storepass changeit   -keystore truststore.jks   -trustcacerts   -file mitmproxy-ca.crt   -noprompt
Tip: prefer a strong password instead of changeit in production. You can also use PKCS12 by setting -deststoretype PKCS12.
2. (Kubernetes) Create a Secret containing the truststore
Create a Kubernetes secret from the truststore.jks:
kubectl create secret generic kestra-ssl   --from-file=truststore.jks   -n kestra
This secret will be mounted into Kestra pods.
Configuring Kestra to use the MITM proxy
You must update the Kestra configuration and ensure the truststore is available inside the container. Below are suggested changes for both Kubernetes (Helm) and Docker Compose deployments.
1. Micronaut / Kestra configuration
Add proxy settings and truststore configuration to your Kestra configuration (merged via Helm configurations.application or a config file):
# values.yaml (or application.yml configuration)
configuration:
  micronaut:
    http:
      client:
        proxy-address: "your.proxy.net:8000"
        proxy-type: HTTP
  server:
    ssl:
      clientAuthentication: want
      trustStore:
        path: "file:/app/ssl/truststore.jks"
        password: "changeit"
        type: "JKS"
2. Mount the truststore inside the container
Kubernetes (Helm values.yaml)
extraVolumeMounts:
  - name: ssl-secret
    mountPath: "/app/ssl"
    readOnly: true
extraVolumes:
  - name: ssl-secret
    secret:
      secretName: kestra-ssl
Docker Compose
services:
  kestra:
    volumes:
      - kestra-data:/app/storage
      - /var/run/docker.sock:/var/run/docker.sock
      - tmp-kestra:/tmp/kestra-wd
      - ./ssl:/app/ssl   # ensure ./ssl/truststore.jks exists on host
3. JVM environment variables (JAVA_OPTS)
Kubernetes (values.yaml)
extraEnv:
  - name: JAVA_OPTS
    value: >-
      -Djavax.net.ssl.trustStore=/app/ssl/truststore.jks
      -Djavax.net.ssl.trustStorePassword=changeit
      -Djavax.net.ssl.trustStoreType=JKS
      -Dhttp.proxyHost=your.proxy.net
      -Dhttp.proxyPort=8000
      -Dhttps.proxyHost=your.proxy.net
      -Dhttps.proxyPort=8000
      -Dhttp.nonProxyHosts=localhost|127.0.0.1|kubernetes.default.svc|.svc|.cluster.local|your.nexus.domain.com|kestra-minio
Docker Compose
services:
  kestra:
    environment:
      - JAVA_OPTS=-Djavax.net.ssl.trustStore=/app/ssl/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.trustStoreType=JKS -Dhttp.proxyHost=your.proxy.net -Dhttp.proxyPort=8000 -Dhttps.proxyHost=your.proxy.net -Dhttps.proxyPort=8000 -Dhttp.nonProxyHosts=localhost|127.0.0.1|your.nexus.domain.com
Troubleshooting
- TLS handshake errors
Verify truststore.jkscontains the correct CA (keytool -list -keystore truststore.jks).
- Requests not reaching the proxy
Confirm http.proxyHost/https.proxyHostandhttp.nonProxyHostsare correct.
- Docker image pull failures
Add the MITM CA to Docker daemon certs (/etc/docker/certs.d/.../ca.crt).
- Debugging TLS
Temporarily enable: -Djavax.net.debug=ssl,handshake.
Was this page helpful?
