Advanced usage

For clarity, some edge cases were left out of the installation documentation. You will find some of them below.

Running behind a Docker registry proxy

If your installation environment requires you to whitelist images that can be pulled by the Kubernetes cluster, you must whitelist the registry.evertrust.io/horizon and registry.evertrust.io/horizon-upgrade images.

Leases

To ensure clustering issues get resolved as fast as possible, Horizon can use a CRD (Custom Resource Definition) named Lease (akka.io/v1/leases). We strongly recommend that you use this mechanism; however, it requires that you have the necessary permissions to install CRDs on your cluster. If you don't, the feature can be disabled by passing the --skip-crds flag to the Helm command when installing the chart and setting the leases.enabled key to false. If you want to install the CRD manually, see the crds/leases.yml file.

Injecting extra configuration

Extra Horizon configuration can be injected into the bundled application.conf file to modify low-level behavior of Horizon. Use this carefully, as it may break things. To do so, mount a folder containing a custom.conf file in the Horizon container at /horizon/etc/conf.d/.

This can be done with the following edits to your values.yaml file:

extraVolumes:
  - name: additional-config
    configMap:
      name: additional-config

extraVolumeMounts:
  - name: additional-config
    mountPath: /horizon/etc/conf.d

Where the additional-config ConfigMap contains a single key with your custom configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: additional-config
data:
  custom.conf: |-
    play.server.http.port = 9999

Extra configurations are included at the end of the config file, overriding any previously set config value.

Manual ingress configuration

If you do not wish to, or cannot, use autoconfiguration, you should ensure your ingress controller is correctly configured to enable all Horizon features.

  • When requiring client certificates for authentication, the web server should not perform checks to validate that the certificate is signed by a trusted CA. Instead, the certificate should be sent to Horizon base64-encoded in a request header. The header name used can be controlled with the clientCertificateHeader key.

  • Some endpoints should not be served over HTTPS, and some should always ask for a client certificate. Refer to the matrix below to understand how to correctly configure your ingress controller for a full-featured Horizon install.

Enrollment protocol | Endpoints                                   | Expected behavior
SCEP                | /scep, /certsrv, /certSrv, /intune, /jamf    | Never ask for a client certificate. Serve over both HTTP (preferably supporting 1.0) and HTTPS.
EST                 | /.well-known/est                             | Always ask for an optional client certificate.
ACME                | /acme                                        | Never ask for a client certificate.
WCCE                | /api/v1/wcce                                 | Always ask for an optional client certificate.
-                   | *                                            | May ask for a client certificate if requested by the user.
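As an added example (not part of the Horizon documentation or chart), the following script encodes the matrix above and the rule that the ingress must never validate client certificates itself, and checks a hand-written ingress layout against them. The layout format (path, client_cert, schemes, forward_cert) and the sample layout are this example's own assumptions.

```python
# Added example, not from the Horizon documentation or chart: check a hand-written
# ingress layout against the endpoint matrix. Field names are this example's own.

# Matrix rows: (path prefix, expected client_cert policy, schemes that must be served).
# client_cert is "off" (never ask), "optional" (ask, do not require) or "required".
MATRIX = [
    ("/scep", "off", {"http", "https"}),
    ("/certsrv", "off", {"http", "https"}),
    ("/certSrv", "off", {"http", "https"}),
    ("/intune", "off", {"http", "https"}),
    ("/jamf", "off", {"http", "https"}),
    ("/.well-known/est", "optional", None),
    ("/acme", "off", None),
    ("/api/v1/wcce", "optional", None),
]


def matching_rule(path):
    """Longest-prefix match; None means the catch-all row (may ask if the user requests)."""
    hits = [r for r in MATRIX if path == r[0] or path.startswith(r[0] + "/")]
    return max(hits, key=lambda r: len(r[0])) if hits else None


def check_ingress(paths):
    """Return human-readable findings for each ingress path; an empty list is compliant."""
    findings = []
    for entry in paths:
        path, policy = entry["path"], entry["client_cert"]
        # The ingress must never validate the certificate itself: Horizon expects to
        # receive it base64-encoded in the clientCertificateHeader and validate it.
        if policy == "required":
            findings.append(f"{path}: ingress enforces the client certificate; request it optionally and forward the header")
        elif policy == "optional" and not entry.get("forward_cert", False):
            findings.append(f"{path}: certificate requested but not forwarded to Horizon in a header")
        rule = matching_rule(path)
        if rule is None:
            continue  # catch-all row: anything but "required" is acceptable
        prefix, expected, schemes = rule
        if policy != expected:
            findings.append(f"{path}: {prefix} expects client_cert={expected!r}, got {policy!r}")
        if schemes and not schemes <= set(entry.get("schemes", ())):
            findings.append(f"{path}: {prefix} must be served over {sorted(schemes)}")
    return findings


# Constructed sample layout with two deliberate mistakes (SCEP HTTPS-only, EST enforced).
SAMPLE_INGRESS = [
    {"path": "/scep", "client_cert": "off", "schemes": {"https"}},
    {"path": "/.well-known/est", "client_cert": "required", "schemes": {"https"}},
    {"path": "/acme", "client_cert": "off", "schemes": {"https"}},
    {"path": "/api/v1/wcce", "client_cert": "optional", "schemes": {"https"}, "forward_cert": True},
]
FINDINGS = check_ingress(SAMPLE_INGRESS)  # three findings for the sample above
```

Run it against your own ingress paths before switching autoconfiguration off; an empty result means every path matches the matrix.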