Kubernetes version: 1.14.8-gke.12
Cloud being used: GKE
Dgraph version: Master (Jan/19/2020)
Add authentication & TLS to access DGraph & Ratel securely from outside the cluster.
I have installed Dgraph usings the latest helm chart and that keeps all services internally as ClusterIP. After the setup, I got the following pods:
web goci-dgraph-alpha ClusterIP 10.126.9.214 8080/TCP,9080/TCP
web goci-dgraph-alpha-headless ClusterIP None 7080/TCP
web goci-dgraph-ratel ClusterIP 10.126.10.114 8000/TCP
web goci-dgraph-zero ClusterIP 10.126.2.66 5080/TCP,6080/TCP
web goci-dgraph-zero-headless ClusterIP None 5080/TCP
I can port-forward locally and acces the DB & Ratel like so:
kubectl port-forward dgraph-alpha-0 8080
kubectl port-forward dgraph-ratel 8000
That stuff works.
However, external access through a conventional LoadBalancer falls flat because in that case, there is no authentication and encrypted connection. Adding a default ingress that allows easy auth, simple routing & TLS, however, also falls flat because it isn’t support in the DGraph Helm chart. I already opened an issue:
Adding a reverse http proxy, however, while feasible feels a little bit overkill here.
For now, the best I can do is to an ingress controller manually to access the alpha & ratel node from the outside world and that that is where the real headache starts.
First, I made a TLS secret like so:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj “/CN=nginxsvc/O=nginxsvc”
$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt
Next, I wrote an ingress.yaml like so:
And I added a service.yaml like so:
Then, I added an A record to the domain so that it points to the public IP of the LoadBalancer.
However, the above config doesn’t work and I get no connection.
What am I doing wrong?
Also, this is not about exposing the DB & Ratel, but ultimately about using an ingress controller for adding missing TLS & authentication to secure the DB while ensuring external access.
Also, is there a simpler way to add even basic security to ensure secured remote access to Dgraph?
I don’t mind sharing a working config, but getting there is surprisingly hard.
Any help is most welcome.