How to add external access with authentication to K8s deployment?

marvin-hansen · January 19, 2020, 6:43pm

Cluster information:

Kubernetes version: 1.14.8-gke.12
Cloud being used: GKE
Dgraph version: Master (Jan/19/2020)

Goal

Add authentication & TLS to access DGraph & Ratel securely from outside the cluster.

Installation

I have installed Dgraph usings the latest helm chart and that keeps all services internally as ClusterIP. After the setup, I got the following pods:

web goci-dgraph-alpha ClusterIP 10.126.9.214 8080/TCP,9080/TCP
web goci-dgraph-alpha-headless ClusterIP None 7080/TCP
web goci-dgraph-ratel ClusterIP 10.126.10.114 8000/TCP
web goci-dgraph-zero ClusterIP 10.126.2.66 5080/TCP,6080/TCP
web goci-dgraph-zero-headless ClusterIP None 5080/TCP

Verification

I can port-forward locally and acces the DB & Ratel like so:

kubectl port-forward dgraph-alpha-0 8080
kubectl port-forward dgraph-ratel 8000

That stuff works.

Complication

However, external access through a conventional LoadBalancer falls flat because in that case, there is no authentication and encrypted connection. Adding a default ingress that allows easy auth, simple routing & TLS, however, also falls flat because it isn’t support in the DGraph Helm chart. I already opened an issue:

https://github.com/dgraph-io/dgraph/issues/4616

Adding a reverse http proxy, however, while feasible feels a little bit overkill here.

Current try:

For now, the best I can do is to an ingress controller manually to access the alpha & ratel node from the outside world and that that is where the real headache starts.

First, I made a TLS secret like so:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj “/CN=nginxsvc/O=nginxsvc”

$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt

Next, I wrote an ingress.yaml like so:

https://github.com/marvin-hansen/ngnix-k8s/blob/master/Ingress.yaml

And I added a service.yaml like so:
https://github.com/marvin-hansen/ngnix-k8s/blob/master/service.yaml

Then, I added an A record to the domain so that it points to the public IP of the LoadBalancer.

However, the above config doesn’t work and I get no connection.

What am I doing wrong?

Also, this is not about exposing the DB & Ratel, but ultimately about using an ingress controller for adding missing TLS & authentication to secure the DB while ensuring external access.

Also, is there a simpler way to add even basic security to ensure secured remote access to Dgraph?

I don’t mind sharing a working config, but getting there is surprisingly hard.

Any help is most welcome.

TIA

system · February 18, 2020, 6:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dgraph TLS with the Dgraph helm charts Dgraph	4	1079	February 20, 2021
Can a ingress be added for ratel? Issues untagged , charts	4	893	August 14, 2020
Better practice... Google TLS ingress to non-encrypted backend vs. TLS to Dgraph Users discussion	3	845	October 2, 2020
Grpc access from kubernetes Dgraph Clients	6	653	February 3, 2023
Dgraph Ratel error in EKS Dgraph	3	639	June 8, 2020