How to add external access with authentication to K8s deployment?

Cluster information:

Kubernetes version: 1.14.8-gke.12
Cloud being used: GKE
Dgraph version: Master (Jan/19/2020)


Add authentication & TLS to access DGraph & Ratel securely from outside the cluster.


I have installed Dgraph using the latest helm chart and that keeps all services internally as ClusterIP. After the setup, I got the following pods:

web goci-dgraph-alpha ClusterIP 8080/TCP,9080/TCP
web goci-dgraph-alpha-headless ClusterIP None 7080/TCP
web goci-dgraph-ratel ClusterIP 8000/TCP
web goci-dgraph-zero ClusterIP 5080/TCP,6080/TCP
web goci-dgraph-zero-headless ClusterIP None 5080/TCP


I can port-forward locally and access the DB & Ratel like so:

kubectl port-forward dgraph-alpha-0 8080
kubectl port-forward dgraph-ratel 8000

That stuff works.


However, external access through a conventional LoadBalancer falls flat because in that case, there is no authentication and encrypted connection. Adding a default ingress that allows easy auth, simple routing & TLS, however, also falls flat because it isn’t supported in the DGraph Helm chart. I already opened an issue:

Adding a reverse http proxy, however, while feasible feels a little bit overkill here.

Current try:

For now, the best I can do is to add an ingress controller manually to access the alpha & ratel node from the outside world and that is where the real headache starts.

First, I made a TLS secret like so:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"

$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt

Next, I wrote an ingress.yaml like so:

And I added a service.yaml like so:

Then, I added an A record to the domain so that it points to the public IP of the LoadBalancer.

However, the above config doesn’t work and I get no connection.

What am I doing wrong?

Also, this is not about exposing the DB & Ratel, but ultimately about using an ingress controller for adding missing TLS & authentication to secure the DB while ensuring external access.

Also, is there a simpler way to add even basic security to ensure secured remote access to Dgraph?

I don’t mind sharing a working config, but getting there is surprisingly hard.

Any help is most welcome.
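
An Ingress of the kind described above, as an added example that is not part of the original post or of the Dgraph Helm chart. It assumes the NGINX ingress controller (ingress-nginx) is installed and that a hypothetical `basic-auth` secret holds an htpasswd file; the hostnames and the Ingress name are placeholders, while the service names, ports and `tls-secret` are taken from the post.

```yaml
# Added example. Assumes ingress-nginx; must live in the same namespace
# as the Dgraph services and the secrets it references.
# Hypothetical prerequisite, created separately (the file must be named "auth"):
#   htpasswd -c auth <user>
#   kubectl create secret generic basic-auth --from-file=auth
apiVersion: networking.k8s.io/v1beta1   # Ingress API group served by Kubernetes 1.14
kind: Ingress
metadata:
  name: dgraph-ingress                  # hypothetical name
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # HTTP basic auth enforced at the ingress, before traffic reaches Dgraph
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
    # Redirect plain HTTP to HTTPS so credentials are never sent in clear text
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:                            # placeholder hostnames; the certificate in
        - alpha.example.com             # tls-secret has to be issued for these names
        - ratel.example.com
      secretName: tls-secret            # TLS secret created in the post
  rules:
    - host: alpha.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: goci-dgraph-alpha   # HTTP port of the alpha service
              servicePort: 8080
    - host: ratel.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: goci-dgraph-ratel
              servicePort: 8000
```

With an ingress controller in front, the Dgraph services themselves can stay ClusterIP; only the controller's own service needs a public address, and the DNS A record points at that address.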

