How to add external access with authentication to K8s deployment?

Cluster information:

Kubernetes version: 1.14.8-gke.12
Cloud being used: GKE
Dgraph version: Master (Jan/19/2020)

Goal

Add authentication & TLS to access DGraph & Ratel securely from outside the cluster.

Installation

I have installed Dgraph using the latest helm chart and that keeps all services internally as ClusterIP. After the setup, I got the following pods:

NAMESPACE   NAME                         TYPE        CLUSTER-IP      PORT(S)
web         goci-dgraph-alpha            ClusterIP   10.126.9.214    8080/TCP,9080/TCP
web         goci-dgraph-alpha-headless   ClusterIP   None            7080/TCP
web         goci-dgraph-ratel            ClusterIP   10.126.10.114   8000/TCP
web         goci-dgraph-zero             ClusterIP   10.126.2.66     5080/TCP,6080/TCP
web         goci-dgraph-zero-headless    ClusterIP   None            5080/TCP

Verification

I can port-forward locally and access the DB & Ratel like so:

kubectl port-forward dgraph-alpha-0 8080
kubectl port-forward dgraph-ratel 8000

That stuff works.

Complication

However, external access through a conventional LoadBalancer falls flat because in that case, there is no authentication and no encrypted connection. Adding a default ingress that allows easy auth, simple routing & TLS, however, also falls flat because it isn't supported in the DGraph Helm chart. I already opened an issue:

https://github.com/dgraph-io/dgraph/issues/4616

Adding a reverse http proxy, however, while feasible feels a little bit overkill here.

Current try:

For now, the best I can do is to add an ingress controller manually to access the alpha & ratel node from the outside world, and that is where the real headache starts.

First, I made a TLS secret like so:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"

$ kubectl create secret tls tls-secret --key tls.key --cert tls.crt

Next, I wrote an ingress.yaml like so:

https://github.com/marvin-hansen/ngnix-k8s/blob/master/Ingress.yaml

And I added a service.yaml like so:
https://github.com/marvin-hansen/ngnix-k8s/blob/master/service.yaml

Then, I added an A record to the domain so that it points to the public IP of the LoadBalancer.

However, the above config doesn't work and I get no connection.

What am I doing wrong?

Also, this is not about exposing the DB & Ratel, but ultimately about using an ingress controller for adding missing TLS & authentication to secure the DB while ensuring external access.

Also, is there a simpler way to add even basic security to ensure secured remote access to Dgraph?

I don't mind sharing a working config, but getting there is surprisingly hard.

Any help is most welcome.

TIA
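As an added example (not the poster's linked Ingress.yaml and not part of the Dgraph Helm chart), this is the shape of Ingress that does what the post asks for: TLS termination with the tls-secret created above, plus HTTP basic auth in front of both Alpha's HTTP port and Ratel. It assumes the NGINX ingress controller is installed (the GKE default GCE ingress controller ignores the nginx.ingress.kubernetes.io annotations), that the Ingress and secrets live in the same namespace as the Dgraph services (web in the listing), and that a basic-auth secret has been created from an htpasswd file as shown in the comments. The hostnames dgraph.example.com and ratel.example.com are placeholders.

```yaml
# Added example, not the poster's config. Assumptions are listed in the comments.
#
# Create the credentials secret once (htpasswd from apache2-utils):
#   htpasswd -c auth dgraphadmin           # prompts for a password, writes ./auth
#   kubectl -n web create secret generic basic-auth --from-file=auth
#
# The TLS secret "tls-secret" from the openssl/kubectl commands in the post
# must exist in the same namespace ("web") as this Ingress.
apiVersion: networking.k8s.io/v1beta1   # Ingress API available on Kubernetes 1.14
kind: Ingress
metadata:
  name: dgraph-ingress
  namespace: web
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Require a username/password before any request reaches Alpha or Ratel
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Dgraph - authentication required"
    # Refuse plain HTTP so credentials are never sent unencrypted
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - dgraph.example.com   # placeholder hostname
    - ratel.example.com    # placeholder hostname
    secretName: tls-secret
  rules:
  # Alpha HTTP API (port 8080 from the service listing)
  - host: dgraph.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: goci-dgraph-alpha
          servicePort: 8080
  # Ratel UI (port 8000 from the service listing); a separate host avoids
  # path rewrites that break Ratel's static asset URLs
  - host: ratel.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: goci-dgraph-ratel
          servicePort: 8000
```

Two checks worth doing when this yields "no connection": the DNS A record has to point at the EXTERNAL-IP of the ingress controller's own Service (kubectl get svc -n ingress-nginx), not at a separate LoadBalancer Service in front of Alpha, and the Ingress must be in the namespace of the Dgraph services, since an Ingress cannot reference a Service across namespaces. Note also that the self-signed certificate from the post carries CN=nginxsvc, which will not match these hostnames, so clients will reject it until the certificate is issued for the real host (for example via cert-manager). This Ingress only covers Alpha's HTTP port 8080; the gRPC port 9080 is not routed and stays cluster-internal.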
