This repository has been archived by the owner on Oct 11, 2024. It is now read-only.

Use K8 ingress for TLS termination #1443

Merged
merged 13 commits into from
Feb 8, 2020

Conversation


@gdbelvin gdbelvin commented Jan 28, 2020

Use K8 ingress for TLS termination

Kubernetes ingress objects support

  • Managed TLS Certificates
  • Central monitoring and metrics
  • Static IP address, which allows DNS setup for sandbox.keytransparency.dev.

The backend protocol from the ingress reverse proxy to the binaries uses HTTP/2 + TLS.

This PR uses kustomize to configure k8 configs for both GCE and baremetal deployments. The baremetal deployment is used for local testing and the kubernetes test in travis. Baremetal deployments must locally supply an ingress implementation, this PR uses nginx. The GCE deployment uses the cloud provided GCE ingress implementation.

I chose kustomize over helm because kustomize has better support for multiple deployment environments. We can revisit this decision later if needed.

The directory structure:

deploy
├── kubernetes
│   ├── base
│   └── overlays
│       ├── gke // Google Cloud
│       └── local // Baremetal for local and travis tests
│           └── ingress-nginx
│               ├── baremetal // nginx configs required for non-cloud deployments
│               ├── cloud-generic // Basic nginx config required for most deployments
│               └── static  // Basic nginx config required for all nginx deployments

To verify that this PR worked:

$ ./scripts/deploy.sh
$ curl https://sandbox.keytransparency.dev -w '%{http_version}\n'
ok
2 
$ go install github.com/fullstorydev/grpcurl/cmd/grpcurl
$ grpcurl sandbox.keytransparency.dev:443 list
google.keytransparency.v1.KeyTransparency
grpc.reflection.v1alpha.ServerReflection

Fixes #1396
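The layout above maps naturally onto a kustomize base plus per-environment overlays. The manifests below are an added illustration written for this page, not the PR's own files: the Service/Ingress names (kt-server, kt-ingress), the TLS secret name (kt-tls), the gRPC port (8080) and the file names are assumptions, and kustomize v4+ `patches` syntax is assumed (the `kubectl -k` build noted later in this thread would not accept it). The base carries the two things the nginx controller needs to serve our certificate rather than its own (an explicit default backend and an explicit path rule); the local overlay only adds the nginx-specific annotations, including GRPCS so the proxy re-encrypts with HTTP/2 + TLS to the pod as the description requires.

```yaml
# deploy/kubernetes/base/kustomization.yaml   (assumed file layout, example only)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - service.yaml
  - ingress.yaml
---
# deploy/kubernetes/base/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: kt-server                  # assumed name
spec:
  type: NodePort                   # needed for the GCE ingress and for the KIND port mapping
  selector:
    app: kt-server
  ports:
    - name: grpc                   # the port *name* is what the GKE app-protocols annotation keys on
      port: 8080
      targetPort: 8080             # assumed: the binary serves gRPC + HTTP/2 over TLS here
---
# deploy/kubernetes/base/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kt-ingress
spec:
  tls:
    - hosts: [sandbox.keytransparency.dev]
      secretName: kt-tls           # assumed secret; the GKE overlay swaps this for a managed cert
  defaultBackend:                  # supplied explicitly so the controller does not create its own
    service:
      name: kt-server
      port: { name: grpc }
  rules:
    - host: sandbox.keytransparency.dev
      http:
        paths:
          - path: /
            pathType: Prefix       # without a path rule nginx ignores spec.tls and serves its default cert
            backend:
              service:
                name: kt-server
                port: { name: grpc }
---
# deploy/kubernetes/overlays/local/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patches:
  - path: ingress-nginx-patch.yaml
---
# deploy/kubernetes/overlays/local/ingress-nginx-patch.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kt-ingress
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"   # HTTP/2 + TLS from nginx to the pod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
```

One caveat for the local overlay: with GRPCS the nginx controller re-encrypts to the backend but does not verify the backend's certificate by default, so the hop inside the cluster is encrypted but not authenticated. If the backend uses a certificate you control, add `nginx.ingress.kubernetes.io/proxy-ssl-secret` pointing at a secret holding its CA and set `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"`. Render either overlay with `kustomize build deploy/kubernetes/overlays/local` and inspect the output before applying it.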


codecov bot commented Jan 28, 2020

Codecov Report

Merging #1443 into master will increase coverage by 0.02%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##           master    #1443      +/-   ##
==========================================
+ Coverage   66.39%   66.41%   +0.02%     
==========================================
  Files          54       54              
  Lines        4026     4026              
==========================================
+ Hits         2673     2674       +1     
  Misses        960      960              
+ Partials      393      392       -1
Impacted Files Coverage Δ
core/sequencer/server.go 73.61% <0%> (-0.33%) ⬇️
core/sequencer/trillian_client.go 61.42% <0%> (+2.85%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 112863f...bd3af4e.

@gdbelvin gdbelvin force-pushed the lb2 branch 7 times, most recently from 9eb8c83 to ffeb5e8 January 28, 2020 20:34
The simplest ingress setup is to only proxy HTTP2 traffic.
Multiplexing gRPC and HTTP is possible, but it requires two ingress
objects and explicit path / gRPC service specific forwarding rules.

Notes:
- Supply a default backend to prevent the ingress controller from
  creating its own
- Supply path routes. Without path routing NGINX won't use our TLS certs
  and will supply its own "default" TLS cert.
@gdbelvin gdbelvin force-pushed the lb2 branch 3 times, most recently from 6c9502f to bdedd90 January 28, 2020 20:55
- Link to a static IP resource.
- Disable HTTP to slightly simplify the firewall rules.
- Set the backend protocol to HTTP2.
  - Requires an HTTP2 healthcheck at '/'.
  - Requires TLS (HTTP2 + TLS is incompatible with cmux).
  - Supports GRPC.

Refs
- https://cloud.google.com/load-balancing/docs/https/
This makes debugging slightly easier since NodePorts will be stable
This makes the ingress object routable by Kubernetes in Docker (KIND)

The current kind config routes localhost traffic on 443 to specific node ports (80443)
Using kustomize is required because `kubectl -k` doesn't support
directories as resources in the kustomize file.
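The GCE commit notes above (static IP, HTTP disabled, HTTP2 backend protocol with a health check at '/', TLS required) translate into a handful of GKE-specific annotations and two GKE custom resources layered over the same base. The overlay below is an added example for this page, not the PR's gke overlay: the resource names (kt-ingress, kt-server, kt-cert, kt-backendconfig, kt-sandbox-ip), the port (8080) and the file names are assumptions, and it presumes kustomize v4+ syntax and a GKE version that serves `networking.gke.io/v1` and `cloud.google.com/v1` (older clusters use the v1beta1 forms). On Google Cloud, declaring the backend protocol as HTTP2 means the load balancer always speaks TLS to the pods, which is why the binaries must serve TLS and why a plain HTTP/2 health check will not do.

```yaml
# deploy/kubernetes/overlays/gke/kustomization.yaml   (assumed file layout, example only)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
  - managed-certificate.yaml
  - backend-config.yaml
patches:
  - path: ingress-gce-patch.yaml
  - path: service-gce-patch.yaml
  - target: { kind: Ingress, name: kt-ingress }
    patch: |-                     # the cert now comes from GCE, so drop the secret-based tls block
      - op: remove
        path: /spec/tls
---
# deploy/kubernetes/overlays/gke/managed-certificate.yaml
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: kt-cert
spec:
  domains:
    - sandbox.keytransparency.dev    # DNS must already resolve to the reserved static IP or issuance stalls
---
# deploy/kubernetes/overlays/gke/backend-config.yaml
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: kt-backendconfig
spec:
  healthCheck:
    type: HTTP2                      # HTTP/2 backends need an HTTP/2 (over TLS) health check
    requestPath: /                   # the binary must answer 200 at '/' or the backend stays UNHEALTHY
    port: 8080                       # assumed container port
---
# deploy/kubernetes/overlays/gke/ingress-gce-patch.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kt-ingress
  annotations:
    kubernetes.io/ingress.class: gce
    kubernetes.io/ingress.global-static-ip-name: kt-sandbox-ip   # reserved beforehand with
                                                                 # gcloud compute addresses create kt-sandbox-ip --global
    kubernetes.io/ingress.allow-http: "false"                    # no port-80 listener: fewer firewall rules, no plaintext entry point
    networking.gke.io/managed-certificates: kt-cert
---
# deploy/kubernetes/overlays/gke/service-gce-patch.yaml
apiVersion: v1
kind: Service
metadata:
  name: kt-server
  annotations:
    cloud.google.com/app-protocols: '{"grpc":"HTTP2"}'             # key must equal the Service port name
    cloud.google.com/backend-config: '{"default":"kt-backendconfig"}'
```

Two checks worth running after `kustomize build deploy/kubernetes/overlays/gke | kubectl apply -f -`: `kubectl describe managedcertificate kt-cert` should eventually report `Status: Active` for the domain, and `kubectl get ingress kt-ingress -o jsonpath='{.metadata.annotations.ingress\.kubernetes\.io/backends}'` should show the backend as `HEALTHY`; an `UNHEALTHY` backend with a 502 from the load balancer almost always means the health check type or path does not match what the binary serves.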
@gdbelvin gdbelvin marked this pull request as ready for review February 4, 2020 09:36
@gdbelvin gdbelvin requested a review from a team as a code owner February 4, 2020 09:36

gdbelvin commented Feb 4, 2020

After researching Helm, I've decided to stick with Kustomize for the following reasons

  1. Helm supports environment specific customization through Go Templating. This makes small changes possible, but larger changes quickly become convoluted.
  2. I couldn't see a way to optionally depend on subcharts in an environment specific manner.
     • To support local testing, we need bare metal features that cloud service providers typically provide.
  3. The more complex use cases for setting up let's encrypt certs can be managed by relying on GCE. This reduces the effectiveness of local testing, but the local testing story probably deserves a re-think.


@NatalieDoduc NatalieDoduc left a comment

For your main PR description, can you make the first line more descriptive? These guidelines are really useful: https://chris.beams.io/posts/git-commit/

Could you also add in the PR description more details about the additional files and structure under ingress-nginx?

Also, I'd recommend that you explain the use of Kustomize (and the results of the investigation into Helm) in the PR description itself, rather than inline in the comments.

Finally if this adds a mechanism to route from outside to our cluster, can you add sample commands or reference to how one might validate that the setup works?

* master:
  Portable docker images cleanup script (google#1445)
Also deletes unreferenced yaml configs.

gdbelvin commented Feb 5, 2020

Thanks for your suggestions @NatalieDoduc

Please see

  • Updated README.md
    • Dir structure
    • Testing instructions
  • A README.md for the ingress-nginx directory

@NatalieDoduc NatalieDoduc removed their assignment Feb 6, 2020

@NatalieDoduc NatalieDoduc left a comment

LGTM - can you just update the PR title to match your first line of the description.

Also, a few questions below, but only for clarification, no changes required. Thanks!

@gdbelvin gdbelvin changed the title GCE Ingress Use K8 ingress for TLS termination Feb 6, 2020
@gdbelvin gdbelvin merged commit 57ba06e into google:master Feb 8, 2020
@gdbelvin gdbelvin deleted the lb2 branch February 8, 2020 12:22
Successfully merging this pull request may close these issues.

Use Let's Encrypt to get a real tls keypair
3 participants