Expose Sync Daemon on Google Cloud

This section will walk you through the steps required to make your Rok sync daemon accessible from other Rok clusters and Registries, using a Google Cloud Load Balancer.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Edit rok/rok-sync/overlays/deploy/kustomization.yaml and enable only the service-gclb patch, instead of the default service-elb:

    patches:
    #- patches/service-elb.yaml
    - patches/service-gclb.yaml  # <-- Uncomment this line
  3. Edit rok/rok-sync/overlays/deploy/patches/service-gclb.yaml and set the load-balancer-type annotation based on the type of the load balancer you are going to create:

    For a public load balancer:

    annotations:
      networking.gke.io/load-balancer-type: "Public"

    For an internal load balancer:

    annotations:
      networking.gke.io/load-balancer-type: "Internal"
  4. Edit rok/rok-sync/overlays/deploy/patches/service-gclb.yaml and configure loadBalancerSourceRanges to allow access from the CIDRs of the Rok Registry and the rest of your Rok clusters. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone:

    spec:
      loadBalancerSourceRanges:
      - "0.0.0.0/0"

    See also

    Instructions to find the outbound IP addresses of all services (including Rok and Rok Registry) running in a Kubernetes cluster.

    Note

    If you need to specify multiple CIDRs, format them as a YAML list. For example:

    loadBalancerSourceRanges:
    - "1.2.3.4/32"
    - "5.6.7.8/32"
  5. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose sync daemon on Google Cloud"
  6. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-sync/overlays/deploy

Verify

  1. Verify that the LoadBalancer Service gets an EXTERNAL-IP:

    root@rok-tools:# kubectl get service -n rok rok-sync
    NAME       TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)           AGE
    rok-sync   LoadBalancer   10.92.53.244   198.51.100.1   32123:30473/TCP   1m
  2. Verify that the load balancer allows connections from the CIDRs of the Rok Registry and the rest of your Rok clusters:

    root@rok-tools:# kubectl get service -n rok rok-sync -o json \
    >     | jq -r '.spec.loadBalancerSourceRanges[]'
    0.0.0.0/0
  3. Obtain the address of the LoadBalancer Service:

    root@rok-tools:# export SYNC_ADDRESS=$(kubectl get service -n rok rok-sync -o json \
    >     | jq -r '.status.loadBalancer.ingress[].ip')
  4. Verify that you can connect to the sync daemon from your rok-tools container:

    root@rok-tools:# timeout 5 curl -m 3 -v telnet://${SYNC_ADDRESS?}:32123/
    *   Trying 198.51.100.1...
    * TCP_NODELAY set
    * Connected to 198.51.100.1 (198.51.100.1) port 32123 (#0)

    Troubleshooting

    Connection timed out.

    Make sure that the firewall of the LoadBalancer Service allows connections from the rok-tools container. If you don’t want to allow access, you can skip this step.
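The checks behind Verify steps 1 and 2, as an added Python example that is not part of the Rok documentation or of the rok-tools tooling: it reads the JSON that `kubectl get service -n rok rok-sync -o json` prints and reports whether the Service has an EXTERNAL-IP, whether the load-balancer-type annotation is one of the two values used in the procedure, whether any loadBalancerSourceRanges entry is 0.0.0.0/0 (or the list is missing, which Kubernetes treats the same way), and whether every peer address you pass in is covered by at least one range. The `sample_service_json` builder, the `peer_ips` argument and all addresses in it are constructed for the example; on a real cluster you pipe the kubectl output into `audit_sync_service` and pass the outbound IPs of the Rok Registry and your other Rok clusters.

```python
import ipaddress
import json
import sys

ANNOTATION = "networking.gke.io/load-balancer-type"


def sample_service_json(source_ranges, lb_type="Internal", external_ip="198.51.100.1"):
    """Build a constructed stand-in for the output of
    `kubectl get service -n rok rok-sync -o json`, trimmed to the fields the
    audit reads. The addresses are documentation ranges, not real endpoints."""
    ingress = [{"ip": external_ip}] if external_ip else []
    return json.dumps({
        "metadata": {"name": "rok-sync", "namespace": "rok",
                     "annotations": {ANNOTATION: lb_type}},
        "spec": {"type": "LoadBalancer",
                 "loadBalancerSourceRanges": list(source_ranges)},
        "status": {"loadBalancer": {"ingress": ingress}},
    })


def audit_sync_service(service_json, peer_ips):
    """Return a list of findings; an empty list means the Service looks as intended.

    service_json: JSON text of the rok-sync Service.
    peer_ips: outbound addresses of the Rok Registry and the other Rok
              clusters that must reach the sync daemon (hypothetical input;
              gather them from those environments).
    """
    svc = json.loads(service_json)
    findings = []

    # Procedure step 3: the annotation must name one of the two GCLB types.
    lb_type = svc.get("metadata", {}).get("annotations", {}).get(ANNOTATION)
    if lb_type not in ("Public", "Internal"):
        findings.append(f"unexpected {ANNOTATION} value: {lb_type!r}")

    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        findings.append("Service type is not LoadBalancer")

    # Procedure step 4: source ranges. Kubernetes treats an absent list as
    # "allow from anywhere", i.e. the same as 0.0.0.0/0.
    ranges = [ipaddress.ip_network(r) for r in spec.get("loadBalancerSourceRanges", [])]
    if not ranges:
        findings.append("no loadBalancerSourceRanges set: open to everyone")
    for net in ranges:
        if net.prefixlen == 0:
            findings.append(f"source range {net} allows everyone")

    # Every peer that must sync with this cluster has to fall inside a range.
    for ip in peer_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ranges):
            findings.append(f"peer {ip} is not covered by any source range")

    # Verify step 1: the cloud provider must have assigned an EXTERNAL-IP.
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    if not any("ip" in entry for entry in ingress):
        findings.append("Service has no EXTERNAL-IP yet")

    return findings


if __name__ == "__main__":
    # Usage: kubectl get service -n rok rok-sync -o json | python3 audit.py PEER_IP...
    # Without piped input it audits the constructed, wide-open sample instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else sample_service_json(["0.0.0.0/0"])
    for finding in audit_sync_service(data, sys.argv[1:]) or ["OK"]:
        print(finding)
```

Run it from the rok-tools container after step 6 of the procedure; a non-empty report means either the patch in service-gclb.yaml still carries the default 0.0.0.0/0 or one of your peers' outbound addresses is missing from loadBalancerSourceRanges.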

Summary

You have successfully exposed the sync daemon of your Rok cluster to other Rok clusters and Registries, using a Google Cloud Load Balancer.

What’s Next

The next step is to configure the sync daemon to announce this load balancer address to other peers.