Expose Sync Daemon on Google Cloud¶
This section will walk you through the steps required to make your Rok sync daemon accessible from other Rok clusters and Registries, using a Google Cloud Load Balancer.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing GKE cluster.
- A working Rok deployment.
Procedure¶
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:~# cd ~/ops/deployments

2. Edit rok/rok-sync/overlays/deploy/kustomization.yaml and enable only the service-gclb patch, instead of the default service-elb:

       patches:
         #- patches/service-elb.yaml
         - patches/service-gclb.yaml  # <-- Uncomment this line

3. Edit rok/rok-sync/overlays/deploy/patches/service-gclb.yaml and set the load-balancer-type annotation based on the type of the load balancer you are going to create:

   Public:

       annotations:
         networking.gke.io/load-balancer-type: "Public"

   Internal:

       annotations:
         networking.gke.io/load-balancer-type: "Internal"

   Air Gapped: Use an Internal Load Balancer.

4. Edit rok/rok-sync/overlays/deploy/patches/service-gclb.yaml and configure loadBalancerSourceRanges to allow access from the CIDRs of the Rok Registry and the rest of your Rok clusters. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone:

       spec:
         loadBalancerSourceRanges:
         - "0.0.0.0/0"

   See also: Instructions to find the outbound IP addresses of all services (including Rok and Rok Registry) running in a Kubernetes cluster.

   Air Gapped: If you don’t have specific firewalling requirements, leave loadBalancerSourceRanges at the default value. The load balancer will be an internal one and as such not reachable outside your VPC.

   Note: If you need to specify multiple CIDRs, format them as a YAML list. For example:

       loadBalancerSourceRanges:
       - "1.2.3.4/32"
       - "5.6.7.8/32"

5. Commit the changes:

       root@rok-tools:~/ops/deployments# git commit -am "Expose sync daemon on Google Cloud"

6. Apply the kustomization:

       root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-sync/overlays/deploy
Verify¶
Verify that the LoadBalancer Service gets an EXTERNAL-IP:

    root@rok-tools:# kubectl get service -n rok rok-sync
    NAME       TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)           AGE
    rok-sync   LoadBalancer   10.92.53.244   198.51.100.1   32123:30473/TCP   1m

Verify that the load balancer allows connections from the CIDRs of the Rok Registry and the rest of your Rok clusters:

    root@rok-tools:# kubectl get service -n rok rok-sync -o json \
    >     | jq -r '.spec.loadBalancerSourceRanges[]'
    0.0.0.0/0

Obtain the address of the LoadBalancer Service:

    root@rok-tools:# export SYNC_ADDRESS=$(kubectl get service -n rok rok-sync -o json \
    >     | jq -r '.status.loadBalancer.ingress[].ip')

Verify that you can connect to the sync daemon from your rok-tools container:

    root@rok-tools:# timeout 5 curl -m 3 -v telnet://${SYNC_ADDRESS?}:32123/
    * Trying 198.51.100.1...
    * TCP_NODELAY set
    * Connected to 198.51.100.1 (198.51.100.1) port 32123 (#0)

Troubleshooting

Connection timed out.
    Make sure that the firewall of the LoadBalancer Service allows connections from the rok-tools container. If you don’t want to allow access, you can skip this step.
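The manual checks above can be automated against the JSON that `kubectl get service -n rok rok-sync -o json` prints. The following is an added example, not part of the Rok documentation or tooling: `audit_sync_service` and `make_service` are hypothetical helpers, and the Service object they work on is constructed to mirror the fields this page configures (the load-balancer-type annotation, loadBalancerSourceRanges, and the ingress IP). It flags the combination a reviewer most wants to catch: a Public load balancer left at the 0.0.0.0/0 default, which is acceptable only for an Internal one.

```python
import ipaddress

LB_TYPE_ANNOTATION = "networking.gke.io/load-balancer-type"


def make_service(lb_type="Public", ranges=("0.0.0.0/0",), ingress_ip="198.51.100.1"):
    """Constructed Service object shaped like `kubectl get service -n rok
    rok-sync -o json` after the service-gclb patch; not real cluster data."""
    return {
        "metadata": {"name": "rok-sync", "namespace": "rok",
                     "annotations": {LB_TYPE_ANNOTATION: lb_type}},
        "spec": {"type": "LoadBalancer",
                 "loadBalancerSourceRanges": list(ranges),
                 "ports": [{"port": 32123, "protocol": "TCP"}]},
        "status": {"loadBalancer": {"ingress": [{"ip": ingress_ip}] if ingress_ip else []}},
    }


def audit_sync_service(svc):
    """Return a list of findings (empty when the Service passes all checks)."""
    findings = []
    spec = svc.get("spec", {})
    lb_type = svc.get("metadata", {}).get("annotations", {}).get(LB_TYPE_ANNOTATION)

    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type is not LoadBalancer")
    if lb_type not in ("Public", "Internal"):
        findings.append(f"{LB_TYPE_ANNOTATION} must be Public or Internal, got {lb_type!r}")
    if not svc.get("status", {}).get("loadBalancer", {}).get("ingress"):
        findings.append("no EXTERNAL-IP assigned yet")

    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        # An unset field means the cloud provider applies no source restriction.
        findings.append("loadBalancerSourceRanges unset: no source restriction")
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
        except ValueError:
            findings.append(f"invalid CIDR {cidr!r}")
            continue
        if net.prefixlen == 0 and lb_type == "Public":
            # Fine for an Internal LB (only reachable inside the VPC); on a
            # Public one it exposes the sync port to the whole Internet.
            findings.append(f"Public load balancer allows {cidr}: sync port reachable from everyone")
    return findings
```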
Summary¶
You have successfully exposed the sync daemon of your Rok cluster to other Rok clusters and Registries, using a Google Cloud Load Balancer.
What’s Next¶
The next step is to configure the sync daemon to announce this load balancer address to other peers.