Expose Sync Daemon on AWS

This section will walk you through the steps required to make your Rok sync daemon accessible from other Rok clusters and Registries, using an Amazon Classic Load Balancer.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Edit rok/rok-sync/overlays/deploy/kustomization.yaml and uncomment the service-elb patch to enable it:

    patches:
    - patches/service-elb.yaml
    
  3. Edit rok/rok-sync/overlays/deploy/patches/service-elb.yaml and set the aws-load-balancer-internal annotation based on the type of Load Balancer you are going to create. For an internet-facing Load Balancer:

    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: "false"
    
    For an internal Load Balancer:

    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    
  4. Edit rok/rok-sync/overlays/deploy/patches/service-elb.yaml and configure loadBalancerSourceRanges to allow access from the CIDRs of the Rok Registry and the rest of your Rok clusters. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone:

    spec:
      loadBalancerSourceRanges:
      - "0.0.0.0/0"
    

    Note

    If you need to specify multiple CIDRs, format them as a YAML list. For example:

    loadBalancerSourceRanges:
    - "1.2.3.4/32"
    - "5.6.7.8/32"
    
  5. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose sync daemon on AWS"
    
  6. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-sync/overlays/deploy
    

Verify

  1. Verify that the Load Balancer Service gets an EXTERNAL-IP:

    root@rok-tools:# kubectl get service -n rok rok-sync
    NAME       TYPE          CLUSTER-IP   EXTERNAL-IP                                                             PORT(S)           AGE
    rok-sync   LoadBalancer  10.32.1.249  a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com  32123:31282/TCP   1m
    
    Troubleshooting
    The Service object does not get an EXTERNAL-IP.
    1. Describe the service:

      root@rok-tools:# kubectl describe service -n rok rok-sync
      
    2. If you see an event like the following:

      Events:
        Type     Reason                  Age   From                Message
        ----     ------                  ----  ----                -------
        Warning  SyncLoadBalancerFailed  4s    service-controller  Error syncing load balancer: failed to ensure load balancer: TooManyLoadBalancers: Exceeded quota of account 123456789
                 status code: 400, request id: 1234abcd-12ab-34cd-56ef-123456abcdef
      

      it means that you have reached the quota of Classic Load Balancers you can create in your account, and you need to request an increase before the Service can get an EXTERNAL-IP.

  2. Verify that the Load Balancer allows connections only from the CIDRs of the Rok Registry and the rest of your Rok clusters:

    root@rok-tools:# kubectl get service -n rok rok-sync -o json | \
    >     jq -r '.spec.loadBalancerSourceRanges[]'
    0.0.0.0/0
    
  3. Obtain the address of the Load Balancer Service:

    root@rok-tools:# export SYNC_ADDRESS=$(kubectl get service -n rok rok-sync -o json | \
    >     jq -r '.status.loadBalancer.ingress[].hostname')
    
  4. Check that you can connect to the sync daemon from your rok-tools container:

    root@rok-tools:# timeout 5 curl -m 3 -v telnet://${SYNC_ADDRESS?}:32123/
    *   Trying 192.168.86.198...
    * TCP_NODELAY set
    * Connected to a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com (192.168.86.198) port 32123 (#0)
    
    Troubleshooting
    Could not resolve host.

    You typically need to wait for a few minutes after the creation of the Load Balancer service, before you can resolve its address.

    Connection timed out.

    Make sure that the loadBalancerSourceRanges of the Load Balancer Service include the CIDR from which the rok-tools container connects. If you don't want to allow access from rok-tools, you can skip this step.
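As an added check for procedure step 4 and Verify step 2 (a hypothetical helper, not part of the Rok tooling), this Python script audits the JSON of the exposed Service: it confirms the aws-load-balancer-internal annotation is set, that 0.0.0.0/0 is no longer present, and that every remaining CIDR falls inside the peer ranges you expect. The sample manifest and peer CIDRs are constructed.

```python
import ipaddress

INTERNAL_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-internal"

# Constructed sample of `kubectl get service -n rok rok-sync -o json`, trimmed
# to the fields this check reads (not real cluster output).
SAMPLE_SERVICE = {
    "metadata": {"name": "rok-sync", "namespace": "rok",
                 "annotations": {INTERNAL_ANNOTATION: "false"}},
    "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["0.0.0.0/0"]},
}


def audit_sync_service(svc, expected_peers):
    """Return findings for a rok-sync Service manifest; an empty list means it
    matches the intended exposure.  expected_peers: CIDRs of the Rok Registry
    and the other Rok clusters that should reach the sync daemon."""
    findings = []
    spec = svc.get("spec", {})
    annotations = svc.get("metadata", {}).get("annotations", {})

    if spec.get("type") != "LoadBalancer":
        findings.append("spec.type is %r, expected LoadBalancer" % spec.get("type"))
    # The annotation must be the quoted string "true" or "false" (step 3).
    if annotations.get(INTERNAL_ANNOTATION) not in ("true", "false"):
        findings.append("%s is missing or not \"true\"/\"false\"" % INTERNAL_ANNOTATION)

    # An absent or empty allow list admits every source, just like 0.0.0.0/0.
    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        findings.append("loadBalancerSourceRanges is empty: every source is allowed")
    allowed = [ipaddress.ip_network(c) for c in expected_peers]
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append("invalid CIDR %r in loadBalancerSourceRanges" % cidr)
            continue
        if net.prefixlen == 0:
            findings.append("%s is still present: every source is allowed" % cidr)
        elif not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            findings.append("%s is not within any expected peer range" % cidr)
    return findings


if __name__ == "__main__":
    for finding in audit_sync_service(SAMPLE_SERVICE, ["1.2.3.4/32", "5.6.7.8/32"]):
        print("FINDING:", finding)
```

Pipe the real manifest in with `kubectl get service -n rok rok-sync -o json` and pass the Registry and cluster CIDRs you configured in step 4 as expected_peers.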

Summary

You have successfully exposed the sync daemon of your Rok cluster to other Rok clusters and Registries, using an Amazon Classic Load Balancer.

What’s Next

The next step is to configure the sync daemon to announce this Load Balancer address to other peers.