
How to define ingress / ingressRoute to UI Console?

Open ahgraber opened this issue 3 years ago • 5 comments

I am using the gitops tool flux to manage my kubernetes cluster. I have installed the cockroach operator and deployed a cluster based on the example manifest.

I am trying to create an ingress (specifically, a traefik ingressRoute) to the UI console, but the addition of the ability to declare an ingress seems undocumented.

How can I create an ingress to the console UI?

ahgraber, May 06 '22 18:05

It's not cockroach specific, just read the docs of your ingress controller and add an ingress rule that points to the cockroachdb-public svc. Don't forget to secure it :-)

Lamercho, May 06 '22 19:05

I have tried with this ingressRoute, which does not work. Am I missing something?

I can access the Console UI if I port forward, but that's a hacky/temporary solution.

ahgraber, May 06 '22 19:05

If I build my cluster in insecure mode, with tlsEnabled: false, the ingressRoute works fine and I can access the console. It seems like the SSL cert for the Ingress is conflicting with the cert for the cluster.

ahgraber, May 06 '22 23:05

Alternatively, I can use the cluster's TLS certification with an ingressRouteTCP, although this faces the "this is insecure" warning from the browser:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: route-cockroachdb
  namespace: networking
  # namespace: cockroach-operator-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNI(`roachdb.${SECRET_DOMAIN}`)
      services:
        - name: cockroachdb-public
          namespace: cockroach-operator-system
          port: 8080
  tls:
    passthrough: true  # let the endpoint handle tls termination
```

ahgraber, May 07 '22 00:05

@ahgraber I don't know if you're still looking for an answer, but this is what I have deployed that works for me:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: crdb-core
spec:
  entryPoints:
    - websecure
    - web
  routes:
    - kind: Rule
      match: Host(`<host>`)
      services:
      - kind: Service
        name: crdb-core-public
        passHostHeader: false
        port: 8080
        serversTransport: cockroachdb
        scheme: https
      middlewares:
        - name: traefik-v2-allowlist@kubernetescrd
  tls: {}
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: cockroachdb
spec:
  insecureSkipVerify: true
```

I included the web entrypoint because it is configured to handle http->https redirects for me.

joerocklin, Nov 07 '22 16:11
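A variant of the ServersTransport from the last comment that verifies the CockroachDB certificate against the cluster CA instead of setting insecureSkipVerify, so the hop from Traefik to the console stays authenticated. This is an added example, not configuration posted in the thread or taken from the operator's documentation; the Secret name `crdb-core-ca`, its `ca.crt` key and the `serverName` value are assumptions to replace with the values from your own cluster.

```yaml
# Added example (not from the thread): verify the backend certificate
# instead of skipping verification.
#
# Assumptions to adapt:
#   - a Secret named crdb-core-ca (hypothetical name) exists in the same
#     namespace as this ServersTransport and holds the cluster CA
#     certificate under the key ca.crt (Traefik also accepts tls.ca)
#   - the CockroachDB node certificate lists crdb-core-public as a
#     subject alternative name
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: cockroachdb
spec:
  # Name Traefik checks the backend certificate against. Set explicitly
  # because Traefik connects to pod addresses, which the node certificate
  # is unlikely to list.
  serverName: crdb-core-public
  # Trust only the cluster's own CA for this backend.
  rootCAsSecrets:
    - crdb-core-ca
```

The IngressRoute keeps `serversTransport: cockroachdb` and `scheme: https` unchanged; only the transport's trust settings differ.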