
Connector does not support NodePort service type

Open yeshwanth1312 opened this issue 3 years ago • 9 comments

Describe the bug

The connector container is unable to start and connect to the server when using service type as NodePort or ClusterIP.

Expected behavior

Screenshots

{"level":"error","ts":1652877520.706193,"caller":"connector/connector.go:462","msg":"failed to lookup endpoint: load balancer has no ingress objects"}
{"level":"error","ts":1652877525.711017,"caller":"connector/connector.go:462","msg":"failed to lookup endpoint: load balancer has no ingress objects"}
{"level":"error","ts":1652877530.715043,"caller":"connector/connector.go:462","msg":"failed to lookup endpoint: load balancer has no ingress objects"}

Environment

Kubernetes, Running on-prem

$ infra version
infra version

 Client: 0.13.0
 Server: 0.13.0
$ kubectl version

Relevant Infra Logs

Additional context

Both server and connector are deployed in the same namespace and cluster.

helm upgrade --install infra-connector ./
--set connector.config.name=k2
--set connector.config.server=localhost
--set connector.config.accessKey=********
--set connector.config.skipTLSVerify=true
--set connector.service.type=NodePort -n infra

yeshwanth1312 avatar May 18 '22 12:05 yeshwanth1312

Hi @yeshwanth1312,

Thanks for capturing this issue. It looks like NodePort won't work for the Infra connector at the moment. The Infra connector can't detect the host/port to report to the server in this configuration. We will revisit this.

A connector should be able to register with a cluster IP. One thing I notice in the logs provided is that the connector is attempting to look up the load balancer ingress. It should not be doing this when connector.service.type=ClusterIP is specified. Is it possible that the connector.service.type=ClusterIP flag was not parsed correctly from the command in this case? I'm curious if running the command on one line to make sure all the flags are parsed fixes the ClusterIP case:

helm upgrade --install infra-connector ./ --set connector.config.name=k2 --set connector.config.server=localhost --set connector.config.accessKey=******** --set connector.config.skipTLSVerify=true --set connector.service.type=ClusterIP -n infra

BruceMacD avatar May 18 '22 20:05 BruceMacD
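
How a shell treats the two forms of the command discussed above, as an added example that is not from the issue or the Infra project. `helm` here is a stub function that only reports which `connector.service.type` reached it, the access key is a placeholder, and the multi-line text is constructed from the flags shown in this thread.

```shell
#!/bin/sh
# Stub standing in for the real helm binary (assumption for this demo):
# prints the connector.service.type value it received, if any.
helm() {
  svc='(chart default)'
  prev=''
  for arg in "$@"; do
    if [ "$prev" = "--set" ]; then
      case "$arg" in
        connector.service.type=*) svc=${arg#connector.service.type=} ;;
      esac
    fi
    prev=$arg
  done
  echo "$svc"
}

# Constructed input: flags split across lines with no continuation character.
# Each newline ends the command, so helm only sees the first line.
PASTED='helm upgrade --install infra-connector ./
--set connector.config.name=k2
--set connector.config.server=localhost
--set connector.config.accessKey=PLACEHOLDER
--set connector.config.skipTLSVerify=true
--set connector.service.type=ClusterIP -n infra'

# Constructed input: same flags, with a trailing backslash joining the lines.
CONTINUED='helm upgrade --install infra-connector ./ \
--set connector.config.name=k2 \
--set connector.config.server=localhost \
--set connector.config.accessKey=PLACEHOLDER \
--set connector.config.skipTLSVerify=true \
--set connector.service.type=ClusterIP -n infra'

# Run the text as a shell would and return what the first helm call saw.
# The remaining lines of PASTED fail as "--set: command not found".
service_type_seen() {
  out=$( ( eval "$1" ) 2>/dev/null ) || true
  printf '%s\n' "$out" | head -n 1
}

echo "pasted:    $(service_type_seen "$PASTED")"
echo "continued: $(service_type_seen "$CONTINUED")"
```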

@BruceMacD Thanks for that, will try and let you know. Also, how do we access the UI? Accessing the UI on the server IP on port is coming up as a blank page.

yeshwanth1312 avatar May 19 '22 15:05 yeshwanth1312

The UI is still under active development so it isn't enabled by default yet; it will be enabled automatically in an upcoming release (exact date TBD). You can enable the experimental UI by starting the Infra server with the --set server.config.ui.enabled=true flag.

Ex: helm install infra infrahq/infra --set server.config.ui.enabled=true

The UI should then be available at the root of the Infra server host (ex: if the Infra server is running on localhost, it will be available at http://localhost).

BruceMacD avatar May 19 '22 18:05 BruceMacD

Okay cool, running the command on one line worked. Working great so far. @BruceMacD

Also, how would we add users to one group in the values.yml file? Don't see an example.

I don't see a place to assign a user to a group.

Expected

    - user: admin
      role: view
      group: Everyone                      
      resource: example-cluster.web 

Example shown

    - user: admin
      role: edit                            # cluster_roles required
      resource: example-cluster.web         # limit access to only the `web` namespace in the `example-cluster` Kubernetes cluster

  # Example of granting access to a group the `view` role.
    - group: Everyone
      role: view                           # cluster_roles required
      resource: example-cluster

yeshwanth1312 avatar May 19 '22 20:05 yeshwanth1312

We don't have a way to assign users to groups in configuration (yet). The groups you see in that configuration example are being synchronized from an identity provider such as Okta.

Ex:

  1. Define the name of a group in config that you know to exist in an identity provider.
  2. When a user signs in with an identity provider (Okta) we also see the groups they are in.
  3. The user is given the access that the groups they are in grants them.

BruceMacD avatar May 19 '22 21:05 BruceMacD

Okay. Thanks, @BruceMacD, for the clarification.

Defining users and groups will be helpful, so we can work on group permissions vs. each user.

Also, do you have an ETA on Azure Active Directory as an identity provider?

yeshwanth1312 avatar May 19 '22 21:05 yeshwanth1312

We haven't tested Azure AD as an IdP yet, but it is coming soon also.

BruceMacD avatar May 24 '22 13:05 BruceMacD

This issue has not seen any activity in a while. Add a comment if this issue is still relevant, otherwise it will be closed in 7 days.

github-actions[bot] avatar Jul 30 '22 02:07 github-actions[bot]

I think this issue is still relevant

dnephin avatar Aug 02 '22 14:08 dnephin

@yeshwanth1312 NodePort has been added as of https://github.com/infrahq/infra/pull/3209. You can enable it by setting connector.service.type=NodePort in Helm. By default, the connector node port is 30443. You can change it with connector.service.secureNodePort=<port>. Keep in mind Kubernetes requires node ports to be within the 30000-32767 range by default.

mxyng avatar Sep 20 '22 00:09 mxyng