[EnMasse] External Kubernetes services

Lohmann Carsten (INST/ECS4) Carsten.Lohmann at bosch-si.com
Fri Dec 15 13:38:20 UTC 2017 

Hi Ulf,

> In 'service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "certName"'
> what does certName point to? A secret or some other resource?
That is an Amazon Resource Name ("arn:aws:..").

Best regards
 Carsten Lohmann


> -----Ursprüngliche Nachricht-----
> Von: Ulf Lilleengen [mailto:lulf at redhat.com]
> Gesendet: Freitag, 15. Dezember 2017 13:35
> An: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>;
> enmasse at redhat.com
> Betreff: Re: AW: [EnMasse] External Kubernetes services
> 
> Hi Carsten,
> 
> The endpoints only indicate what is being exposed, and does not change what is
> deployed. I will fix so that you can do that which should give you the freedom to
> roll your own.
> 
> Regarding the aws service definition below, I will write up a proposal for improving
> this.
> 
> In 'service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "certName"'
> what does certName point to? A secret or some other resource?
> 
> Best regards,
> 
> Ulf
> 
> On 15. des. 2017 13:19, Lohmann Carsten (INST/ECS4) wrote:
> > Hi Ulf,
> >
> > here is an example with the added modifications of our "messaging-external"
> service:
> > ---------------------
> > - apiVersion: v1
> >    kind: Service
> >    metadata:
> >      labels:
> >        app: enmasse
> >      annotations:
> >        dns.alpha.kubernetes.io/external: our-messaging-domain-name.
> >        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "certName"
> >        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "5671"
> >      name: messaging-external
> >    spec:
> >      ports:
> >      - name: amqps
> >        port: 5671
> >        protocol: TCP
> >        # TLS gets terminated at the LoadBalancer, target port here 5672
> >        targetPort: 5672
> >      selector:
> >        capability: router
> >      type: LoadBalancer
> >      loadBalancerSourceRanges: ..ip list..
> > ---------------------
> > So it's about added annotations, different target port, added
> "loadBalancerSourceRanges".
> >
> > Regarding using an empty endpoint list of the address space:
> > If the endpoints only correspond to K8s services, that's OK. I was only
> wondering if an omitted endpoint also leads to other corresponding resources
> (e.g. pods) not being created.
> > See https://github.com/EnMasseProject/enmasse/issues/544.
> >
> >
> > Best regards
> >
> >   Carsten Lohmann
> >
> >> -----Ursprüngliche Nachricht-----
> >> Von: Ulf Lilleengen [mailto:lulf at redhat.com]
> >> Gesendet: Donnerstag, 14. Dezember 2017 17:41
> >> An: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>;
> >> enmasse at redhat.com
> >> Betreff: Re: [EnMasse] External Kubernetes services
> >>
> >> Hi Carsten,
> >>
> >> The intention is that you can override this when creating the address
> >> space by specifying an empty endpoint list like this:
> >>
> >> {
> >>     "kind": "AddressSpace",
> >>     "spec": {
> >>        "endpoints": []
> >>     }
> >> }
> >>
> >> Unfortunately, it appears that this does not work as intended. I have
> >> created an issue to address this[1], but I'd like to know if that is
> >> sufficient for your use case before starting on a fix.
> >>
> >> Any details you can share on what properties are required for you to
> >> be able to configure your loadbalancer using the address space
> >> resource rather than having to create them explicitly would be
> >> valuable. If you have an example LoadBalancer service definition, I
> >> can try to propose a way to configure endpoints in sufficient detail that will give
> you the LoadBalancer service you wish.
> >>
> >> [1] https://github.com/EnMasseProject/enmasse/issues/648
> >>
> >> Best regards,
> >>
> >> Ulf
> >>
> >> On 14. des. 2017 16:57, Lohmann Carsten (INST/ECS4) wrote:
> >>> Hi,
> >>>
> >>> in EnMasse 0.15.0 there has been this change:
> >>>
> >>> "Replace use of Ingress with K8S LoadBalancer Service"
> >>>
> >>> https://github.com/EnMasseProject/enmasse/commit/f2680732530e37ff5fa
> >>> 85
> >>> c02ff58617a002e2640
> >>>
> >>> Having the K8S LoadBalancer Services be created automatically by the
> >>> Address Controller proves to be rather inflexible in our use case.
> >>>
> >>> Before EnMasse 0.15.0, we have used an adapted "external-lb.yaml"
> >>> file with added annotations
> >>>
> >>> - concerning definition of DNS records for the created LoadBalancer,
> >>> definition of LoadBalancer SSL certificate/port, etc.
> >>>
> >>> Now to have these annotations, we must either adapt or
> >>> delete/re-create the Services.
> >>>
> >>> And since in the AWS setup there is the creation of dependent AWS
> >>> LoadBalancer entries, there is quite some overhead involved in this.
> >>>
> >>> Would it be feasible to add a flag to skip automatic Service creation?
> >>> Or changing the code-wise creation to one based on a yaml file that
> >>> can be adapted?
> >>>
> >>> Best regards
> >>>
> >>> *Carsten Lohmann
> >>> *
> >>> (INST/ECS4)
> >>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> >>> GERMANY| www.bosch-si.com <http://www.bosch-si.com>
> >>>
> >>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB
> >>> 148411 B
> >>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
> >>> Dr.-Ing. Rainer Kallenbach, Michael Hahn
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> enmasse mailing list
> >>> enmasse at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/enmasse
> >>>

More information about the enmasse mailing list