[EnMasse] External Kubernetes services

Lohmann Carsten (INST/ECS4) Carsten.Lohmann at bosch-si.com
Tue Dec 19 11:44:11 UTC 2017 

thanks!

Best regards
Carsten Lohmann

> -----Ursprüngliche Nachricht-----
> Von: Ulf Lilleengen [mailto:lulf at redhat.com]
> Gesendet: Montag, 18. Dezember 2017 16:29
> An: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>;
> enmasse at redhat.com
> Betreff: Re: AW: AW: [EnMasse] External Kubernetes services
> 
> Hi Carsten,
> 
> A fix has been merged to master
> (https://github.com/EnMasseProject/enmasse/pull/658) and will be part of 0.16.0.
> 
> I've filed an issue for making endpoints support more configuration options
> (https://github.com/EnMasseProject/enmasse/issues/661).
> 
> Best regards,
> 
> Ulf
> 
> On 15. des. 2017 14:38, Lohmann Carsten (INST/ECS4) wrote:
> > Hi Ulf,
> >
> >> In 'service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "certName"'
> >> what does certName point to? A secret or some other resource?
> > That is an Amazon Resource Name ("arn:aws:..").
> >
> > Best regards
> >   Carsten Lohmann
> >
> >
> >> -----Ursprüngliche Nachricht-----
> >> Von: Ulf Lilleengen [mailto:lulf at redhat.com]
> >> Gesendet: Freitag, 15. Dezember 2017 13:35
> >> An: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>;
> >> enmasse at redhat.com
> >> Betreff: Re: AW: [EnMasse] External Kubernetes services
> >>
> >> Hi Carsten,
> >>
> >> The endpoints only indicate what is being exposed, and does not
> >> change what is deployed. I will fix so that you can do that which
> >> should give you the freedom to roll your own.
> >>
> >> Regarding the aws service definition below, I will write up a
> >> proposal for improving this.
> >>
> >> In 'service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "certName"'
> >> what does certName point to? A secret or some other resource?
> >>
> >> Best regards,
> >>
> >> Ulf
> >>
> >> On 15. des. 2017 13:19, Lohmann Carsten (INST/ECS4) wrote:
> >>> Hi Ulf,
> >>>
> >>> here is an example with the added modifications of our "messaging-external"
> >> service:
> >>> ---------------------
> >>> - apiVersion: v1
> >>>     kind: Service
> >>>     metadata:
> >>>       labels:
> >>>         app: enmasse
> >>>       annotations:
> >>>         dns.alpha.kubernetes.io/external: our-messaging-domain-name.
> >>>         service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "certName"
> >>>         service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "5671"
> >>>       name: messaging-external
> >>>     spec:
> >>>       ports:
> >>>       - name: amqps
> >>>         port: 5671
> >>>         protocol: TCP
> >>>         # TLS gets terminated at the LoadBalancer, target port here 5672
> >>>         targetPort: 5672
> >>>       selector:
> >>>         capability: router
> >>>       type: LoadBalancer
> >>>       loadBalancerSourceRanges: ..ip list..
> >>> ---------------------
> >>> So it's about added annotations, different target port, added
> >> "loadBalancerSourceRanges".
> >>>
> >>> Regarding using an empty endpoint list of the address space:
> >>> If the endpoints only correspond to K8s services, that's OK. I was
> >>> only
> >> wondering if an omitted endpoint also leads to other corresponding
> >> resources (e.g. pods) not being created.
> >>> See https://github.com/EnMasseProject/enmasse/issues/544.
> >>>
> >>>
> >>> Best regards
> >>>
> >>>    Carsten Lohmann
> >>>
> >>>> -----Ursprüngliche Nachricht-----
> >>>> Von: Ulf Lilleengen [mailto:lulf at redhat.com]
> >>>> Gesendet: Donnerstag, 14. Dezember 2017 17:41
> >>>> An: Lohmann Carsten (INST/ECS4) <Carsten.Lohmann at bosch-si.com>;
> >>>> enmasse at redhat.com
> >>>> Betreff: Re: [EnMasse] External Kubernetes services
> >>>>
> >>>> Hi Carsten,
> >>>>
> >>>> The intention is that you can override this when creating the
> >>>> address space by specifying an empty endpoint list like this:
> >>>>
> >>>> {
> >>>>      "kind": "AddressSpace",
> >>>>      "spec": {
> >>>>         "endpoints": []
> >>>>      }
> >>>> }
> >>>>
> >>>> Unfortunately, it appears that this does not work as intended. I
> >>>> have created an issue to address this[1], but I'd like to know if
> >>>> that is sufficient for your use case before starting on a fix.
> >>>>
> >>>> Any details you can share on what properties are required for you
> >>>> to be able to configure your loadbalancer using the address space
> >>>> resource rather than having to create them explicitly would be
> >>>> valuable. If you have an example LoadBalancer service definition, I
> >>>> can try to propose a way to configure endpoints in sufficient
> >>>> detail that will give
> >> you the LoadBalancer service you wish.
> >>>>
> >>>> [1] https://github.com/EnMasseProject/enmasse/issues/648
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Ulf
> >>>>
> >>>> On 14. des. 2017 16:57, Lohmann Carsten (INST/ECS4) wrote:
> >>>>> Hi,
> >>>>>
> >>>>> in EnMasse 0.15.0 there has been this change:
> >>>>>
> >>>>> "Replace use of Ingress with K8S LoadBalancer Service"
> >>>>>
> >>>>> https://github.com/EnMasseProject/enmasse/commit/f2680732530e37ff5
> >>>>> fa
> >>>>> 85
> >>>>> c02ff58617a002e2640
> >>>>>
> >>>>> Having the K8S LoadBalancer Services be created automatically by
> >>>>> the Address Controller proves to be rather inflexible in our use case.
> >>>>>
> >>>>> Before EnMasse 0.15.0, we have used an adapted "external-lb.yaml"
> >>>>> file with added annotations
> >>>>>
> >>>>> - concerning definition of DNS records for the created
> >>>>> LoadBalancer, definition of LoadBalancer SSL certificate/port, etc.
> >>>>>
> >>>>> Now to have these annotations, we must either adapt or
> >>>>> delete/re-create the Services.
> >>>>>
> >>>>> And since in the AWS setup there is the creation of dependent AWS
> >>>>> LoadBalancer entries, there is quite some overhead involved in this.
> >>>>>
> >>>>> Would it be feasible to add a flag to skip automatic Service creation?
> >>>>> Or changing the code-wise creation to one based on a yaml file
> >>>>> that can be adapted?
> >>>>>
> >>>>> Best regards
> >>>>>
> >>>>> *Carsten Lohmann
> >>>>> *
> >>>>> (INST/ECS4)
> >>>>> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin
> >>>>> |
> >>>>> GERMANY| www.bosch-si.com <http://www.bosch-si.com>
> >>>>>
> >>>>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB
> >>>>> 148411 B
> >>>>> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
> >>>>> Dr.-Ing. Rainer Kallenbach, Michael Hahn
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> enmasse mailing list
> >>>>> enmasse at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/enmasse
> >>>>>

More information about the enmasse mailing list