Document Ingress controller requirements and alternatives #88

Open
akshay196 opened this issue May 18, 2023 · 3 comments
Labels
needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.


akshay196 commented May 18, 2023

Currently Paralus by default installs the Contour controller and manages routes using HTTPProxy resources.
It would be good to document the following:

  1. What are the requirements for choosing ingress controllers for Paralus?
  2. List of ingress controllers that work and that we have tested.

Joibel commented May 19, 2023

I have it working with ingress-nginx running the console ingress, and a service type: LoadBalancer for the rest of it. I understand that this might be less advisable than having a proxy in front of the relay though.

I failed to get ssl-passthrough on ingress-nginx working (it requires you to put an enablement flag on the controller, which I did, but despite my attempts it was still proxying).

Would it be possible to get paralus to use the cert-manager generated certificate for *.user and *.core-connector?

akshay196 (Member, Author) commented

> I have it working with ingress-nginx running the console ingress, and a service type: LoadBalancer for the rest of it. I understand that this might be less advisable than having a proxy in front of the relay though.

True. However, in some cases it would be feasible to use it without any third-party proxy, for example, for local testing.

> I failed to get ssl-passthrough on ingress-nginx working (it requires you to put an enablement flag on the controller, which I did, but despite my attempts it was still proxying).

Setting the ssl passthrough annotation on the ingress resource and enabling ssl passthrough at the ingress-nginx controller should have worked.

I have seen many folks go for ingress-nginx, so if the above configuration works, let us know so we could document it.

> Would it be possible to get paralus to use the cert-manager generated certificate for *.user and *.core-connector?

Possibly. Need to check though.


NumenDivinum commented Mar 28, 2024

I would say ingress-nginx is way more popular than contour, and most of the users would prefer it.
Installing contour for just one service cannot be justified for security teams.

I decided to try Paralus with ingress-nginx and failed.
SSL Passthrough may work, but it requires enabling a flag in the controller, which is a no-go for production environments.
And with a cert-manager certificate issued by Let's Encrypt, it is not possible to bootstrap a cluster into Paralus - the relay doesn't accept such a certificate:

```
{"level":"info","ts":"2024-03-28T08:47:54.636Z","caller":"tunnel/client.go:416","msg":"Relay Agent.Client.paralus-core-relay-agent::dial failed network: tcp addr: 0289c6d7-4v33-4b26-672e-b02192e7894b.core-connector.paralus.some.domain:443 err: tls: failed to verify certificate: x509: certificate signed by unknown authority "}
```
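The `x509: certificate signed by unknown authority` error in the log above is what Go's `crypto/x509` returns when the presented certificate does not chain to any root in the verifier's pool. The following is an added example, not code from this thread or from Paralus, that reproduces it with two constructed throwaway CAs. All names are hypothetical, and which CA the Paralus relay agent actually trusts is not stated in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a throwaway cert (constructed data): a self-signed CA if ca is nil, else a leaf signed by ca.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if ca == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// verify checks only the chain: leaf must lead to root, the sole entry in the pool (hostname is not checked).
func verify(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		return fmt.Errorf("verify %q: %w", leaf.Subject.CommonName, err)
	}
	return nil
}

func main() {
	ca, caKey := issue("trusted-ca.example.test", nil, nil)     // stand-in for the CA a client trusts
	other, otherKey := issue("other-ca.example.test", nil, nil) // stand-in for any other issuer
	own, _ := issue("relay.example.test", ca, caKey)
	foreign, _ := issue("relay.example.test", other, otherKey)
	fmt.Println(verify(ca, own), "|", verify(ca, foreign))
}
```

The second certificate is valid in every other respect; it fails only because its issuer is absent from the pool, so comparing the issuer of the certificate actually served on port 443 with the CA bundle the client was configured with is the first thing to check.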
