diff --git a/docs/ingress/README.md b/docs/ingress/README.md index e26d48fe..53249633 100644 --- a/docs/ingress/README.md +++ b/docs/ingress/README.md @@ -101,29 +101,6 @@ Ingress Controllers we are looking to leverage require support for TCP load bala * _Only some_ implementations support mTLS * _Only some_ implementations support SNI with TCP workloads -### Kong - -[Kong](https://konghq.com/kong/) is open source API gateway. Built for multi-cloud and hybrid, optimized for microservices and distributed architectures. Kong does not have to be deployed on Kubernetes supporting a multitude of environments. For our use case we will install Kong as an ingress for a Kubernetes cluster. - -#### Sample Implementations - -* [Simple Ingress](kong/ingress) -* [SNI Ingress](kong/sni-ingress) -* [mTLS with SNI Ingress](kong/mtls-sni-ingress) - -### Traefik - -[Traefik](https://containo.us/traefik/) is an open-source Edge Router that is designed to work in a number of environments, not just Kubernetes. When running on Kubernetes, Traefik is generally installed as an Ingress Controller. Traefik supports TCP load balancing along with SSL termination and SNI. It is automatically included as the default Ingress Controller of [K3s](https://k3s.io/) and [K3d](https://k3d.io/). - -#### Sample Implementations - -* [Simple load balancing](traefik/load-balancing) -* [mTLS with load balancing](traefik/mtls-load-balancing) -* [mTLS with SNI](traefik/mtls-sni) - -## Service Meshes - - ## Java Driver Configuration Each of the three reference implementations has a corresponding configuration in the [sample application](sample-java-application) with associated configuration files and sample code. diff --git a/docs/ingress/kong/ingress/README.md b/docs/ingress/kong/ingress/README.md deleted file mode 100644 index 6444ba99..00000000 --- a/docs/ingress/kong/ingress/README.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# Kong Simple Load Balancing - -When leveraging a single endpoint ingress / load balancer we lose the ability to provide token aware routing without the use of SNI (see the [mTLS with SNI guide](../mtls-sni)). **WARNING** This approach does not interact with the traffic at all. All traffic is sent over cleartext without any form of authentication of the server or client.. Note that **_each_** Cassandra cluster running behind the ingress will require it's own endpoint / port. Without a way to detect the pod we want to connect with it's the only way to differentiate requests. - -1. _Optional_ provision a local cluster with k3d. If you already have a cluster provisioned and it is available via `kubectl` you may safely skip this step. - - ```bash - # Create the cluster - k3d create cluster --k3s-server-arg --no-deploy --k3s-server-arg traefik - export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')" - kubectl cluster-info - ``` - -1. Install `cass-operator` via Helm - - ```bash - helm repo add datastax https://datastax.github.io/charts - helm repo update - helm install cass-operator datastax/cass-operator - ``` - -1. Deploy a Cassandra cluster - - ```bash - kubectl apply -f docs/ingress/sample-cluster-sample-dc.yaml - ``` - -1. Install Kong with Helm - - ```bash - helm repo add kong https://charts.konghq.com - helm repo update - helm install kong kong/kong --set ingressController.installCRDs=false - ``` - -1. Patch the Kong deployment to listen on the ingress port (9042 in our example) - - ```bash - kubectl patch deployment kong-kong --patch ' - spec: - template: - spec: - containers: - - name: proxy - env: - - name: KONG_STREAM_LISTEN - # Note the port must match the `port` value in the patched service - value: 0.0.0.0:9042 - ports: - - name: cassandra - # Note this must match the `port` value in the patched service - containerPort: 9042 - protocol: TCP' - ``` - -1. Update the Kong service to include the port we want to forward from. 
- - ```bash - kubectl patch svc kong-kong-proxy --patch ' - spec: - ports: - # Note the `port` field can be any value. When running multiple clusters they must be different. `targetPort` *must* match the port C* is listening on, default: 9042 - - name: cassandra - port: 9042 - protocol: TCP - targetPort: 9042' - ``` - -1. Create a `TCPIngress`. This provides the mapping between Kong ingress and the internal Cassandra service. - - ```bash - kubectl apply -f docs/ingress/kong/ingress/sample-cluster-sample-dc.tcpingress.yaml - ``` - -1. Check out the [sample application](../../sample-java-application) to validate your deployment - - ```bash - mvn exec:exec@ingress - Discovered Nodes - sample-dc:sample-rack:270acac9-e7d3-422c-b63f-fc210ce53250 - sample-dc:sample-rack:270acac9-e7d3-422c-b63f-fc210ce53250 - sample-dc:sample-rack:270acac9-e7d3-422c-b63f-fc210ce53250 - - Coordinator: sample-dc:sample-rack:270acac9-e7d3-422c-b63f-fc210ce53250 - [data_center:'sample-dc', rack:'sample-rack', host_id:ac8cb07b-80eb-4882-b49d-183e28076840, release_version:'3.11.6'] - - Coordinator: sample-dc:sample-rack:270acac9-e7d3-422c-b63f-fc210ce53250 - [data_center:'sample-dc', rack:'sample-rack', host_id:270acac9-e7d3-422c-b63f-fc210ce53250, release_version:'3.11.6'] - [data_center:'sample-dc', rack:'sample-rack', host_id:71683027-8b66-420c-aa87-f16ef48e7846, release_version:'3.11.6'] - ``` diff --git a/docs/ingress/kong/ingress/sample-cluster-sample-dc.tcpingress.yaml b/docs/ingress/kong/ingress/sample-cluster-sample-dc.tcpingress.yaml deleted file mode 100644 index 47785fef..00000000 --- a/docs/ingress/kong/ingress/sample-cluster-sample-dc.tcpingress.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: configuration.konghq.com/v1beta1 -kind: TCPIngress -metadata: - name: sample-cluster-sample-dc - namespace: default -spec: - rules: - - port: 9042 - backend: - serviceName: sample-cluster-sample-dc-service - servicePort: 9042 
diff --git a/docs/ingress/kong/mtls-sni-ingress/.gitignore b/docs/ingress/kong/mtls-sni-ingress/.gitignore deleted file mode 100644 index 7f47975f..00000000 --- a/docs/ingress/kong/mtls-sni-ingress/.gitignore +++ /dev/null @@ -1 +0,0 @@ -values.yaml diff --git a/docs/ingress/kong/mtls-sni-ingress/README.md b/docs/ingress/kong/mtls-sni-ingress/README.md deleted file mode 100644 index 9a02bab9..00000000 --- a/docs/ingress/kong/mtls-sni-ingress/README.md +++ /dev/null 
@@ -1,125 +0,0 @@ -# Kong mTLS SNI Ingress - -When leveraging a single endpoint ingress / load balancer we lose the ability to provide token aware routing without the use of SNI. SNI hints to the ingress (via TLS extensions) where the traffic should be routed from the proxy. In this case we use the hostId as the endpoint. - -With mTLS not only does the client authenticate the server, but the server ALSO authenticates the client. This allows for bi-directional authentication and prevents a bad actor from connecting to your cluster without the appropriate certificate. - -**Note:** mTLS is only available with Kong Enterprise. - -1. _Optional_ provision a local cluster with k3d. If you already have a cluster provisioned and it is available via `kubectl` you may safely skip this step. - - ```bash - # Create the cluster - k3d create cluster --k3s-server-arg --no-deploy --k3s-server-arg traefik - export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')" - kubectl cluster-info - ``` - -1. Install `cass-operator` via Helm - - ```bash - helm repo add datastax https://datastax.github.io/charts - helm repo update - helm install cass-operator datastax/cass-operator - ``` - -1. Deploy a Cassandra cluster - - ```bash - kubectl apply -f docs/ingress/sample-cluster-sample-dc.yaml - ``` - -1. Expose each pod as a service, **AFTER all pods are up and ready** - - ```bash - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-0 - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-1 - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-2 - ``` - -1. Generate and install [SSL certificates](../../ssl) - -1. Install Kong with Helm - - ```bash - helm repo add kong https://charts.konghq.com - helm repo update - helm install kong kong/kong \ - --set ingressController.installCRDs=false \ - --set admin.enabled=true \ - --set admin.http.enabled=true \ - --set admin.servicePort=8001 \ - --set admin.type=LoadBalancer - ``` - -1. 
Patch the Kong deployment to listen on the ingress port (9042 in our example) - - ```bash - kubectl patch deployment kong-kong --patch ' - spec: - template: - spec: - containers: - - name: proxy - env: - - name: KONG_STREAM_LISTEN - # Note the port must match the `port` value in the patched service - value: 0.0.0.0:9042 ssl - ports: - - name: cassandra - # Note this must match the `port` value in the patched service - containerPort: 9042 - protocol: TCP' - ``` - -1. Update the Kong service to include the port we want to forward from. - - ```bash - kubectl patch svc kong-kong-proxy --patch ' - spec: - ports: - # Note the `port` field can be any value. When running multiple clusters they must be different. `targetPort` *must* match the port C* is listening on, default: 9042 - - name: cassandra - port: 9042 - protocol: TCP - targetPort: 9042' - ``` - -1. Add a separate CA certificate secret for Kong - - ```bash - kubectl create secret generic ca-cert-kong --from-file=cert=../../ssl/ca.pem --from-literal=id=d5551f47-b4b9-4103-adeb-3e462d1ddd8b - kubectl patch secret ca-cert-kong --patch ' - metadata: - labels: - konghq.com/ca-cert: "true"' - ``` - -1. Configure the mTLS Kong plugin - - ```bash - kubectl apply -f docs/ingress/kong/mtls-sni-ingress/mtls-auth.kong-plugin.yaml - ``` - -1. Create a `TCPIngress`. This provides the mapping between Kong ingress and the internal Cassandra service as well as an annotation directing Kong to leverage the mTLS plugin - - ```bash - kubectl apply -f docs/ingress/kong/mtls-sni-ingress/sample-cluster-sample-dc.tcpingress.yaml - ``` - -1. 
Check out the [sample application](../../sample-java-application) to validate your deployment - - ```bash - mvn exec:exec@mtls-sni-ingress - Discovered Nodes - sample-dc:sample-rack:bbbf5a34-2240-4efb-ac06-c7974a2ec3dd - sample-dc:sample-rack:73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - sample-dc:sample-rack:deab7ace-711c-407f-96a0-bcba5099855b - - Coordinator: sample-dc:sample-rack:73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - [data_center:'sample-dc', rack:'sample-rack', host_id:73a03b32-bdb6-4b2a-a5db-dfd078ec8131, release_version:'3.11.6'] - - Coordinator: sample-dc:sample-rack:73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - [data_center:'sample-dc', rack:'sample-rack', host_id:bbbf5a34-2240-4efb-ac06-c7974a2ec3dd, release_version:'3.11.6'] - [data_center:'sample-dc', rack:'sample-rack', host_id:deab7ace-711c-407f-96a0-bcba5099855b, release_version:'3.11.6'] - ``` diff --git a/docs/ingress/kong/mtls-sni-ingress/mtls-auth.kong-plugin.yaml b/docs/ingress/kong/mtls-sni-ingress/mtls-auth.kong-plugin.yaml deleted file mode 100644 index 3d1eb8a6..00000000 --- a/docs/ingress/kong/mtls-sni-ingress/mtls-auth.kong-plugin.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: configuration.konghq.com/v1 -kind: KongPlugin -metadata: - name: mtls-auth -config: - ca_certificates: - - d5551f47-b4b9-4103-adeb-3e462d1ddd8b - skip_consumer_lookup: true - revocation_check_mode: SKIP -plugin: mtls-auth diff --git a/docs/ingress/kong/mtls-sni-ingress/sample-cluster-sample-dc.tcpingress.yaml b/docs/ingress/kong/mtls-sni-ingress/sample-cluster-sample-dc.tcpingress.yaml deleted file mode 100644 index 1eb232c0..00000000 --- a/docs/ingress/kong/mtls-sni-ingress/sample-cluster-sample-dc.tcpingress.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: configuration.konghq.com/v1beta1 -kind: TCPIngress -metadata: - name: sample-cluster-sample-dc - namespace: default - annotations: - konghq.com/plugins: mtls-auth -spec: - tls: - - hosts: - - k3s.local - - bbbf5a34-2240-4efb-ac06-c7974a2ec3dd - - deab7ace-711c-407f-96a0-bcba5099855b - - 73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - secretName: sample-cluster-sample-dc-cert - rules: - - host: bbbf5a34-2240-4efb-ac06-c7974a2ec3dd - port: 9042 - backend: - serviceName: sample-cluster-sample-dc-sample-rack-sts-0 - servicePort: 9042 - - host: deab7ace-711c-407f-96a0-bcba5099855b - port: 9042 - backend: - serviceName: sample-cluster-sample-dc-sample-rack-sts-1 - servicePort: 9042 - - host: 73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - port: 9042 - backend: - serviceName: sample-cluster-sample-dc-sample-rack-sts-2 - servicePort: 9042 diff --git a/docs/ingress/kong/mtls-sni-ingress/values.yaml.example b/docs/ingress/kong/mtls-sni-ingress/values.yaml.example deleted file mode 100644 index c2d3dda2..00000000 --- a/docs/ingress/kong/mtls-sni-ingress/values.yaml.example +++ /dev/null @@ -1,22 +0,0 @@ -# Basic values.yaml for Kong for Kubernetes Enterprise -# Several settings (search for the string "CHANGEME") require user-provided -# Secrets. These Secrets must be created before installation. - -image: - repository: kong-docker-kong-enterprise-k8s.bintray.io/kong-enterprise-k8s - tag: 2.0.4.1-centos - pullSecrets: - # CHANGEME: https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-docker-registry-access - - kong-enterprise-k8s-docker - -enterprise: - enabled: true - # CHANGEME: https://github.com/Kong/charts/blob/master/charts/kong/README.md#kong-enterprise-license - license_secret: kong-enterprise-license - -env: - database: "off" - -ingressController: - enabled: true - installCRDs: false diff --git a/docs/ingress/kong/sni-ingress/README.md b/docs/ingress/kong/sni-ingress/README.md deleted file mode 100644 index fcc799c0..00000000 
--- a/docs/ingress/kong/sni-ingress/README.md +++ /dev/null 
@@ -1,111 +0,0 @@ -# Kong SNI Ingress - -When leveraging a single endpoint ingress / load balancer we lose the ability to provide token aware routing without the use of SNI. SNI hints to the ingress (via TLS extensions) where the traffic should be routed from the proxy. In this case we use the hostId as the endpoint. - -1. _Optional_ provision a local cluster with k3d. If you already have a cluster provisioned and it is available via `kubectl` you may safely skip this step. - - ```bash - # Create the cluster - k3d create cluster --k3s-server-arg --no-deploy --k3s-server-arg traefik - export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')" - kubectl cluster-info - - # Import images from the local Docker daemon - k3d load image --cluster k3s-default \ - datastax/cass-operator:1.3.0 \ - datastax/cass-config-builder:1.0-ubi7 \ - datastax/dse-server:6.8.26-ubi7 \ - datastax/cassandra:3.11.6-ubi7 - ``` - -1. Install `cass-operator` via Helm - - ```bash - helm repo add datastax https://datastax.github.io/charts - helm repo update - helm install cass-operator datastax/cass-operator - ``` - -1. Deploy a Cassandra cluster - - ```bash - kubectl apply -f docs/ingress/sample-cluster-sample-dc.yaml - ``` - -1. Expose each pod as a service, **AFTER all pods are up and read** - - ```bash - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-0 - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-1 - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-2 - ``` - -1. Generate and install [SSL certificates](../../ssl) - -1. Install Kong with Helm - - ```bash - helm repo add kong https://charts.konghq.com - helm repo update - helm install kong kong/kong \ - --set ingressController.installCRDs=false \ - --set admin.enabled=true \ - --set admin.http.enabled=true \ - --set admin.servicePort=8001 \ - --set admin.type=LoadBalancer - ``` - -1. 
Patch the Kong deployment to listen on the ingress port (9042 in our example) - - ```bash - kubectl patch deployment kong-kong --patch ' - spec: - template: - spec: - containers: - - name: proxy - env: - - name: KONG_STREAM_LISTEN - # Note the port must match the `port` value in the patched service - value: 0.0.0.0:9042 ssl - ports: - - name: cassandra - # Note this must match the `port` value in the patched service - containerPort: 9042 - protocol: TCP' - ``` - -1. Update the Kong service to include the port we want to forward from. - - ```bash - kubectl patch svc kong-kong-proxy --patch ' - spec: - ports: - # Note the `port` field can be any value. When running multiple clusters they must be different. `targetPort` *must* match the port C* is listening on, default: 9042 - - name: cassandra - port: 9042 - protocol: TCP - targetPort: 9042' - ``` - -1. Create a `TCPIngress`. This provides the mapping between Kong ingress and the internal Cassandra service. - - ```bash - kubectl apply -f docs/ingress/kong/sni-ingress/sample-cluster-sample-dc.tcpingress.yaml - ``` - -1. Check out the [sample application](../../sample-java-application) to validate your deployment - - ```bash - Discovered Nodes - sample-dc:sample-rack:bbbf5a34-2240-4efb-ac06-c7974a2ec3dd - sample-dc:sample-rack:73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - sample-dc:sample-rack:deab7ace-711c-407f-96a0-bcba5099855b - - Coordinator: sample-dc:sample-rack:73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - [data_center:'sample-dc', rack:'sample-rack', host_id:73a03b32-bdb6-4b2a-a5db-dfd078ec8131, release_version:'3.11.6'] - - Coordinator: sample-dc:sample-rack:73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - [data_center:'sample-dc', rack:'sample-rack', host_id:bbbf5a34-2240-4efb-ac06-c7974a2ec3dd, release_version:'3.11.6'] - [data_center:'sample-dc', rack:'sample-rack', host_id:deab7ace-711c-407f-96a0-bcba5099855b, release_version:'3.11.6'] - ``` 
diff --git a/docs/ingress/kong/sni-ingress/sample-cluster-sample-dc.tcpingress.yaml b/docs/ingress/kong/sni-ingress/sample-cluster-sample-dc.tcpingress.yaml deleted file mode 100644 index 6c528921..00000000 --- a/docs/ingress/kong/sni-ingress/sample-cluster-sample-dc.tcpingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: configuration.konghq.com/v1beta1 -kind: TCPIngress -metadata: - name: sample-cluster-sample-dc - namespace: default -spec: - tls: - - hosts: - - k3s.local - - c293a595-a08e-4a9c-b6bc-af5d279ffe76 - - deab7ace-711c-407f-96a0-bcba5099855b - - 73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - secretName: sample-cluster-sample-dc-cert - rules: - - host: c293a595-a08e-4a9c-b6bc-af5d279ffe76 - port: 9042 - backend: - serviceName: sample-cluster-sample-dc-sample-rack-sts-0 - servicePort: 9042 - - host: deab7ace-711c-407f-96a0-bcba5099855b - port: 9042 - backend: - serviceName: sample-cluster-sample-dc-sample-rack-sts-1 - servicePort: 9042 - - host: 73a03b32-bdb6-4b2a-a5db-dfd078ec8131 - port: 9042 - backend: - serviceName: sample-cluster-sample-dc-sample-rack-sts-2 - servicePort: 9042 diff --git a/docs/ingress/sample-cluster-sample-dc.yaml b/docs/ingress/sample-cluster-sample-dc.yaml index 18e1dfe5..8a887bc0 100644 --- a/docs/ingress/sample-cluster-sample-dc.yaml +++ b/docs/ingress/sample-cluster-sample-dc.yaml @@ -7,7 +7,7 @@ metadata: spec: clusterName: sample-cluster serverType: cassandra - serverVersion: "3.11.6" + serverVersion: "4.1.5" managementApiAuth: insecure: {} racks: @@ -27,6 +27,6 @@ spec: # authenticator: org.apache.cassandra.auth.PasswordAuthenticator # authorizer: org.apache.cassandra.auth.CassandraAuthorizer # role_manager: org.apache.cassandra.auth.CassandraRoleManager - jvm-options: + jvm-server-options: initial_heap_size: "800M" max_heap_size: "800M" diff --git a/docs/ingress/traefik/dashboard.ingressroute.yaml b/docs/ingress/traefik/dashboard.ingressroute.yaml deleted file mode 100644 index 5235cc88..00000000 
--- a/docs/ingress/traefik/dashboard.ingressroute.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: dashboard -spec: - entryPoints: - - web - routes: - - match: Host(`traefik.k3s.local`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`)) - kind: Rule - services: - - name: api@internal - kind: TraefikService diff --git a/docs/ingress/traefik/load-balancing/README.md b/docs/ingress/traefik/load-balancing/README.md deleted file mode 100644 index 6c97645e..00000000 --- a/docs/ingress/traefik/load-balancing/README.md +++ /dev/null 
@@ -1,90 +0,0 @@ -# Traefik Simple Load Balancing - -When leveraging a single endpoint ingress / load balancer we lose the ability to provide token aware routing without the use of SNI (see the [mTLS with SNI guide](../mtls-sni)). **WARNING** This approach does not interact with the traffic at all. All traffic is sent over cleartext without any form of authentication of the server or client.. Note that **_each_** Cassandra cluster running behind the ingress will require it's own endpoint. Without a way to detect the pod we want to connect with it's the only way to differentiate requests. - -1. _Optional_ provision a local cluster with k3d. If you already have a cluster provisioned and it is available via `kubectl` you may safely skip this step. - - ```bash - # Create the cluster - k3d c -x "--no-deploy" -x "traefik" - export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')" - kubectl cluster-info - - # Import images from the local Docker daemon - k3d i datastax/cass-operator:1.2.0 - k3d i datastax/cassandra:3.11.6-ubi7 - k3d i datastax/cass-config-builder:1.0-ubi7 - ``` - -1. Install Traefik with Helm - - ```bash - helm repo add traefik https://containous.github.io/traefik-helm-chart - helm repo update - helm install traefik traefik/traefik - ``` - -1. Add an ingress route for the Traefik dashboard and get the IP of the load balancer - - ```bash - kubectl apply -f traefik/dashboard.ingressroute.yaml - kubectl get svc traefik -o jsonpath="{.status.loadBalancer.ingress[].ip} traefik.k3s.local" - ``` - - If you add an entry to your /etc/hosts file with the value from the second command. With this in place the Traefik dashboard may be viewed at http://traefik.k3s.local/dashboard/. - -1. Edit the traefik `deployment` and add an entrypoint for TCP Cassandra traffic. This should be done in the `args` section of the `traefik` container. 
- - ```bash - kubectl edit deployment traefik - ``` - - ```yaml - - --entryPoints.websecure.address=:8443/tcp - # Add the following line, note the port number does have to be 9042. The value "cassandra" is displayed in the Traefik UI and may also be customized - - --entryPoints.cassandra.address=:9042/tcp - - --api.dashboard=true - ``` - - After saving your changes the deployment will replace the old pod with a new one including the adjusted arguments. Validate the new entrypoint exists in the Traefik dashboard. - -1. With a new EntryPoint defined we must update the existing service with the new ports. - - ```bash - kubectl edit svc traefik - ``` - - ```yaml - - name: websecure - nodePort: 31036 - port: 443 - protocol: TCP - targetPort: websecure - # Add the following section, it is ideal to use the same name as your entrypoint. Additionally the port number MUST match - - name: cassandra - port: 9042 - protocol: TCP - targetPort: 9042 - ``` - - At this point refreshing the Traefik dashboard should show a new endpoint named `cassandra` running. - -1. Install `cass-operator` via Helm - - ```bash - helm install --namespace=default cass-operator ./charts/cass-operator-chart - ``` - -1. Deploy a Cassandra cluster - - ```bash - kubectl apply -f sample-cluster-sample-dc.yaml - ``` - -1. Create the `IngressTCPRoute`. This provides the mapping between our endpoint and internal service. - - ```bash - kubectl apply -f traefik/load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml - ``` - -1. Check out the [sample application](../../sample-java-application) to validate your deployment diff --git a/docs/ingress/traefik/load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml b/docs/ingress/traefik/load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml deleted file mode 100644 index 1654224f..00000000 --- a/docs/ingress/traefik/load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: sample-cluster-sample-dc -spec: - entryPoints: - - cassandra - routes: - # Match is the rule corresponding to an underlying router. - - match: HostSNI(`*`) - services: - - name: sample-cluster-sample-dc-service - port: 9042 - terminationDelay: 400 - weight: 10 diff --git a/docs/ingress/traefik/mtls-load-balancing/README.md b/docs/ingress/traefik/mtls-load-balancing/README.md deleted file mode 100644 index 52b0335c..00000000 --- a/docs/ingress/traefik/mtls-load-balancing/README.md +++ /dev/null 
@@ -1,98 +0,0 @@ -# Traefik Simple Load Balancing with mTLS - -When leveraging a single endpoint ingress / load balancer we lose the ability to provide token aware routing without the use of SNI (see the [mTLS with SNI guide](../mtls-sni)). This approach keeps unwanted traffic from reaching the cluster through the use of mTLS terminated at the ingress layer. Note that **_each_** Cassandra cluster running behind the ingress will require it's own endpoint. Without a way to detect the pod we want to connect with it's the only way to differentiate requests. - -1. _Optional_ provision a local cluster with k3d. If you already have a cluster provisioned and it is available via `kubectl` you may safely skip this step. - - ```bash - # Create the cluster - k3d c -x "--no-deploy" -x "traefik" - export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')" - kubectl cluster-info - - # Import images from the local Docker daemon - k3d i datastax/cass-operator:1.2.0 - k3d i datastax/cassandra:3.11.6-ubi7 - k3d i datastax/cass-config-builder:1.0-ubi7 - ``` - -1. Install Traefik with Helm - - ```bash - helm repo add traefik https://containous.github.io/traefik-helm-chart - helm repo update - helm install traefik traefik/traefik - ``` - -1. Add an ingress route for the Traefik dashboard and get the IP of the load balancer - - ```bash - kubectl apply -f traefik/dashboard.ingressroute.yaml - kubectl get svc traefik -o jsonpath="{.status.loadBalancer.ingress[].ip} traefik.k3s.local" - ``` - - If you add an entry to your /etc/hosts file with the value from the second command. With this in place the Traefik dashboard may be viewed at http://traefik.k3s.local/dashboard/. - -1. Edit the traefik `deployment` and add an entrypoint for TCP Cassandra traffic. This should be done in the `args` section of the `traefik` container. 
- - ```bash - kubectl edit deployment traefik - ``` - - ```yaml - - --entryPoints.websecure.address=:8443/tcp - # Add the following line, note the port number does have to be 9042. The value "cassandra" is displayed in the Traefik UI and may also be customized - - --entryPoints.cassandra.address=:9042/tcp - - --api.dashboard=true - ``` - - After saving your changes the deployment will replace the old pod with a new one including the adjusted arguments. Validate the new entrypoint exists in the Traefik dashboard. - -1. With a new EntryPoint defined we must update the existing service with the new ports. - - ```bash - kubectl edit svc traefik - ``` - - ```yaml - - name: websecure - nodePort: 31036 - port: 443 - protocol: TCP - targetPort: websecure - # Add the following section, it is ideal to use the same name as your entrypoint. Additionally the port number MUST match - - name: cassandra - port: 9042 - protocol: TCP - targetPort: 9042 - ``` - - At this point refreshing the Traefik dashboard should show a new endpoint named `cassandra` running. - -1. Install `cass-operator` via Helm - - ```bash - helm install --namespace=default cass-operator ./charts/cass-operator-chart - ``` - -1. Deploy a Cassandra cluster - - ```bash - kubectl apply -f sample-cluster-sample-dc.yaml - ``` - -1. Generate the TLS certificates and add them as secrets to the cluster with the guide in the [ssl](../ssl) directory. Note you do **NOT** need to specify any of the host ID values as we will not be performing additional routing at the ingress layer. - -1. Install TLS Options to add support for mutual TLS. This configures the CA that must be used in the client certificate - - ```bash - kubectl apply -f traefik/mtls-load-balancing/sample-cluster-sample-dc.tlsoption.yaml - ``` - -1. Create the `IngressTCPRoute`. This provides the mapping between our endpoint and internal service and binds the previously installed tlsoptions to the endpoint. 
- - ```bash - kubectl apply -f traefik/mtls-load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml - ``` - -1. Check out the [sample application](../../sample-java-application) to validate your deployment diff --git a/docs/ingress/traefik/mtls-load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml b/docs/ingress/traefik/mtls-load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml deleted file mode 100644 index dde39570..00000000 --- a/docs/ingress/traefik/mtls-load-balancing/sample-cluster-sample-dc.ingressroutetcp.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: sample-cluster-sample-dc -spec: - entryPoints: - - cassandra - routes: - # Match is the rule corresponding to an underlying router. - - match: HostSNI(`*`) - services: - - name: sample-cluster-sample-dc-service - port: 9042 - terminationDelay: 400 - weight: 10 - tls: - domains: - - main: sample-dc.sample-cluster - options: - name: sample-cluster-sample-dc-options - namespace: default - secretName: sample-cluster-sample-dc-cert - passthrough: false diff --git a/docs/ingress/traefik/mtls-load-balancing/sample-cluster-sample-dc.tlsoption.yaml b/docs/ingress/traefik/mtls-load-balancing/sample-cluster-sample-dc.tlsoption.yaml deleted file mode 100644 index 9eb3789e..00000000 --- a/docs/ingress/traefik/mtls-load-balancing/sample-cluster-sample-dc.tlsoption.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: sample-cluster-sample-dc-options - namespace: default -spec: - clientAuth: - secretNames: - - ca-cert - clientAuthType: RequireAndVerifyClientCert - sniStrict: false diff --git a/docs/ingress/traefik/mtls-sni/README.md b/docs/ingress/traefik/mtls-sni/README.md deleted file mode 100644 index d40a20ed..00000000 --- a/docs/ingress/traefik/mtls-sni/README.md +++ /dev/null 
@@ -1,114 +0,0 @@ -# Traefik with TNS and SNI - -When leveraging a single endpoint ingress / load balancer we naturally remove the ability to route requests based on token awareness. That is unless we leverage TLS with SNI. In this approach the TLS Client HELLO includes a server name which allows the single endpoint to forward the request to the appropriate pod based on rules we specify. - -1. _Optional_ provision a local cluster with k3d. If you already have a cluster provisioned and it is available via `kubectl` you may safely skip this step. - - ```bash - # Create the cluster - k3d c -x "--no-deploy" -x "traefik" - - # Import images from the local Docker daemon - k3d i datastax/cass-operator:1.2.0 - k3d i datastax/cassandra:3.11.6-ubi7 - k3d i datastax/cass-config-builder:1.0-ubi7 - ``` - -1. Install Traefik with Helm - - ```bash - helm repo add traefik https://containous.github.io/traefik-helm-chart - helm repo update - helm install traefik traefik/traefik - ``` - -1. Add an ingress route for the Traefik dashboard and get the IP of the load balancer - - ```bash - kubectl apply -f traefik/mtls-sni/dashboard.ingressroute.yaml - kubectl get svc traefik -o jsonpath="{.status.loadBalancer.ingress[].ip} traefik.k3s.local" - ``` - - If you add an entry to your /etc/hosts file with the value from the second command. With this in place the Traefik dashboard may be viewed at http://traefik.k3s.local/dashboard/. - -1. Edit the traefik `deployment` and add an entrypoint for TCP Cassandra traffic. This should be done in the `args` section of the `traefik` container. - - ```bash - kubectl edit deployment traefik - ``` - - ```yaml - - --entryPoints.websecure.address=:8443/tcp - # Add the following line, note the port number does have to be 9042. The value "cassandra" is displayed in the Traefik UI. 
- - --entryPoints.cassandra.address=:9042/tcp - - --api.dashboard=true - ``` - - After saving your changes the deployment will replace the old pod with a new one including the adjusted arguments. Validate the new entrypoint exists in the Traefik dashboard. - -1. With a new EntryPoint defined we must update the existing service with the new ports. - - ```bash - kubectl edit svc traefik - ``` - - ```yaml - - name: websecure - nodePort: 31036 - port: 443 - protocol: TCP - targetPort: websecure - # Add the following section - - name: cassandra - port: 9042 - protocol: TCP - targetPort: 9042 - ``` - -1. Install `cass-operator` via Helm - - ```bash - helm install --namespace=default cass-operator ./charts/cass-operator-chart - ``` - -1. Deploy a Cassandra cluster - - ```bash - kubectl apply -f sample-cluster-sample-dc.yaml - ``` - -1. Query the host ID values used in the cluster - - ```bash - kubectl get cassdc -o json | jq ".items[].status.nodeStatuses" - { - "sample-cluster-sample-dc-sample-rack-sts-0": { - "hostID": "d1ba31b6-4b0e-4a7a-ba7e-8721271ae99a", - "nodeIP": "10.42.0.29" - } - } - ``` - -1. Generate the TLS certificates and add them as secrets to the cluster with the guide in the [ssl](../ssl) directory. - -1. Install TLS Options to add support for mutual TLS. This configures the CA that must be used in the client certificate - - ```bash - kubectl apply -f traefik/mtls-sni/sample-cluster-sample-dc.tlsoption.yaml - ``` - -1. Edit and create the `IngressTCPRoute`. This provides the SNI mapping for routing TCP requests from the ingress to individual pods. - - ```bash - kubectl apply -f traefik/mtls-sni/sample-cluster-sample-dc.ingressroutetcp.yaml - ``` - -1. Create the `service` for the pod with `kubectl expose`. Note the service name will match the pod name. 
- - ```bash - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-0 - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-1 - kubectl expose pod sample-cluster-sample-dc-sample-rack-sts-2 - ``` - -1. Check out the [sample application](../../sample-java-application) to validate your deployment diff --git a/docs/ingress/traefik/mtls-sni/sample-cluster-sample-dc.ingressroutetcp.yaml b/docs/ingress/traefik/mtls-sni/sample-cluster-sample-dc.ingressroutetcp.yaml deleted file mode 100644 index 353a595f..00000000 --- a/docs/ingress/traefik/mtls-sni/sample-cluster-sample-dc.ingressroutetcp.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRouteTCP -metadata: - name: sample-cluster-sample-dc -spec: - entryPoints: - - cassandra - routes: - # Match is the rule corresponding to an underlying router. - - match: HostSNI(`ec448e83-8b83-407b-b342-13ce0250001c`) - services: - - name: sample-cluster-sample-dc-sample-rack-sts-0 - port: 9042 - terminationDelay: 400 - weight: 10 - - match: HostSNI(`bba52d6e-8415-4869-ad8f-bf03e136e874`) - services: - - name: sample-cluster-sample-dc-sample-rack-sts-1 - port: 9042 - terminationDelay: 400 - weight: 10 - - match: HostSNI(`efe2564e-f8dc-4b0b-89a4-83cc12ec99a6`) - services: - - name: sample-cluster-sample-dc-sample-rack-sts-2 - port: 9042 - terminationDelay: 400 - weight: 10 - tls: - domains: - - main: sample-dc.sample-cluster - sans: - - ec448e83-8b83-407b-b342-13ce0250001c - - bba52d6e-8415-4869-ad8f-bf03e136e874 - - efe2564e-f8dc-4b0b-89a4-83cc12ec99a6 - options: - name: sample-cluster-sample-dc-options - namespace: default - secretName: sample-cluster-sample-dc-cert - passthrough: false diff --git a/docs/ingress/traefik/mtls-sni/sample-cluster-sample-dc.tlsoption.yaml b/docs/ingress/traefik/mtls-sni/sample-cluster-sample-dc.tlsoption.yaml deleted file mode 100644 index 1d6e3abe..00000000 --- a/docs/ingress/traefik/mtls-sni/sample-cluster-sample-dc.tlsoption.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: TLSOption -metadata: - name: sample-cluster-sample-dc-options - namespace: default -spec: - clientAuth: - secretNames: - - ca-cert - clientAuthType: RequireAndVerifyClientCert - sniStrict: true diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt index 65b86227..ff72ff2a 100644 --- a/hack/boilerplate.go.txt +++ b/hack/boilerplate.go.txt @@ -1,5 +1,5 @@ /* -Copyright 2023. +Copyright 2024. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
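Review bot: the `@@ -1,114 +0,0 @@` hunk deletes the Traefik mTLS/SNI README, but two things that README depends on are not in this diff: the `traefik/mtls-sni/dashboard.ingressroute.yaml` it applies in step 3 and the certificate guide it links as `../ssl`. Check whether `dashboard.ingressroute.yaml` is now an orphaned manifest in a directory whose README and sibling manifests are gone, and add a line to the PR description saying where the Traefik mTLS-with-SNI walkthrough moved or why it is dropped, since this removes the only client-certificate ingress procedure visible in the patch without a replacement pointer. The same README sends readers to `../../sample-java-application` to validate the deployment; if that sample still carries a Traefik SNI driver configuration it now documents a path with no corresponding manifests.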
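Review bot: the deletion of `sample-cluster-sample-dc.ingressroutetcp.yaml` (`@@ -1,39 +0,0 @@`) is consistent with removing the README, but the commit should say it is cleanup of a stale sample: the `HostSNI` values in the manifest (`ec448e83-8b83-407b-b342-13ce0250001c` and the two others) do not match the host ID the README shows from `kubectl get cassdc` (`d1ba31b6-4b0e-4a7a-ba7e-8721271ae99a`), and the manifest uses the `traefik.containo.us/v1alpha1` API group with `namespace: default` hard-coded under `tls.options`. If a replacement example is planned, derive the SNI names from the cluster's actual host IDs in the instructions rather than pasting fixed UUIDs, and avoid pinning the namespace.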
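Review bot: `sample-cluster-sample-dc.tlsoption.yaml` (`@@ -1,11 +0,0 @@`) was the object that actually enforced mutual TLS for the Traefik route, via `clientAuthType: RequireAndVerifyClientCert` against the `ca-cert` secret and `sniStrict: true`. Its only consumer in the patch, the `IngressRouteTCP` referencing `sample-cluster-sample-dc-options`, is deleted in the same diff, so nothing dangles here; but if these docs are being consolidated elsewhere, carry both settings over, because Traefik's defaults are `sniStrict: false` and no client certificate requirement, and a rewritten guide that omits the `TLSOption` would silently downgrade the example from mTLS to server-only TLS.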
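Review bot: the `hack/boilerplate.go.txt` change only bumps the template (`-Copyright 2023.` to `+Copyright 2024.`); any generated Go files that already embed the 2023 header will keep it until regenerated, so either regenerate them in this PR or expect a mix of years in the tree. Unrelated to the documentation removal that makes up the rest of the patch, it would be cleaner as its own commit, and a header without a year (or with a range) avoids repeating this churn every January.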
