Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Grpc support #499

Open
brookatlas opened this issue Nov 10, 2024 · 1 comment
Open

Grpc support #499

brookatlas opened this issue Nov 10, 2024 · 1 comment
Assignees
@jonstacks
Labels
question Further information is requested

Comments

@brookatlas
Copy link

Description

From what I know, ngrok supposedly supports tcp connections tunneling, and http/2 as well.

Was trying to other day to use ngrok to expose a local argocd instance, as part of a workshop Im making, just to realize ngrok does not support grpc for the ingress controller.

Is there a workaround around it? is there anyone who would like to see this feature except me?

Also, is it even possible with the existing sdk used for the operator?

Use Case

Trying to expose argocd over ngrok ingress in k8s.

It needs both http/https and grpc.

Related issues

No response
@brookatlas brookatlas added enhancement New feature or request needs-triage Issues that need triage labels Nov 10, 2024
@jonstacks
Copy link
Collaborator

Hi @brookatlas,

This should already be possible today. I run argo with the ngrok-operator in my home lab. Here is how I am running it:

---
# IPPolicy is optional if you want to restrict traffic to argocd by IPs
kind: IPPolicy
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
  name: argocd-ip-allowlist
  namespace: argocd
spec:
  description: "Trusted IPs"
  rules:
  - action: allow
    cidr: '1.2.3.4/32' # Replace this with your IP 
    description: "Trusted IP"
---
# This uses the ipRestriction module to restrict traffic to argocd
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
  name: argocd-access
  namespace: argocd
modules:
  ipRestriction:
    policies: ["argocd-ip-allowlist"]
---
# This modifies the argocd-server service to tell the ngrok-operator that the upstream
# is served over TLS and the app protocol is http/2
apiVersion: v1
kind: Service
metadata:
  name: argocd-server
  namespace: argocd
  annotations:
    k8s.ngrok.com/app-protocols: '{"https": "HTTPS"}'
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    appProtocol: k8s.ngrok.com/http2 # OR "kubernetes.io/h2c"
    targetPort: 8080
  selector:
    app.kubernetes.io/name: argocd-server
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-ingress
  namespace: argocd
  annotations:
    # (Optional) ExternalDNS annotations if using your own domain. If using a ngrok managed domain,
    # these can be omitted
    external-dns.alpha.kubernetes.io/hostname: argocd.mydomain.xyz
    external-dns.alpha.kubernetes.io/ttl: 1m
    # (Optional) Use the argocd-acess moduleset to restrict access by IPs
    k8s.ngrok.com/modules: argocd-access
spec:
  ingressClassName: ngrok
  rules:
  - host: argocd.mydomain.xyz
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              name: https

And then logging in with argocd login argocd.mydomain.xyz --grpc-web.

Let me know if you run into any problems.

@jonstacks jonstacks self-assigned this Nov 12, 2024
@jonstacks jonstacks added question Further information is requested and removed enhancement New feature or request needs-triage Issues that need triage labels Nov 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jonstacks jonstacks

Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jonstacks @brookatlas