DefGuard / deployment

Deployment files (docker, kubernetes, installer) for defguard enterprise VPN with MFA

Add support for GRPC for nginx Ingress #39

Closed orlovmyk closed 1 month ago

orlovmyk commented 7 months ago

Currently, as I understand it, you are testing only with traefik, so it's the only supported ingress.

I use Nginx Ingress (official one, not k8s) https://artifacthub.io/packages/helm/nginx/nginx-ingress

My solution for now is to create a custom ingress to route traffic:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: defguard-custom-ingress-grpc
  namespace: "base"
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.org/grpc-services: defguard-grpc
spec:
  ingressClassName: nginx
  rules:
  - host: defguard-custom-grpc.myk.pp.ua
    http:
      paths:
      - backend:
          service:
            name: defguard-grpc
            port:
              number: 50055
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - defguard-custom-grpc.myk.pp.ua
    secretName: defguard-custom-ingress-grpc-tls

And also I had to enable http2 according to https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource#listeners

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
  namespace: "base"
data:
  # ConfigMap values are strings, so the quotes are required
  http2: "true"

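
Added example (not part of orlovmyk's post or of the DefGuard charts): an offline pre-flight check that takes the working setup in the comment above as its reference, meaning the `nginx.org/grpc-services` annotation names a real backend, the host has a `tls` entry, and the ConfigMap sets `http2` to the string `"true"`. The function name `check_grpc_ingress`, the dict layout (what a YAML loader would return) and the broken variant are assumptions made for illustration.

```python
GRPC_ANNOTATION = "nginx.org/grpc-services"

def check_grpc_ingress(ingress, configmap):
    """Return the problems that differ from the working gRPC setup in the post."""
    problems = []
    annotations = ingress.get("metadata", {}).get("annotations", {})
    spec = ingress.get("spec", {})
    rules = spec.get("rules", [])
    raw = annotations.get(GRPC_ANNOTATION, "")
    grpc_services = {s.strip() for s in raw.split(",") if s.strip()}
    if not grpc_services:
        problems.append(f"missing {GRPC_ANNOTATION} annotation")
    # Every annotated service must actually be a backend of this Ingress.
    backends = {p.get("backend", {}).get("service", {}).get("name")
                for r in rules for p in r.get("http", {}).get("paths", [])}
    for svc in sorted(grpc_services - backends):
        problems.append(f"annotated service {svc!r} is not a backend")
    # The post's Ingress terminates TLS for its host; flag hosts without it.
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    for rule in rules:
        if rule.get("host") not in tls_hosts:
            problems.append(f"host {rule.get('host')!r} has no TLS entry")
    # ConfigMap data values are strings: http2 must be "true", not a boolean.
    if configmap.get("data", {}).get("http2") != "true":
        problems.append('ConfigMap data.http2 is not the string "true"')
    return problems

# The post's manifests as dicts, trimmed to the fields that are checked.
HOST = "defguard-custom-grpc.myk.pp.ua"
INGRESS = {
    "metadata": {"annotations": {GRPC_ANNOTATION: "defguard-grpc"}},
    "spec": {
        "rules": [{"host": HOST, "http": {"paths": [{"path": "/", "backend": {
            "service": {"name": "defguard-grpc", "port": {"number": 50055}}}}]}}],
        "tls": [{"hosts": [HOST], "secretName": "defguard-custom-ingress-grpc-tls"}],
    },
}
CONFIGMAP = {"data": {"http2": "true"}}

# Constructed broken variant: wrong service name, no tls block, boolean http2.
BROKEN = {"metadata": {"annotations": {GRPC_ANNOTATION: "defguard"}},
          "spec": {"rules": INGRESS["spec"]["rules"]}}

if __name__ == "__main__":
    print("as posted:", check_grpc_ingress(INGRESS, CONFIGMAP))
    for problem in check_grpc_ingress(BROKEN, {"data": {"http2": True}}):
        print("broken variant:", problem)
```
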
teon commented 7 months ago

@orlovmyk we are using DG with external load balancers (like HAproxy) thus we have not added any rev-proxy to Kubernetes. If your setup works, you are welcome to add a pull request in the documentation section:

https://defguard.gitbook.io/defguard/admin-and-features/setting-up-your-instance/kubernetes

like: Nginx Proxy with GRPC

Thank you in advance 🙏

orlovmyk commented 7 months ago

I am glad to add something like this, but I think it's more about helm chart functionality than the docs section. I don't want to add dirty hacks to the official docs. I will try to modify the chart in my free time. Also, I saw there is a branch called new_chart; are there any plans to finish it? I don't want to modify the old one and create merge conflicts.

Regarding

we are using DG with external load balancers (like HAproxy) thus we have not added any rev-proxy to Kubernetes.

I think you are wrong; otherwise there would be no need to create a GRPC ingress: https://github.com/DefGuard/deployment/blob/059e88b78750c5116f8c1d40305f36a35298c4a2/charts/defguard/values.yaml#L20

Thanks in advance

teon commented 1 month ago

@orlovmyk done in new deployments by @filiprafaj and @vanazdenek 🙏