KongZ / charts

Source for Helm chart repositories contribution
https://charts.kong-z.com/
Apache License 2.0

One Load Balancer for The Cluster #160

Open tigerpeng2001 opened 4 months ago

tigerpeng2001 commented 4 months ago

Hello,

I deployed a cluster in AWS EKS with version 1.7.1, 2 years ago, with the values copied below. There are a few issues I'd like to address for deploying a new Graylog cluster (with the latest version). Could you help?

  1. Three classic load balancers were created for the old cluster. How can one ALB or NLB be used for the service, master, and input (all access, including to the service, is private)?
  2. The service load balancer deployed is set to TCP, not HTTPS or SSL as I expected.
  3. How do I restrict inbound/outbound access to 10.0.0.0/8?

Thank you,

...
  service:
    type: LoadBalancer
    port: 443
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/753cd66c-e8c2-4092-97e9-2a9603033723
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    master:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      port: 9000
  input:
    tcp:
      service:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
        type: LoadBalancer
        loadBalancerIP:
      ports:
        - name: gelf
          port: 12201
        - name: syslog
          port: 12202
  externalUri:....

NAME                       TYPE           CLUSTER-IP       EXTERNAL-IP                                                                        PORT(S)                           AGE
graylog                    ClusterIP      None             <none>                                                                             9000/TCP                          2y51d
graylog-master             LoadBalancer   172.20.101.245   internal-a7767d80ac73c49aeb2cedef3c567bb0-1132647746.us-east-1.elb.amazonaws.com   9000:30155/TCP                    2y51d
graylog-tcp                LoadBalancer   172.20.224.75    internal-ade74e0a8cd3441ddbbb6b8291b262fc-1583953693.us-east-1.elb.amazonaws.com   12201:30667/TCP,12202:31423/TCP   2y51d
graylog-web                LoadBalancer   172.20.93.132    internal-a617e2764ffd04ac598c0e26bf160db3-2060849374.us-east-1.elb.amazonaws.com   443:32415/TCP                     2y51d

KongZ commented 4 months ago
  1. You can create an ALB by annotating graylog.ingress.annotations with kubernetes.io/ingress.class: alb. The class name may differ depending on how you set up the ALB controller.

  2. The NLB is already TCP.

  3. To restrict access, the ALB uses the alb.ingress.kubernetes.io/inbound-cidrs annotation on graylog.ingress.annotations, and the NLB uses loadBalancerSourceRanges on graylog.input.tcp.service.

graylog:
  ingress:
    annotations:
      kubernetes.io/ingress.class: aws-lb
      alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/8
  input:
    tcp:
      ports:
        - name: syslog1
          port: 5140
      service:
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-type: "external"
          service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
        loadBalancerSourceRanges:
          - 10.0.0.0/8

tigerpeng2001 commented 4 months ago

How about the client web interface? I used a classic ELB and attempted to use SSL/HTTPS with a cert managed by ACM. The related part is copied below again.

...
  service:
    type: LoadBalancer
    port: 443
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/753cd66c-e8c2-4092-97e9-2a9603033723
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    master:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      port: 9000
  input:
    tcp:
      ...

tigerpeng2001 commented 4 months ago

Another question: Is there any schedule for releasing a new chart that supports Graylog6?

KongZ commented 4 months ago

A classic load balancer can be created without adding an annotation, but that was removed in AWS LB Controller 2.7.2.

See https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html

Another question: Is there any schedule for releasing a new chart that supports Graylog6?

I don't have a specific date yet.

tigerpeng2001 commented 1 month ago

Hi Kong,

  service:
    type: LoadBalancer
    port: 443
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-scheme: internal
      service.beta.kubernetes.io/load-balancer-source-ranges: 10.0.0.0/8
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:123456789012:certificate/2035edce-ba7b-4b7a-871a-6fbf89fc64b5
    master:
      notations:
        service.beta.kubernetes.io/load-balancer-source-ranges: 10.0.0.0/8
  input:
    tcp:
      ports:
        - name: gelf
          port: 12201
        - name: syslog
          port: 12202
      service:
        type: LoadBalancer
        notations:
          service.beta.kubernetes.io/load-balancer-source-ranges: 10.0.0.0/8

tigerpeng2001 commented 1 month ago

Hi Kong,

All the health checks for the master and the input target groups fail. The web target group is healthy.

The notations for master and input do not affect the load balancer's attributes, such as the security group rules.

Any suggestion?

Thanks, Tiger
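A values lint covering the two points this thread turns on: KongZ's advice to restrict the ALB with alb.ingress.kubernetes.io/inbound-cidrs and the NLB with loadBalancerSourceRanges, and the values pasted in the last comments, whose master and input settings did not take effect. This is an added example, not code from the KongZ/charts project. It assumes the value paths visible in the thread (graylog.service, graylog.service.master, graylog.input.tcp.service, graylog.ingress) and that 10.0.0.0/8 is the only range that should reach any of them; the embedded values are constructed to mirror the last comment, with a placeholder certificate ARN.

```python
"""Lint Helm values for the Graylog load-balancer exposure discussed in this thread.

Added example, not code from the KongZ/charts project. Assumptions (taken from the
values pasted in the thread, not from the chart's values.yaml, so verify them there):
  - the load-balanced services are configured at graylog.service,
    graylog.service.master and graylog.input.tcp.service, each taking
    `annotations` and `loadBalancerSourceRanges`;
  - an ALB ingress is configured under graylog.ingress.annotations;
  - 10.0.0.0/8 is the only CIDR that should reach any of them.
"""
import copy
from typing import Any, Dict, List, Set, Tuple

ALLOWED_CIDRS: Set[str] = {"10.0.0.0/8"}  # assumption: the private range from the thread

SOURCE_RANGE_ANNOTATION = "service.beta.kubernetes.io/load-balancer-source-ranges"
LEGACY_INTERNAL_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-internal"
SCHEME_ANNOTATION = "service.beta.kubernetes.io/aws-load-balancer-scheme"
ALB_INBOUND_ANNOTATION = "alb.ingress.kubernetes.io/inbound-cidrs"

# Keys a service block is expected to carry (assumed layout, see module docstring).
# Helm silently ignores any key no template reads, so a misspelt key changes nothing.
KNOWN_SERVICE_KEYS: Set[str] = {"type", "port", "annotations", "loadBalancerSourceRanges", "loadBalancerIP"}
SERVICE_PATHS: Dict[Tuple[str, ...], Set[str]] = {
    ("graylog", "service"): {"master"},  # the web service block also nests the master block
    ("graylog", "service", "master"): set(),
    ("graylog", "input", "tcp", "service"): set(),
}


def _lookup(values: Dict[str, Any], path: Tuple[str, ...]) -> Any:
    """Walk nested dicts along `path`; return None if any step is missing."""
    node: Any = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _source_ranges(svc: Dict[str, Any]) -> List[str]:
    """CIDRs restricting a Service: spec.loadBalancerSourceRanges plus the AWS annotation."""
    ranges = [str(c) for c in (svc.get("loadBalancerSourceRanges") or [])]
    raw = (svc.get("annotations") or {}).get(SOURCE_RANGE_ANNOTATION)
    if raw:
        ranges += [c.strip() for c in str(raw).split(",") if c.strip()]
    return ranges


def lint_values(values: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means every exposure is restricted."""
    findings: List[str] = []
    for path, extra_keys in SERVICE_PATHS.items():
        svc = _lookup(values, path)
        if not isinstance(svc, dict):
            continue
        where = ".".join(path)
        for key in sorted(set(svc) - KNOWN_SERVICE_KEYS - extra_keys):
            findings.append(f"{where}: unrecognized key '{key}' (Helm ignores keys no template reads)")
        annotations = svc.get("annotations") or {}
        if LEGACY_INTERNAL_ANNOTATION in annotations:
            findings.append(f"{where}: legacy '{LEGACY_INTERNAL_ANNOTATION}' annotation; "
                            f"the AWS Load Balancer Controller uses '{SCHEME_ANNOTATION}: internal'")
        ranges = _source_ranges(svc)
        if not ranges:
            findings.append(f"{where}: no source range restriction "
                            f"(set loadBalancerSourceRanges or '{SOURCE_RANGE_ANNOTATION}')")
        for cidr in ranges:
            if cidr not in ALLOWED_CIDRS:
                findings.append(f"{where}: CIDR {cidr} is not in the allowed set {sorted(ALLOWED_CIDRS)}")
    ingress = _lookup(values, ("graylog", "ingress"))
    if isinstance(ingress, dict) and ALB_INBOUND_ANNOTATION not in (ingress.get("annotations") or {}):
        findings.append(f"graylog.ingress: missing '{ALB_INBOUND_ANNOTATION}'")
    return findings


# Constructed to mirror the values pasted in the last comment above (not a real deployment).
THREAD_VALUES: Dict[str, Any] = {
    "graylog": {
        "service": {
            "type": "LoadBalancer",
            "port": 443,
            "annotations": {
                SCHEME_ANNOTATION: "internal",
                SOURCE_RANGE_ANNOTATION: "10.0.0.0/8",
                "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
            },
            # `notations` is what the pasted values contain; no template reads that key.
            "master": {"notations": {SOURCE_RANGE_ANNOTATION: "10.0.0.0/8"}},
        },
        "input": {"tcp": {
            "ports": [{"name": "gelf", "port": 12201}, {"name": "syslog", "port": 12202}],
            "service": {"type": "LoadBalancer", "notations": {SOURCE_RANGE_ANNOTATION: "10.0.0.0/8"}},
        }},
    }
}


def fixed_values() -> Dict[str, Any]:
    """THREAD_VALUES with `annotations` spelt correctly and the NLB restricted as KongZ suggested."""
    fixed = copy.deepcopy(THREAD_VALUES)
    master = fixed["graylog"]["service"]["master"]
    master["annotations"] = master.pop("notations")
    tcp_svc = fixed["graylog"]["input"]["tcp"]["service"]
    tcp_svc.pop("notations")
    tcp_svc["loadBalancerSourceRanges"] = ["10.0.0.0/8"]
    return fixed


if __name__ == "__main__":
    for label, vals in (("as pasted", THREAD_VALUES), ("corrected", fixed_values())):
        print(f"== {label} ==")
        for finding in lint_values(vals) or ["no findings"]:
            print(" -", finding)
```

Run it against a values file before `helm upgrade`. On the pasted values the lint reports that `notations` is not a key the chart reads and that the master and input services therefore carry no source range restriction; the corrected variant, with the key renamed to `annotations` and `loadBalancerSourceRanges` set on graylog.input.tcp.service, reports nothing. The legacy `aws-load-balancer-internal` annotation from the older values is also flagged, since the thread notes that classic load balancer support was removed in AWS LB Controller 2.7.2.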