Closed: bernardhalas closed this issue 2 years ago
During the meeting, we've discussed a particular potential solution to this problem with @miroslavkohutik and @bernardhalas. You may use this idea for the purposes of this task.
There are generally two ways:
1) utilizing the "load balancer as a service" offerings of the public cloud providers, together with their networking offerings, to hook up our Wireguardian VPN to such an LB
2) building our own improvised load balancers out of virtual machines, e.g. using HAProxy
We prefer the second option at the moment, for simplicity and adaptability. It could technically work for both on-premise and public cloud machines, but we'll probably require them to have public IP addresses. In addition, to guarantee sufficient availability of such an LB solution, we're thinking there should be at least two such machines under one IP address, so that the "LB cluster" is resilient to failures of some of its member machines.
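One common way to put two or more LB machines under a single IP address (an assumption on my side, not something we've decided on) is a VRRP-managed virtual IP, e.g. via keepalived. A minimal sketch, with a placeholder interface name and example address:

```
# Hypothetical keepalived config: two LB VMs share one virtual IP.
# The machine holding MASTER state owns the IP; on its failure,
# the BACKUP machine takes the IP over via VRRP.
vrrp_instance LB_VIP {
    state MASTER            # set to BACKUP on the second machine
    interface eth0          # placeholder interface name
    virtual_router_id 51
    priority 100            # use a lower priority on the backup
    virtual_ipaddress {
        203.0.113.10        # the shared IP (example address)
    }
}
```

Note this only covers failover of the IP itself; whether it fits public clouds (where VRRP/gratuitous ARP is often restricted) would need checking per provider.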
Each "LB cluster" will have one or more "roles", e.g. "apiserver" and/or "ingress". There could be an arbitrary number of such "LB clusters" per K8s cluster (zero to N). From the user's perspective, this could later be made customizable in the input config, very similarly to how we were thinking nodepools should work.
I'd like to add one more option to the list. Theoretically, we could rely on DNS-based round-robin load balancing. If we tune it well, we can sustain an outage of a single LB from the pool of LBs within a single cloud-provider domain. For more context, refer here.
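For illustration, DNS round-robin is just multiple A records on one name; a sketch of a zone-file fragment (name and IPs are placeholders, not anything from this task):

```
; example zone fragment: four A records for one name,
; resolvers/clients rotate or randomize among them
lb.example.com.  60  IN  A  198.51.100.1
lb.example.com.  60  IN  A  198.51.100.2
lb.example.com.  60  IN  A  198.51.100.3
lb.example.com.  60  IN  A  198.51.100.4
```

A low TTL (60 s here) makes clients re-resolve sooner after an LB outage, which bounds how long a failed LB keeps receiving new traffic.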
I've created a proposal for the architecture of the standard Claudie LB solution. FYI @bernardhalas @miroslavkohutik @samuelstolicny @borkaz
I have finished setting up and testing the POC. Overall, I would consider this POC a success. The following is a report of my work.
Two mirror infrastructures were created in GCP and Hetzner cloud as described in the image below.
A free domain claudie-test.tk with four A records targeting the four LB machines was registered. DNS-level load balancing appears to happen in a random fashion, with session affinity on some client devices (the least session affinity was observed on Windows 10 devices using curl). The LB machines run Nginx in load-balancing mode to distribute traffic between the cluster machines. The cluster machines run basic Nginx instances serving distinct index.html files; Nginx load balancing works in a round-robin fashion, as expected. When using curl or a web browser, LB machine failures are undetectable from the client's perspective. As long as at least one LB is active, LB outages do not affect new client requests at all (except for DNS affinity).
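The LB-side Nginx setup described above can be sketched roughly as follows (addresses and the upstream name are placeholders, not the actual PoC config):

```
# Hypothetical HTTP load-balancing config on an LB machine.
# The default upstream algorithm is round-robin, matching the
# behaviour observed in the tests.
http {
    upstream cluster_machines {
        server 10.0.0.11;   # cluster machine 1 (placeholder address)
        server 10.0.0.12;   # cluster machine 2 (placeholder address)
    }
    server {
        listen 80;
        location / {
            proxy_pass http://cluster_machines;
        }
    }
}
```

The UDP tests (ports 80 and 9090) would need Nginx's `stream` module instead of the `http` block, with `listen 80 udp;` on the server.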
LB testing was also done using socat, a multipurpose relay tool. TCP and UDP ports 80 and 9090 were tested.
Example test using socat:
On a cluster machine (listener): `socat - udp4-listen:80,reuseaddr,fork`
On the client: `socat - udp:claudie-test.tk:80`
A two-way connection is established, with text data sent from the client showing up on one of the cluster machines' terminals and vice versa. Load balancing tests using socat were successful, with both TCP and UDP traffic being balanced evenly between the four cluster machines. Note that socat manifests strong DNS affinity: connections originating from one client always use the same load-balancing node, regardless of the node's status.
Infrastructure and other relevant files can be found here, VM IP addresses are in the ansible inventory file (log in as root).
I consider this task successfully completed, and the proposed architecture validated for implementation into Claudie.
@miroslavkohutik , on second thought, let's wait for @bernardhalas to review it as well. He can do it within the next 2 weeks.
Please remember that we should still delete the PoC infrastructure. Let's do that before moving this task to "done".
FYI @borkaz
As discussed today, I'll describe the functional tests I have performed:
1. Test Nginx load balancing in the default configuration (Nginx instances on LB machines listen on port 80 and load balance the traffic to cluster machines; Nginx instances on cluster machines listen on port 80 and serve distinct web pages). Run `curl claudie-test.tk` several times; each time you should get a response from a different cluster machine.
2. Stop Nginx on one or more of the cluster machines, then run `curl claudie-test.tk` several times again; each time you should get a response from a different cluster machine, but only from the cluster machines with Nginx running (i.e. no "Connection refused" responses).
3. Configure Nginx on the LB machines to listen on a different port (e.g. 9090) and repeat the previous test with `curl claudie-test.tk:<port>`. The same results are expected.
Test DNS load balancing:
1. Run `curl claudie-test.tk` several times to make sure session affinity is present. Note the LB machine that responds.

Great work, @miroslavkohutik ! :tada:
Thanks for the work done within this POC. Amazing job. A few remarks:
@miroslavkohutik :
Note that socat manifests strong DNS affinity - connections originating from one client always use the same load balancing node, regardless of the node's status.
What specifically do you mean by regardless of the node's status?
@samuelstolicny : As per:
So:
- wait for Bernard's approval
- delete the PoC infrastructure
- move the task to the "Done" section
I think we should mark this task "Done" only once the first two items above are completed.
@bernardhalas thanks for asking about that particular note; on second look, it's not entirely accurate. Socat picks a random IP from the DNS records and keeps using it as long as that IP is reachable, even if the Nginx load balancer on that particular machine is down. It only picks another IP once the original IP becomes unreachable.
Child tasks from #44.
Motivation:
We need to find a feasible LB setup for multi-cloud and hybrid-cloud deployments. In order to start implementing LBs in the platform, we want to run a POC of the architectural setup.
Description:
This task is about figuring out a way to deploy LBs for the K8s API and Ingress controller(s), then running a POC of such a setup along with basic tests of how it behaves. Once we find a working mode, we should assess whether the LB architecture will work for hybrid-cloud setups as well.
Exit criteria: