ngrok / ngrok-operator

The official ngrok Kubernetes Operator
https://ngrok.com
MIT License
203 stars 26 forks

Grpc support #499

Open brookatlas opened 1 week ago

brookatlas commented 1 week ago

Description

From what I know, ngrok supposedly supports TCP connection tunneling, and HTTP/2 as well.

I was trying the other day to use ngrok to expose a local argocd instance, as part of a workshop I'm making, just to realize ngrok does not support gRPC for the ingress controller.

Is there a workaround for it? Is there anyone who would like to see this feature except me?

Also, is it even possible with the existing SDK used for the operator?

Use Case

Trying to expose argocd over ngrok ingress in k8s.

It needs both http/https and grpc.

Related issues

No response

jonstacks commented 4 days ago

Hi @brookatlas,

This should already be possible today. I run argo with the ngrok-operator in my home lab. Here is how I am running it:

---
# IPPolicy is optional if you want to restrict traffic to argocd by IPs
kind: IPPolicy
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
  name: argocd-ip-allowlist
  namespace: argocd
spec:
  description: "Trusted IPs"
  rules:
  - action: allow
    cidr: '1.2.3.4/32' # Replace this with your IP 
    description: "Trusted IP"
---
# This uses the ipRestriction module to restrict traffic to argocd
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
  name: argocd-access
  namespace: argocd
modules:
  ipRestriction:
    policies: ["argocd-ip-allowlist"]
---
# This modifies the argocd-server service to tell the ngrok-operator that the upstream
# is served over TLS and the app protocol is http/2
apiVersion: v1
kind: Service
metadata:
  name: argocd-server
  namespace: argocd
  annotations:
    k8s.ngrok.com/app-protocols: '{"https": "HTTPS"}'
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    appProtocol: k8s.ngrok.com/http2 # OR "kubernetes.io/h2c"
    targetPort: 8080
  selector:
    app.kubernetes.io/name: argocd-server
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-ingress
  namespace: argocd
  annotations:
    # (Optional) ExternalDNS annotations if using your own domain. If using a ngrok managed domain,
    # these can be omitted
    external-dns.alpha.kubernetes.io/hostname: argocd.mydomain.xyz
    external-dns.alpha.kubernetes.io/ttl: 1m
    # (Optional) Use the argocd-access moduleset to restrict access by IPs
    k8s.ngrok.com/modules: argocd-access
spec:
  ingressClassName: ngrok
  rules:
  - host: argocd.mydomain.xyz
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: argocd-server
            port:
              name: https

And then logging in with argocd login argocd.mydomain.xyz --grpc-web.

Let me know if you run into any problems.
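
A check that could be run over these manifests before applying them, as an added example that is not part of the comment above or of the ngrok-operator project: it follows the Ingress's `k8s.ngrok.com/modules` annotation to the NgrokModuleSet and its IPPolicy objects, and reports a broken reference, a world-open allow rule, or the `1.2.3.4/32` placeholder left in place. The function name, the dict input shape and the comma-separated handling of the annotation are assumptions.

```python
import ipaddress
PLACEHOLDER_CIDR = "1.2.3.4/32"  # the "Replace this with your IP" value in the answer

def audit_ip_restriction(objects, ingress_name, namespace):
    """Return findings for one Ingress; [] means the restriction chain looks sound."""
    def find(kind, name):  # falls through to None when nothing matches
        for o in objects:
            m = o.get("metadata", {})
            if (o.get("kind"), m.get("name"), m.get("namespace")) == (kind, name, namespace):
                return o
    ingress = find("Ingress", ingress_name)
    if ingress is None:
        return [f"Ingress {ingress_name} not found in {namespace}"]
    # Assumption: the annotation may name several module sets, comma-separated.
    names = ingress["metadata"].get("annotations", {}).get("k8s.ngrok.com/modules", "")
    module_sets = [n.strip() for n in names.split(",") if n.strip()]
    if not module_sets:
        return ["no k8s.ngrok.com/modules annotation: no IP restriction applied"]
    findings, policies = [], []
    for ms_name in module_sets:
        ms = find("NgrokModuleSet", ms_name)
        if ms is None:
            findings.append(f"NgrokModuleSet {ms_name} not found in {namespace}")
        else:
            policies += ms.get("modules", {}).get("ipRestriction", {}).get("policies", [])
    if not policies and not findings:
        findings.append("referenced module sets carry no ipRestriction policies")
    for p_name in policies:
        policy = find("IPPolicy", p_name)
        if policy is None:
            findings.append(f"IPPolicy {p_name} not found in {namespace}")
            continue
        rules = policy.get("spec", {}).get("rules", [])
        for cidr in [r["cidr"] for r in rules if r.get("action") == "allow"]:
            if cidr == PLACEHOLDER_CIDR:
                findings.append(f"IPPolicy {p_name} still allows the placeholder {cidr}")
            elif ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"IPPolicy {p_name} allows every address ({cidr})")
    return findings

# Constructed sample: the answer's objects as dicts (`kubectl get -o json` shape).
SAMPLE = [
    {"kind": "IPPolicy", "metadata": {"name": "argocd-ip-allowlist", "namespace": "argocd"},
     "spec": {"rules": [{"action": "allow", "cidr": "1.2.3.4/32"}]}},
    {"kind": "NgrokModuleSet", "metadata": {"name": "argocd-access", "namespace": "argocd"},
     "modules": {"ipRestriction": {"policies": ["argocd-ip-allowlist"]}}},
    {"kind": "Ingress", "metadata": {"name": "argocd-ingress", "namespace": "argocd",
                                     "annotations": {"k8s.ngrok.com/modules": "argocd-access"}}},
]
```

Run against `SAMPLE` as written, `audit_ip_restriction(SAMPLE, "argocd-ingress", "argocd")` reports the unreplaced placeholder; the list is empty once the CIDR is replaced with a real address.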