paralus / website

Paralus website, documentation & blog.
https://www.paralus.io

Document Ingress controller requirements and alternatives #88

Open akshay196 opened 1 year ago

akshay196 commented 1 year ago

Currently Paralus by default installs the Contour controller and manages routes using HTTPProxy resources. It would be good to document the following:

  1. What are the requirements for choosing ingress controllers for Paralus?
  2. List of ingress controllers that work and that we have tested.

Joibel commented 1 year ago

I have it working with ingress-nginx running the console ingress, and a service type: LoadBalancer for the rest of it. I understand that this might be less advisable than having a proxy in front of the relay though.

I failed to get ssl-passthrough on ingress-nginx working (it requires you to put an enablement flag on the controller, which I did, but despite my attempts it was still proxying).

Would it be possible to get paralus to use the cert-manager generated certificate for .user and .core-connector?

akshay196 commented 1 year ago

> I have it working with ingress-nginx running the console ingress, and a service type: LoadBalancer for the rest of it. I understand that this might be less advisable than having a proxy in front of the relay though.

True. However, in some cases it would be feasible to use it without any third-party proxy, for example, local testing.

> I failed to get ssl-passthrough on ingress-nginx working (it requires you to put an enablement flag on the controller, which I did, but despite my attempts it was still proxying).

Setting the ssl passthrough annotation on the ingress resource and enabling ssl passthrough at the ingress-nginx controller should have worked.

I have seen many folks go for ingress-nginx, so if the above configuration works, let us know so we could document it.

> Would it be possible to get paralus to use the cert-manager generated certificate for .user and .core-connector?

Possibly. Need to check though.
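
An offline check for the two prerequisites named in the comment above (controller flag and Ingress annotation), added here as an example and not code from the thread participants or the Paralus project. The flags `--enable-ssl-passthrough` and `--annotations-prefix` and the annotation `nginx.ingress.kubernetes.io/ssl-passthrough` are ingress-nginx's own; the controller args, Ingress name and host are constructed placeholders, and accepting only the literal value "true" is an assumption of this example.

```python
# Added example: offline check of ingress-nginx SSL passthrough prerequisites.
FLAG = "--enable-ssl-passthrough"          # controller flag, off by default
PREFIX_FLAG = "--annotations-prefix"       # controller flag, changes the key
DEFAULT_PREFIX = "nginx.ingress.kubernetes.io"


def parse_controller_args(args):
    """Return (passthrough_enabled, annotation_prefix) from container args.

    Only the --flag and --flag=value spellings are handled.
    """
    enabled, prefix = False, DEFAULT_PREFIX
    for arg in args:
        name, _, value = arg.partition("=")
        if name == FLAG:
            # A bare flag means true; an explicit false value disables it.
            enabled = value.lower() not in ("false", "f", "0")
        elif name == PREFIX_FLAG and value:
            prefix = value
    return enabled, prefix


def passthrough_findings(controller_args, ingress):
    """List the reasons nginx would still terminate TLS for this Ingress."""
    enabled, prefix = parse_controller_args(controller_args)
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    key = prefix + "/ssl-passthrough"
    findings = []
    if not enabled:
        findings.append("controller started without " + FLAG)
    if annotations.get(key) != "true":
        # An annotation under a different prefix is silently ignored.
        strays = [k for k in annotations if k.endswith("/ssl-passthrough") and k != key]
        hint = " (found %s instead)" % strays[0] if strays else ""
        findings.append('annotation %s is not "true"%s' % (key, hint))
    return findings


# Constructed samples: the Ingress name and host are placeholders.
CONTROLLER_ARGS = ["/nginx-ingress-controller", "--ingress-class=nginx"]
RELAY_INGRESS = {
    "metadata": {
        "name": "relay-passthrough-example",
        "annotations": {"nginx.ingress.kubernetes.io/ssl-passthrough": "true"},
    },
    "spec": {"rules": [{"host": "relay.example.test"}]},
}

if __name__ == "__main__":
    for finding in passthrough_findings(CONTROLLER_ARGS, RELAY_INGRESS):
        print("TLS still terminated by nginx:", finding)
```

An empty result means both prerequisites are present in the manifests; it does not prove that the running controller pod was restarted with the new args.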

NumenDivinum commented 6 months ago

I would say ingress-nginx is way more popular than contour, and most of the users would prefer it. Installing contour for just one service can not be justified for security teams.

I decided to try Paralus with ingress-nginx and failed. SSL Passthrough may work, but it requires enabling a flag in the controller, which is a no-go for production environments. And with a cert-manager certificate issued by Let's Encrypt it is not possible to bootstrap a cluster into Paralus - the relay doesn't accept such a certificate:

```
{"level":"info","ts":"2024-03-28T08:47:54.636Z","caller":"tunnel/client.go:416","msg":"Relay Agent.Client.paralus-core-relay-agent::dial failed network: tcp addr: 0289c6d7-4v33-4b26-672e-b02192e7894b.core-connector.paralus.some.domain:443 err: tls: failed to verify certificate: x509: certificate signed by unknown authority "}
```