pieterlange / kube-openvpn

:closed_lock_with_key: Kubernetes native OpenVPN
MIT License

Any way to make the loadbalancer within Kubes? #28

Closed apenney closed 7 years ago

apenney commented 7 years ago

The README states:

> A cloud loadbalancer should be manually configured to route vpn.my.fqdn:1194 to all nodes on port 30xxx.

Is there no way to bring this into kubes itself? I hate having to then maintain something manual that won't automatically fix itself if I add more nodes, update the cluster, etc.; this would be a huge problem.

I'm not sure if it's just that I'm too inexperienced with Kubes to know better, but I feel like this must be possible. I am guessing that because there's a service `openvpn-ingress` you can't point another service at it?

pieterlange commented 7 years ago

You could actually set the `openvpn-ingress` Service to use `type: LoadBalancer`, which will automatically create a cloud loadbalancer for you, but as you'd still need to point the DNS entry to this loadbalancer I'd rather leave this up to the cluster operator.

I'm not aware of a "default" way to set up these DNS entries, but I'm sure some standard will develop Soon :tm:. :) At that point I'm willing to make more/better default choices for users, but currently I think it's best to leave the project as configurable as possible.

Edit: depending on your cloud platform, with my default suggestion of using a TCP `hostPort` there's actually no problem scaling the cluster size, updating, etc. With AWS (and https://github.com/coreos/kube-aws) I can simply point the ELB to the ASG on the hostPorts. This will incur an extra TCP hop in most cases, but with the new nodepool feature you could have a specific nodepool (=ASG) for handling ingress (VPN, nginx-ingress, <...>) traffic.
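The two exposure options the comment above describes, written out as Kubernetes manifests. This is an added example, not code from the kube-openvpn repository: the Service name `openvpn-ingress` and port 1194 are the ones the thread refers to, while the namespace, the pod selector label `app: openvpn`, the Deployment name and the container image are assumptions made for illustration.

```yaml
# Option 1: let the cloud provider allocate the loadbalancer by changing the
# Service type. The nodePort is then assigned automatically, so nothing has to
# be maintained by hand when nodes are added or the cluster is upgraded.
apiVersion: v1
kind: Service
metadata:
  name: openvpn-ingress
  namespace: default            # assumed
spec:
  type: LoadBalancer
  # Local keeps the client's real source IP visible to OpenVPN (it shows up in
  # the server log instead of a node-internal address) and avoids the extra
  # node-to-node hop the comment mentions; only nodes actually running a pod
  # pass the LB health check, which is what you want here.
  externalTrafficPolicy: Local
  selector:
    app: openvpn                # assumed label on the OpenVPN pods
  ports:
  - name: openvpn
    protocol: TCP
    port: 1194
    targetPort: 1194
---
# Option 2 (the maintainer's default suggestion): bind the pod's port directly
# on every node with hostPort, then point a cloud LB (e.g. an AWS ELB attached
# to the node ASG) at that port on all nodes. Scaling the ASG adds/removes LB
# targets without touching Kubernetes objects.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openvpn                 # assumed
  namespace: default            # assumed
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openvpn              # assumed
  template:
    metadata:
      labels:
        app: openvpn            # assumed
    spec:
      containers:
      - name: openvpn
        image: example.invalid/openvpn:latest   # assumed; use the project's image
        ports:
        - name: openvpn
          containerPort: 1194
          hostPort: 1194
          protocol: TCP
```

With option 1, `kubectl get svc openvpn-ingress` shows the allocated address or hostname in the EXTERNAL-IP column once the provider has created the loadbalancer; creating the `vpn.my.fqdn` DNS record that points at it is the step the maintainer deliberately leaves to the cluster operator. Either way the OpenVPN client's `remote` line can name the loadbalancer rather than the server certificate's CN, because the client validates the server certificate against the CA, not against the hostname it connected to; if you want the client to additionally pin the expected server name, set `verify-x509-name` in the client config.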

pieterlange commented 7 years ago

It turns out there's actually nothing breaking with using client "server" endpoints that don't match the CN in the certificate, as long as the CA matches.

Still planning on providing a more "newbie-proof" solution to this problem, but it looks like it got a whole lot easier (you don't even need to be able to redirect the actual DNS endpoint).

LoadBalancer endpoints usually cost additional money, so I'm not going to make this the default. It might become available as a "deployment strategy" option later.