Add user guide for TLS ingress #6861
kubectl get ingress -n nessie-ns | ||
``` | ||
|
||
Add an entry in the local hosts file (e.g. `/etc/hosts`) mapping that IP address to `nessie.local`, for example: |
While this works, you could avoid fiddling with `/etc/hosts` by using one or both of the methods below:
- for curl only: use the `--resolve` option, e.g. `curl --resolve "nessie.local:443:$(minikube ip)" https://nessie.local/api/v2/config`
- for all tools and browsers: use a nip.io hostname, e.g. `nessie.$(minikube ip).nip.io`: such a host name will resolve to whatever IP `minikube ip` indicates. E.g.
  ```
  ping nessie.$(minikube ip).nip.io
  PING nessie.192.168.49.2.nip.io (192.168.49.2): 56 data bytes
  64 bytes from 192.168.49.2: icmp_seq=0 ttl=64 time=0.108 ms
  ```
  Then you would use `nessie.192.168.49.2.nip.io` as the hostname for your certificates and ingress rules.
Yeah, but the certificate must have the exact host name, which is not known until we start / configure ingress... I guess that would create a chicken and egg problem. Even if adding the TLS cert after startup works, it might be too complex for a guide... WDYT?
Also, the Java client still depends on OS-level host name resolution (although I did not put an example for it).
updated
Use `curl` to verify that the server is accessible: | ||
|
||
```shell | ||
$ curl https://nessie.local/api/v2/config |
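Review bot: the `curl https://nessie.local/api/v2/config` line at the end of this hunk passes no CA option, so it only succeeds when the ingress certificate chains to a CA that curl already trusts. If the guide's certificate is self-signed, show the `--cacert <file>` argument here so readers do not fall back to `-k`, which skips verification and defeats the purpose of the check. Dropping the leading `$ ` prompt would also make the line copy-pasteable.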
I finally got this to work on macOS, so I'm approving the PR, but it required many changes:
- First, ingress ports are not exposed on macOS, see "docker: Ingress not exposed on MacOS" (kubernetes/minikube#7332) for background. So Mac users must run the following command after installing the ingress:
  ```
  minikube tunnel
  ```
  This will detect the ingress rule and open ports for it:
  ```
  ✅ Tunnel successfully started
  📌 NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible ...
  ❗ The service/ingress nessie requires privileged ports to be exposed: [80 443]
  🔑 sudo permission will be asked for it.
  🏃 Starting tunnel for service nessie.
  Password:
  ```
- Once this is done, the service is accessible, but under 127.0.0.1, not `$(minikube ip)`. So you need to change all the commands above, e.g.
  ```
  curl --resolve "nessie.local:443:127.0.0.1" https://nessie.local/api/v2/config
  {
    "defaultBranch" : "main",
    "minSupportedApiVersion" : 1,
    "maxSupportedApiVersion" : 2,
    "actualApiVersion" : 2,
    "specVersion" : "2.0.0",
    "noAncestorHash" : "2e1cfa82b035c26cbbbdae632cea070514eb8b773f616aaeaf668e2f0be8f10d",
    "repositoryCreationTimestamp" : "2023-05-26T10:28:53.462334804Z",
    "oldestPossibleCommitTimestamp" : "2023-05-26T10:28:53.462334804Z"
  }
  ```
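
The host-name constraint raised earlier in this thread, and the macOS note that the service ends up under 127.0.0.1, as an added example that is not part of the PR or any participant's comment. It goes slightly beyond the thread by putting both names in one certificate; the function names, the temporary directory and the sample IP are assumptions, and the nip.io name for 127.0.0.1 is a constructed case.

```shell
#!/bin/sh
# Added illustration: issue a throwaway self-signed certificate whose SANs
# cover nessie.local and the IP-derived nip.io name, then check which host
# names it actually matches. Helper names are hypothetical.

# make_cert <ip> <dir>: writes <dir>/tls.key and <dir>/tls.crt
make_cert() {
  ip=$1; dir=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" \
    -subj "/CN=nessie.local" \
    -addext "subjectAltName=DNS:nessie.local,DNS:nessie.$ip.nip.io" \
    2>/dev/null
}

# cert_matches <crt> <host>: exit status 0 only if <host> is covered.
# openssl reports the result as text ("does match" / "does NOT match"),
# so the status comes from grep, not from openssl itself.
cert_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" \
    | grep -q "does match certificate"
}

# Constructed sample IP (taken from the ping output quoted in the thread);
# on a real cluster this would be "$(minikube ip)".
IP=192.168.49.2
WORK=$(mktemp -d)
make_cert "$IP" "$WORK"

# The last name is what the nip.io scheme would yield if the service were
# reached through 127.0.0.1: the certificate no longer covers it.
for h in nessie.local "nessie.$IP.nip.io" nessie.127.0.0.1.nip.io; do
  if cert_matches "$WORK/tls.crt" "$h"; then
    echo "$h: covered by certificate"
  else
    echo "$h: NOT covered by certificate"
  fi
done
rm -rf "$WORK"
```

A name that stays fixed, such as `nessie.local` reached via `--resolve` or a hosts entry, keeps matching when the IP changes; an IP-derived name needs a new certificate each time.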
@adutra : Could you update with Mac specifics after merging? I do not have a Mac to play with :)
Good idea, will do!
Co-authored-by: Alexandre Dutra <[email protected]>
No description provided.