README
¶
discovery service demo
We need to build security into the architecture from day one. Sensitive information must be encrypted and test. Following demo presents usage of cert manager and sealed secrets (maybe medium article is better). The demo runs REST application on the top of k3d and intentionally provides functionality on http and https. All is written in GO / k8s
Overview
Service provides configuration to particular k8gb instances during GSLB startup. This solution is useful if you can't provide various configurations during deployment.
Environment variables
| Name | Description | Default |
|---|---|---|
K8GB_DISCOVERY_YAML_URL |
(Required) URL to raw yaml configuration | |
K8GB_DISCOVERY_EXPOSED_PORT |
(Optional) Service listener port | 8080 |
K8GB_DISCOVERY_DURATION |
(Optional) Duration in case you decide to poll yaml configuration <3m; 24h> |
REST-API
| Name | Description |
|---|---|
/healthy |
In case you establish liveness probe |
/discover/:key |
GSLB hits that endpoint to get configuration where key is unique value provided by GSLB |
/restore |
Restores cache from raw YAML (K8GB_DISCOVERY_YAML_URL) |
/metrics |
simple metrics |
example YAML configuration
test-gslb-us: #can I use unique key for particular k8gb instances ? In the worst case I can combine <cluster>:<namespace>:<instance>
clusterGeoTag: us
extGslbClustersGeoTags:
- eu
dnsZone: cloud.example.com
ingressNamespace: k8gb
edgeDNSZone: example.com
edgeDNSServer: 1.1.1.1
test-gslb-eu:
cluster: test-gslb1 # do I need this? isn't enough key e.g. test-gslb-eu
clusterGeoTag: eu
extGslbClustersGeoTags:
- us
dnsZone: cloud.example.com
ingressNamespace: k8gb
edgeDNSZone: example.com
edgeDNSServer: 1.1.1.1
local playground
bump docker version to the latest and install local k3d.
Certificate manager generates self-signed certificate *.example.com the transfered data is still sent encrypted,
but curl https://... will require -k/--insecure argument which will "only make" curl skip certificate validation,
it will not turn off SSL all together. depending on a browser you will need to skip
NET::ERR_CERT_INVALID
error.
echo "127.0.0.1 disco.example.com" >> /etc/hosts
make reset
curl http://disco.example.com:8080/healthy
curl --insecure https://disco.example.com:8443/healthy
curl --insecure https://disco.example.com:8443/sealed-secret
#Check in browser. For the Chrome you have to type "thisisunsafe"
https://disco.example.com:8443/sealed-secret
make stop
To manipulate with sealed-secrets run :
make sealed-secrets
TODO
- RBAC
- sealed secret based on static certificate instead of cluster cert (currently need to regenerate sealed secret per each cluster start)
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
internal
|
|
|
cmd
Package cmd implements one command - listen, listen for k8gb initial requests and returns disco 🕺🕺
|
Package cmd implements one command - listen, listen for k8gb initial requests and returns disco 🕺🕺 |
|
common/depresolver
DepResolver provides configuration for particular services.
|
DepResolver provides configuration for particular services. |
|
common/guard
Package guard panics when error occurs
|
Package guard panics when error occurs |
|
common/log
Package log provides logger in global scope see: https://github.com/sirupsen/logrus
|
Package log provides logger in global scope see: https://github.com/sirupsen/logrus |
|
imports
Package imports is responsible for downloading and pre-compiling go modules, see: Dockerfile
|
Package imports is responsible for downloading and pre-compiling go modules, see: Dockerfile |
|
services/discovery/internal/cache
package contains Disco cache
|
package contains Disco cache |