GitHub - alexellis/inlets-operator: Get a public Kubernetes LoadBalancer for you...
source link: https://github.com/alexellis/inlets-operator
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
README.md
inlets-operator
Get a Kubernetes LoadBalancer where you never thought it was possible.
In cloud-based Kubernetes solutions, Services can be exposed as type "LoadBalancer" and your cloud provider will provision a LoadBalancer and start routing traffic, in another word: you get ingress to your service.
inlets-operator brings that same experience to your local Kubernetes or k3s cluster (k3s/k3d/minikube/microk8s/Docker Desktop/KinD). The operator automates the creation of an inlets exit-node on public cloud, and runs the client as a Pod inside your cluster. Your Kubernetes Service
will be updated with the public IP of the exit-node and you can start receiving incoming traffic immediately.
Who is this for?
This solution is for users who want to gain incoming network access (ingress) to their private Kubernetes clusters running on their laptops, VMs, within a Docker container, on-premises, or behind NAT. The cost of the LoadBalancer with a IaaS like DigitalOcean is around 5 USD / mo, which is 10 USD cheaper than an AWS ELB or GCP LoadBalancer.
Whilst 5 USD is cheaper than a "Cloud Load Balancer", this tool is for users who cannot get incoming connections due to their network configuration, not for saving money vs. public cloud.
Status and backlog
This version of the inlets-operator is a early proof-of-concept, but it builds upon inlets, which is stable and widely used.
Backlog completed:
- Provision VMs/exit-nodes on public cloud
- Provision to Packet.com
- Provision to DigitalOcean
- Automatically update Service type LoadBalancer with a public IP
- Tunnel L7
http
traffic - In-cluster Role, Dockerfile and YAML files
- Raspberry Pi / armhf build and YAML file
- Ignore Services with
dev.inlets.manage: false
annotation
Backlog pending:
- Garbage collect hosts when CRD is deleted
- CI with Travis (use openfaas-incubator/openfaas-operator as a sample)
- ARM64 (Graviton/Odroid/Packet.com) Dockerfile/build and K8s YAML files
- Automate
wss://
for control-port - Move control-port and
/tunnel
endpoint to high port i.e.31111
- Provision to EC2
- Provision to GCP
- Tunnel any
tcp
traffic (usinginlets-pro
)
Inlets tunnels HTTP traffic at L7, so the inlets-operator can be used to tunnel HTTP traffic. A new project I'm working on called inlets-pro tunnels any TCP traffic at L4 i.e. Mongo, Redis, NATS, SSH, TLS, whatever you like.
Author
inlets and inlets-operator are brought to you by Alex Ellis. Alex is a CNCF Ambassador and the founder of OpenFaaS.
If you like this project, then join dozens of other developers by Sponsoring Alex and his OSS work through GitHub Sponsors today.
Video demo
This video demo shows a single-node VM running on k3s on Packet.com, and the inlets exit node also being provisioned on Packet's infrastructure.
See an alternative video showing my cluster running with KinD on my Mac and the exit node being provisioned on DigitalOcean:
Step-by-step tutorial
Running in-cluster, using DigitalOcean for the exit node
You can also run the operator in-cluster, a ClusterRole is used since Services can be created in any namespace, and may need a tunnel.
# Create a secret to store the access token kubectl create secret generic inlets-access-key \ --from-literal inlets-access-key="$(cat ~/Downloads/do-access-token)" # Apply the operator deployment and RBAC role kubectl apply -f ./artifacts/operator-rbac.yaml kubectl apply -f ./artifacts/operator-amd64.yaml
Running on a Raspberry Pi (armhf), using DigitalOcean for the exit node
To get a LoadBalancer for services running on your Raspberry Pi, use the armhf deployment file:
# Create a secret to store the access token kubectl create secret generic inlets-access-key \ --from-literal inlets-access-key="$(cat ~/Downloads/do-access-token)" # Apply the operator deployment and RBAC role kubectl apply -f ./artifacts/operator-rbac.yaml kubectl apply -f ./artifacts/operator-armhf.yaml
Run the Go binary with Packet.com
Assuming you're running a local cluster with KinD:
Sign up to Packet.com and get an access key, save it in ~/packet-token
kubectl apply ./aritifacts/crd.yaml export PACKET_PROJECT_ID="" # Populate from dashboard export GOPATH=$HOME/go/ go get -u github.com/alexellis/inlets-operator cd $GOPATH/github.com/alexellis/inlets-operator go get go build && ./inlets-operator --kubeconfig "$(kind get kubeconfig-path --name="kind")" --access-key=$(cat ~/packet-token) --project-id="${PACKET_PROJECT_ID}"
Run the Go binary with DigitalOcean
Assuming you're running a local cluster with KinD:
Sign up to DigitalOcean.com and get an access key, save it in ~/do-access-token
.
kubectl apply ./aritifacts/crd.yaml export GOPATH=$HOME/go/ go get -u github.com/alexellis/inlets-operator cd $GOPATH/github.com/alexellis/inlets-operator go get go build && ./inlets-operator --kubeconfig "$(kind get kubeconfig-path --name="kind")" --access-key=$(cat ~/do-access-token) --provider digitalocean
Monitor/view logs
kubectl logs deploy/inlets-operator -f
Get a LoadBalancer provided by inlets
kubectl run nginx-1 --image=nginx --port=80 --restart=Always kubectl run nginx-2 --image=nginx --port=80 --restart=Always kubectl expose deployment nginx-1 --port=80 --type=LoadBalancer kubectl expose deployment nginx-2 --port=80 --type=LoadBalancer kubectl get svc kubectl get tunnel nginx-tunnel-1 -o yaml kubectl get svc kubectl logs deploy/nginx-1-tunnel-client
Check the IP of the LoadBalancer and then access it via the Internet.
Example with OpenFaaS, make sure you give the port
a name
of http
, otherwise a default of 80
will be used incorrectly.
apiVersion: v1 kind: Service metadata: name: gateway namespace: openfaas labels: app: gateway spec: ports: - name: http port: 8080 protocol: TCP targetPort: 8080 nodePort: 31112 selector: app: gateway type: LoadBalancer
To ignore a service such as traefik
type in: kubectl annotate svc/traefik -n kube-system dev.inlets.manage=false
Contributing
Contributions are welcome, see the CONTRIBUTING.md guide.
Similar projects / products and alternatives
- metallb - open source LoadBalancer for private Kubernetes clusters, no tunnelling.
- inlets - inlets provides an L7 HTTP tunnel for applications through the use of an exit node, it is used by the inlets operator
- inlets pro - L4 TCP tunnel, which can tunnel any TCP traffic and is on the roadmap for the inlets-operator
- Cloudflare Argo - paid SaaS product from Cloudflare for Cloudflare customers and domains - K8s integration available through Ingress
- ngrok - a popular tunnelling tool, restarts every 7 hours, limits connections per minute, paid SaaS product with no K8s integration available
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK