discovery service demo

We need to build security into the architecture from day one. Sensitive information must be encrypted and test. Following demo presents usage of cert manager and sealed secrets (maybe medium article is better). The demo runs REST application on the top of k3d and intentionally provides functionality on http and https. All is written in GO / k8s

Overview

Service provides configuration to particular k8gb instances during GSLB startup. This solution is useful if you can't provide various configurations during deployment.

Environment variables

Name	Description	Default
`K8GB_DISCOVERY_YAML_URL`	(Required) URL to raw yaml configuration
`K8GB_DISCOVERY_EXPOSED_PORT`	(Optional) Service listener port	`8080`
`K8GB_DISCOVERY_DURATION`	(Optional) Duration in case you decide to poll yaml configuration <`3m`; `24h`>

REST-API

Name	Description
`/healthy`	In case you establish liveness probe
`/discover/:key`	GSLB hits that endpoint to get configuration where key is unique value provided by GSLB
`/restore`	Restores cache from raw YAML (`K8GB_DISCOVERY_YAML_URL`)
`/metrics`	simple metrics

example YAML configuration

test-gslb-us: #can I use unique key for particular k8gb instances ? In the worst case I can combine <cluster>:<namespace>:<instance>
  clusterGeoTag: us
  extGslbClustersGeoTags:
    - eu
  dnsZone: cloud.example.com
  ingressNamespace: k8gb
  edgeDNSZone: example.com
  edgeDNSServer: 1.1.1.1
test-gslb-eu:
  cluster: test-gslb1 # do I need this? isn't enough key e.g. test-gslb-eu
  clusterGeoTag: eu
  extGslbClustersGeoTags:
    - us
  dnsZone: cloud.example.com
  ingressNamespace: k8gb
  edgeDNSZone: example.com
  edgeDNSServer: 1.1.1.1

local playground

bump docker version to the latest and install local k3d. Certificate manager generates self-signed certificate *.example.com the transfered data is still sent encrypted, but curl https://... will require -k/--insecure argument which will "only make" curl skip certificate validation, it will not turn off SSL all together. depending on a browser you will need to skip NET::ERR_CERT_INVALID error.

echo "127.0.0.1 disco.example.com" >> /etc/hosts 
make reset
curl http://disco.example.com:8080/healthy
curl --insecure https://disco.example.com:8443/healthy
curl --insecure https://disco.example.com:8443/sealed-secret
#Check in browser. For the Chrome you have to type "thisisunsafe"
https://disco.example.com:8443/sealed-secret 
make stop

To manipulate with sealed-secrets run :

make sealed-secrets

TODO

RBAC
sealed secret based on static certificate instead of cluster cert (currently need to regenerate sealed secret per each cluster start)

Name		Name	Last commit message	Last commit date
Latest commit History 81 Commits
.github		.github
app		app
internal		internal
sealed-secrets		sealed-secrets
test		test
.gitignore		.gitignore
.golangci.yaml		.golangci.yaml
Dockerfile		Dockerfile
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
go.mod		go.mod
go.sum		go.sum
k3d-config.yaml		k3d-config.yaml
main.go		main.go

License

kuritka/service-discovery-simple

Folders and files

Latest commit

History

Repository files navigation

discovery service demo

Overview

Environment variables

REST-API

example YAML configuration

local playground

TODO

About

Topics

Resources

License

Stars

Watchers

Forks

Languages