On Thu, Mar 10, 2016 at 1:28 PM, Nishadi Kirielle <[email protected]> wrote:
> Thank you for the suggestion of using the default self signed certificate.
> I have attempted SSL termination approach of terminating the SSL
> connection at the load balancer and sending unencrypted connections to the
> backend server via the ha proxy configuration of 'ssl verify none'. This
> approach allows https traffic to be load balanced and exposed.
>

Terminating SSL at the middle of a communication flow would introduce security risks.

Thanks

> Thanks
>
> On Thu, Mar 10, 2016 at 11:20 AM, Imesh Gunaratne <[email protected]> wrote:
>
>> On Thu, Mar 10, 2016 at 10:49 AM, Nishadi Kirielle <[email protected]> wrote:
>>
>>> Hi all,
>>> I have only tested for http traffic earlier. Although the kubernetes
>>> service loadbalancer template has support for https, when I have deployed
>>> an application ( dell/tomcat ) which has the support for https, the ha
>>> proxy load balancer did not identify it as a https service in the haproxy
>>> configuration file. It just identified the application as a http
>>> application and updated the configuration file accordingly.
>>>
>>
>> Yes, in our K8S services we have defined the protocol as TCP, not as
>> HTTPS/SSL. Therefore there is no way for the service load balancer to find
>> this information by looking at the services.
>>
>>> Thus I have manually altered the ha proxy configuration file to support
>>> for https traffic with a self signed certificate specific for the node ip.
>>> But it fails in accessing the application, since the application needs the
>>> self signed certificate specific to the application.
>>> As a solution for this I'm trying with bind option 'cert' to bind
>>> several certificate files[2] of the specific applications.
>>>
>>
>> Shall we try with the default self signed certificate distributed with a
>> WSO2 product?
>>
>> Thanks
>>
>>> Any suggestions on this are highly appreciated.
>>>
>>> [1] https://github.com/kubernetes/contrib/tree/master/service-loadbalancer
>>> [2] https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
>>>
>>> Thanks
>>>
>>> On Wed, Mar 9, 2016 at 10:33 AM, Imesh Gunaratne <[email protected]> wrote:
>>>
>>>> Hi Deep,
>>>>
>>>> On Tue, Mar 8, 2016 at 8:08 PM, Deependra Ariyadewa <[email protected]> wrote:
>>>>
>>>>> On Mon, Mar 7, 2016 at 10:30 AM, Nishadi Kirielle <[email protected]> wrote:
>>>>>
>>>>>> Hi All,
>>>>>> I have written the blog post on load balancing and session affinity
>>>>>> in kubernetes. [1]
>>>>>>
>>>>>
>>>>> I am going to test session affinity for HTTPS traffic in Kubernetes
>>>>> following your configurations. Did you try to enable session affinity for
>>>>> HTTPS traffic in Kubernetes?
>>>>>
>>>> We would need to configure haproxy with relevant SSL certificates for
>>>> HTTPS to work. I do not think we tested it. See [1] for the haproxy config
>>>> template used by the service load balancer. This will get packaged to the
>>>> Docker service load balancer Docker image [2].
>>>>
>>>> [1] https://github.com/kubernetes/contrib/blob/master/service-loadbalancer/template.cfg
>>>> [2] https://github.com/kubernetes/contrib/blob/master/service-loadbalancer/Dockerfile
>>>>
>>>> Thanks
>>>>
>>>>> Thanks,
>>>>> Deependra.
>>>>>
>>>>>> Thank you
>>>>>>
>>>>>> [1] http://nishadikirielle.blogspot.com/2016/03/load-balancing-kubernetes-services-and.html
>>>>>>
>>>>>> On Fri, Mar 4, 2016 at 8:22 PM, Nishadi Kirielle <[email protected]> wrote:
>>>>>>
>>>>>>> Thanks a lot. I will write a blog post and share it.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Fri, Mar 4, 2016 at 6:07 PM, Sagara Gunathunga <[email protected]> wrote:
>>>>>>>
>>>>>>>> Great, it would be better if Nishadi can write a step by step blog
>>>>>>>> post about how to do this. We had to do a 30 hours hackathon to change
>>>>>>>> MSF4J Pet-store sample due to this issue :)
>>>>>>>>
>>>>>>>> Thanks !
>>>>>>>>
>>>>>>>> On Fri, Mar 4, 2016 at 5:54 PM, Imesh Gunaratne <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Indeed! Overall great effort!!
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> On Fri, Mar 4, 2016 at 3:36 PM, Lakmal Warusawithana <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Great work Nishadi!
>>>>>>>>>>
>>>>>>>>>> On Fri, Mar 4, 2016 at 3:34 PM, Nishadi Kirielle <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>> In attempting to configure session affinity in kubernetes load
>>>>>>>>>>> balancing, I tried to run nginx alpha ingress controller[1] to
>>>>>>>>>>> expose the services through ingress. But the generated nginx
>>>>>>>>>>> configuration file was missing the service ports to access the
>>>>>>>>>>> services. Thus I have manually updated the configuration file to
>>>>>>>>>>> check the functionality of ingress. Since session affinity is
>>>>>>>>>>> available in haproxy, I have created a haproxy docker container
>>>>>>>>>>> and manually updated its configuration file in order to check its
>>>>>>>>>>> functionality with ingress.
>>>>>>>>>>> As per a suggestion of Imesh and Lakmal, I have tried kubernetes
>>>>>>>>>>> service loadbalancer repo[2]. There, they have developed the load
>>>>>>>>>>> balancing directly with pods, bypassing the services. This
>>>>>>>>>>> procedure corrects the session affinity problem in load balancing
>>>>>>>>>>> in kubernetes.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>
>>>>>>>>>>> [1] https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx-alpha
>>>>>>>>>>> [2] https://github.com/kubernetes/contrib/tree/master/service-loadbalancer
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Feb 29, 2016 at 12:35 PM, Imesh Gunaratne <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Feb 29, 2016 at 12:12 PM, Lakmal Warusawithana <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Feb 29, 2016 at 11:56 AM, Imesh Gunaratne <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Lakmal,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Feb 29, 2016 at 11:37 AM, Lakmal Warusawithana <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What are we trying to do here? Are we trying to verify the
>>>>>>>>>>>>>>> ClientIP when exposing service via NodePort? IMO it's working
>>>>>>>>>>>>>>> without issue.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes the first step was to verify ClientIP and then try to
>>>>>>>>>>>>>> get an Ingress Controller either with nginx or haproxy working
>>>>>>>>>>>>>> with session affinity.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> If you want to verify ClientIP, Udara has written very simple
>>>>>>>>>>>>> code, better to use that.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Guys, we need to resolve this very fast... too much time
>>>>>>>>>>>>> taking basic stuff, which we already verified :(
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> We are on it Lakmal! Will resolve this ASAP.
>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Feb 29, 2016 at 11:37 AM, Lakmal Warusawithana <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What are we trying to do here? Are we trying to verify the
>>>>>>>>>>>>>>> ClientIP when exposing service via NodePort? IMO it's working
>>>>>>>>>>>>>>> without issue.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sun, Feb 28, 2016 at 11:58 PM, Nishadi Kirielle <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In order to test the session affinity in Kubernetes, I have
>>>>>>>>>>>>>>>> deployed WordPress on a kubernetes cluster with several
>>>>>>>>>>>>>>>> replicas and enabled the session affinity by setting
>>>>>>>>>>>>>>>> service.spec.sessionAffinity to "ClientIP". When the
>>>>>>>>>>>>>>>> kubernetes service is exposed through NodePort, I have
>>>>>>>>>>>>>>>> tested the accuracy of session affinity using Apache bench
>>>>>>>>>>>>>>>> mark for simple load testing. With a load of 1000 requests
>>>>>>>>>>>>>>>> and a maximum of 2 requests running concurrently, all
>>>>>>>>>>>>>>>> requests returned successfully without a failure. Thus the
>>>>>>>>>>>>>>>> session affinity is functioning properly when the services
>>>>>>>>>>>>>>>> are exposed via NodePort.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The next attempt is to test the session affinity with
>>>>>>>>>>>>>>>> ingress API exposing the services.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Any feedback or suggestions are highly appreciated.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> *Nishadi Kirielle*
>>>>>>>>>>>>>>>> *Software Engineering Intern*
>>>>>>>>>>>>>>>> Mobile : +94 (0) 714722148
>>>>>>>>>>>>>>>> Blog : http://nishadikirielle.blogspot.com/
>>>>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> Dev mailing list
>>>>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Lakmal Warusawithana
>>>>>>>>>>>>>>> Director - Cloud Architecture; WSO2 Inc.
>>>>>>>>>>>>>>> Mobile : +94714289692
>>>>>>>>>>>>>>> Blog : http://lakmalsview.blogspot.com/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> *Imesh Gunaratne*
>>>>>>>>>>>>>> Senior Technical Lead
>>>>>>>>>>>>>> WSO2 Inc: http://wso2.com
>>>>>>>>>>>>>> T: +94 11 214 5345 M: +94 77 374 2057
>>>>>>>>>>>>>> W: http://imesh.io
>>>>>>>>>>>>>> Lean . Enterprise . Middleware
>>>>>>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sagara Gunathunga
>>>>>>>>
>>>>>>>> Architect; WSO2, Inc.; http://wso2.com
>>>>>>>> V.P Apache Web Services; http://ws.apache.org/
>>>>>>>> Linkedin; http://www.linkedin.com/in/ssagara
>>>>>>>> Blog ; http://ssagara.blogspot.com
>>>>>>>>
>>>>>
>>>>> --
>>>>> Deependra Ariyadewa
>>>>> WSO2, Inc. http://wso2.com/ http://wso2.org
>>>>>
>>>>> email [email protected]; cell +94 71 403 5996 ;
>>>>> Blog http://risenfall.wordpress.com/
>>>>> PGP info: KeyID: 'DC627E6F'
>>>>>
>>>>> *WSO2 - Lean . Enterprise . Middleware*
>>>>>

--
*Imesh Gunaratne*
Senior Technical Lead
WSO2 Inc: http://wso2.com
T: +94 11 214 5345 M: +94 77 374 2057
W: http://imesh.io
Lean . Enterprise . Middleware
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
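
An added example, not part of the thread and not the service-loadbalancer project's template: an HAProxy 1.5-style configuration for the setup discussed above, with TLS terminated at the load balancer, several certificates on one `bind` via `crt`, cookie-based session affinity, and a `server` line using `ssl verify none` beside one that validates the backend certificate. All file names, backend names and addresses are constructed placeholders.

```haproxy
# Added example; every path, name and address below is a constructed placeholder.
global
    crt-base /etc/haproxy/certs   # directory holding the frontend PEM bundles
    ca-base  /etc/haproxy/ca      # directory holding CA files for backend checks

defaults
    mode http                     # cookie-based affinity needs HTTP mode
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # TLS terminates here. With several "crt" entries HAProxy picks the
    # certificate by SNI; the first one listed is the default.
    bind *:443 ssl crt node-default.pem crt app-a.pem crt app-b.pem
    default_backend app_a

# Weak: the hop to the pod uses TLS, but the backend certificate is never
# checked, so whatever answers on that address is accepted.
backend app_a_unverified
    cookie SERVERID insert indirect nocache
    server pod1 10.244.1.10:9443 ssl verify none cookie pod1

# Hardened: re-encrypt to the pod and validate its certificate. For a
# self-signed backend certificate, the ca-file can be that certificate.
backend app_a
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server pod1 10.244.1.10:9443 ssl verify required ca-file backend-ca.pem cookie pod1
    server pod2 10.244.1.11:9443 ssl verify required ca-file backend-ca.pem cookie pod2
```

Once the placeholder certificate files exist, `haproxy -c -f haproxy.cfg` checks the file for syntax errors without starting the proxy.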
