  • Gavin

    Gavin

    1 year ago
    Small config dump before I raise a proper example config. This is a working ingress-nginx Ingress for Fleet on k8s (spec section omitted below):
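    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: fleetdm-fleet-ingress
      namespace: default
      annotations:
        kubernetes.io/ingress.class: nginx
        # The fleet backend speaks TLS, so ordinary requests are proxied as HTTPS. The
        # gRPC-over-TLS (grpcs) paths used by kolide-launcher are handled by their own
        # grpc_pass locations in the server-snippet below.
        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
        # NOTE(review): ingress-nginx reads annotations under its own prefix
        # (nginx.ingress.kubernetes.io/ by default), so the two keys below are likely
        # ignored as written - confirm against the controller version in use. Do not
        # simply "fix" the prefix: real SSL passthrough hands the raw TCP connection to
        # the backend, which would bypass every location in the server-snippet
        # (including the 403 denies). Terminate TLS at nginx and use grpcs upstream.
        ingress.kubernetes.io/force-ssl-redirect: 'true'
        ingress.kubernetes.io/ssl-passthrough: 'true'
        # nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
        nginx.ingress.kubernetes.io/server-snippet: |
          # Deny operational endpoints at the edge. These are prefix matches
          # (/metrics also covers /metrics/...) and are case-sensitive. Keep the list
          # in sync with whatever non-agent endpoints the fleet server exposes.
          location /metrics {
            return 403;
          }
          location /debug {
            return 403;
          }
          location /version {
            return 403;
          }

          # gRPC-over-TLS path used by kolide-launcher. The set $... lines mirror what
          # ingress-nginx generates for its own locations so that upstream_balancer
          # (the controller's Lua balancer) routes to the fleet service; the upstream
          # name appears to follow <namespace>-<service>-<port>.
          location /kolide.launcher.QueryTarget/GetTargets {
            port_in_redirect off;

            set $balancer_ewma_score -1;
            set $proxy_upstream_name "default-fleet-loadbalancer-8080";
            set $proxy_host          $proxy_upstream_name;
            set $pass_access_scheme  $scheme;
            set $pass_server_port    $server_port;
            set $best_http_host      $http_host;
            set $pass_port           $pass_server_port;

            # Overwrite (never append to) X-Forwarded-For so a client-supplied value
            # is not forwarded. $remote_addr is whatever connects to nginx, i.e. a
            # front load balancer if there is one.
            grpc_set_header X-Forwarded-For        $remote_addr;

            # On connection errors/timeouts try the next upstream before failing.
            # These must be the grpc_* directives: proxy_next_upstream* (and
            # proxy_redirect) only apply to proxy_pass and are inert in a grpc_pass
            # location. Like proxy_next_upstream, non-idempotent requests that were
            # already sent to an upstream are not retried.
            grpc_next_upstream                      error timeout;
            grpc_next_upstream_timeout              0;
            grpc_next_upstream_tries                3;

            grpc_pass grpcs://upstream_balancer;
          }

          # Agent gRPC API methods. Anchored regex (dots escaped) so only exactly these
          # methods are routed as grpcs; anything else falls through to the
          # controller's default HTTPS location.
          location ~ ^/kolide\.agent\.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
            port_in_redirect off;

            set $balancer_ewma_score -1;
            set $proxy_upstream_name "default-fleet-loadbalancer-8080";
            set $proxy_host          $proxy_upstream_name;
            set $pass_access_scheme  $scheme;
            set $pass_server_port    $server_port;
            set $best_http_host      $http_host;
            set $pass_port           $pass_server_port;

            # Overwrite (never append to) X-Forwarded-For; see the location above.
            grpc_set_header X-Forwarded-For        $remote_addr;

            # grpc_* variants of the retry directives; proxy_next_upstream* does not
            # apply to grpc_pass.
            grpc_next_upstream                      error timeout;
            grpc_next_upstream_timeout              0;
            grpc_next_upstream_tries                3;

            grpc_pass grpcs://upstream_balancer;
          }
      labels:
        app: fleet-webserver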
    ....

    @User you may find this of interest as you were the main person I found asking for it and @User thanks for the blog post
  • defensivedepth

    defensivedepth

    1 year ago
    no problem! 🙂
  • hilt

    hilt

    1 year ago
    awesome - just what I need! thanks @Gavin + @defensivedepth
  • Gavin

    Gavin

    1 year ago
    FYI, this started to fall over at around 1K hosts; I'm working on another change for this now.
  • defensivedepth

    defensivedepth

    1 year ago
    @hilt hey hilt, long time no talk 🙂
  • hilt

    hilt

    1 year ago
    hey @defensivedepth - hope you are going well! I’ve got time this week if you wanted to have a quick chat