feat: Opt-in to endpoints for Load balancer Services #568

Merged: 3 commits merged on Jan 14, 2025

jonstacks
Collaborator

What

Overview

ngrok is migrating from Edges to Endpoints. This allows users to opt-in to using endpoints instead of edges for Load Balancer Services by adding the annotation k8s.ngrok.com/use-endpoints: "true" (in most cases).

Potential Rough Edges (Running List)

A few notable cases where this migration isn't perfect and could use more consideration or changes:

  1. TLS Edges default to terminating TLS at the ngrok edge. Cloud Endpoints with urls that look like tls://<domain> do not terminate TLS by default and need to supply a terminate-tls traffic policy action if they want TLS to be terminated at ngrok.
    There are a few workarounds for this, but if you are already using modulesets you can create the following moduleset and specify a min version for TLS termination. As part of the transparent migration from modulesets -> trafficpolicy when using endpoints, this will instruct it to terminate TLS. Ex:
```yaml
apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: NgrokModuleSet
metadata:
  name: tls
  namespace: default
modules:
  tlsTermination:
    minVersion: "1.2"
```

Then you just need to make sure to add the tls NgrokModuleSet to the list of modules on a service, like so:

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    k8s.ngrok.com/modules: only-trusted-ips, tls
    k8s.ngrok.com/use-endpoints: "true"
```
  2. Note: We are missing equivalent traffic policy actions for SAML, OIDC, and OAuth modules.

How

This change allows users to opt-in to using endpoints instead of edges. There is a slight refactor for the different types of "resolvers" to their own package so that we can use those resolvers in the util package without creating circular dependencies.

The current design is if the k8s.ngrok.com/use-endpoints: "true" annotation is present, it will attempt to transparently convert the modulesets from the modulesets annotation to equivalent traffic policy. If that fails because we don't have support for a given module in traffic policy or the annotation does not exist, it will fall back to using edges for minimal impact.

Breaking Changes

No, there should not be any breaking changes. All of this work outside of the refactor is hidden behind an opt-in annotation.

Fixes ERR_NGROK_224: The value '' is not valid for the terminate_at property of the TLS Termination endpoint configuration module
@jonstacks jonstacks self-assigned this Jan 10, 2025
@jonstacks jonstacks requested a review from a team as a code owner January 10, 2025 12:30
@github-actions github-actions bot added area/controller Issues dealing with the controller area/helm-chart Issues dealing with the helm chart labels Jan 10, 2025
@jonstacks jonstacks added this pull request to the merge queue Jan 14, 2025
Merged via the queue into ngrok:main with commit 7cbe57e Jan 14, 2025
8 checks passed
@jonstacks jonstacks deleted the lb-services-feature-flag branch January 14, 2025 20:07
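
Added example (not code from this PR or from the ngrok operator): a small Go model of the fallback described under "How", showing that a Service with a module that has no traffic policy equivalent stays on edges rather than moving to endpoints with that module dropped. The `Decision` type, the `Decide` function and the `oidc` module key are assumptions; the conversion table holds only the `tlsTermination` to `terminate-tls` pair named in the description.

```go
package main

import (
	"fmt"
	"sort"
)

const useEndpoints = "k8s.ngrok.com/use-endpoints" // annotation named in the PR

// convertible maps a module key to its traffic policy action. Only the
// tlsTermination -> terminate-tls pair is taken from the PR description.
var convertible = map[string]string{"tlsTermination": "terminate-tls"}

// Decision records which backend a Service gets and why (hypothetical type).
type Decision struct {
	Backend string   // "endpoints" or "edges"
	Actions []string // traffic policy actions, set only for endpoints
	Reason  string
}

// Decide models the fallback: every configured module must convert, otherwise
// the Service stays on edges so that no module is silently dropped.
func Decide(annotations map[string]string, modules []string) Decision {
	if annotations[useEndpoints] != "true" {
		return Decision{Backend: "edges", Reason: "opt-in annotation not set"}
	}
	sorted := append([]string(nil), modules...)
	sort.Strings(sorted) // deterministic order for the first reported failure
	var actions []string
	for _, m := range sorted {
		action, ok := convertible[m]
		if !ok {
			return Decision{Backend: "edges", Reason: "no traffic policy equivalent for " + m}
		}
		actions = append(actions, action)
	}
	return Decision{Backend: "endpoints", Actions: actions, Reason: "all modules converted"}
}

func main() {
	optIn := map[string]string{useEndpoints: "true"}
	// Constructed inputs; "oidc" is an assumed module key.
	fmt.Println(Decide(optIn, []string{"tlsTermination"}))
	fmt.Println(Decide(optIn, []string{"tlsTermination", "oidc"}))
	fmt.Println(Decide(map[string]string{}, []string{"tlsTermination"}))
}
```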