It is possible to deploy the CloudSoda controller in a “dark deployment” configuration, where the CloudSoda controller only connects to the internet for installations, upgrades, and ad hoc support requests. This places an additional operational burden on all parties involved and limits CloudSoda features, so it is only done under special circumstances.
As part of a standard CloudSoda installation, the platform handles DNS and generates valid certificates for HTTPS. In a "dark deployment", the customer is responsible for creating DNS records and installing signed certificates for HTTPS.
DNS Creation
Prior to the CloudSoda installation, a server needs to be deployed following CloudSoda server guidelines. As stated in the reference architecture guide, the server should have a single IP address, and that IP address should be used for all the fully qualified domain names (FQDNs). The FQDNs that CloudSoda requires are:
cloudsoda.myco.com
cloudsoda.api.myco.com
cloudsoda.id.myco.com
cloudsoda.docs.myco.com
cloudsoda.agent.myco.com
In the above example, “cloudsoda” is the host name and “myco.com” is the domain name the company uses. The primary FQDN (cloudsoda.myco.com) and the IP address are required on the install form, so please have them ready before requesting the install form.
Certificate Creation
To reduce the cost and maintenance of certificate signing, we recommend adding Subject Alternative Names (SANs) to the certificate. This will create a single certificate that covers all the hostnames. The hostnames are:
cloudsoda.myco.com
cloudsoda.api.myco.com
cloudsoda.id.myco.com
cloudsoda.docs.myco.com
You may notice that no certificate is requested for the "cloudsoda.agent.myco.com" address. That connection is purely UDP and carries its own TLS encryption, so it does not require an SSL certificate.
Certificate Installation
Once the certificate has been issued, combine it with the intermediate certificate if one is required (server certificate first, then the intermediate, in a single PEM file such as cert.crt) and copy the certificate and the key to the controller. SSH into the server and run the following commands.
kubectl -n soda create secret tls viewer-certificate-secret --cert=cert.crt --key=key.key
kubectl -n soda create secret tls identifier-certificate-secret --cert=cert.crt --key=key.key
kubectl -n soda create secret tls interfacer-certificate-secret --cert=cert.crt --key=key.key
kubectl -n soda create secret tls documenter-certificate-secret --cert=cert.crt --key=key.key
If you receive a message that the secrets already exist, you can delete them safely and rerun the operation above.
kubectl -n soda delete secret viewer-certificate-secret
kubectl -n soda delete secret identifier-certificate-secret
kubectl -n soda delete secret interfacer-certificate-secret
kubectl -n soda delete secret documenter-certificate-secret
This step is only necessary if creating the secrets fails because they already exist: delete the old ones, then rerun the create commands above.
You should now be able to browse to https://cloudsoda.myco.com and be presented with a valid certificate.
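The Certificate Creation and Certificate Installation steps above, as one added example that is not CloudSoda's own tooling: it renders an openssl request config whose SANs cover the four HTTPS hostnames, verifies that the issued certificate actually lists them, and loads it into the four secrets in a way that is safe to rerun. It assumes openssl and kubectl are on PATH and uses the article's placeholder host "cloudsoda" and domain "myco.com".

```shell
#!/bin/sh
# Added example, not CloudSoda's own tooling. Builds an openssl request
# config whose SAN list covers the four HTTPS hostnames, checks that the
# issued certificate really carries them, and loads it into the four
# CloudSoda TLS secrets idempotently. Assumes openssl and kubectl are on
# PATH; "cloudsoda" and "myco.com" are the placeholders used in the article.

# The four HTTPS hostnames, primary FQDN first. The UDP agent endpoint
# (cloudsoda.agent.*) is intentionally absent: it needs no certificate.
san_hosts() {
  printf '%s.%s\n%s.api.%s\n%s.id.%s\n%s.docs.%s\n' "$1" "$2" "$1" "$2" "$1" "$2" "$1" "$2"
}

# Render an openssl config: CN is the primary FQDN, SANs cover all four.
san_config() {
  sans=$(san_hosts "$1" "$2" | sed 's/^/DNS:/' | tr '\n' ',' | sed 's/,$//')
  printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
  printf '[dn]\nCN = %s.%s\n[ext]\nsubjectAltName = %s\n' "$1" "$2" "$sans"
}

# Generate key.key plus the CSR (cert.csr) to hand to your CA.
make_csr() {
  san_config "$1" "$2" > san.cnf
  openssl req -new -newkey rsa:2048 -nodes -keyout key.key -out cert.csr -config san.cnf
}

# Succeed only if the certificate file names every required host as a SAN.
check_cert_sans() {
  ext=$(openssl x509 -in "$3" -noout -ext subjectAltName) || return 1
  for h in $(san_hosts "$1" "$2"); do
    echo "$ext" | grep -Eq "DNS:$h([,]|\$)" || { echo "missing SAN: $h" >&2; return 1; }
  done
}

# Create or update the four secrets. "create --dry-run | apply" is
# idempotent, so reruns need none of the delete commands from the article.
install_secrets() {
  for n in viewer identifier interfacer documenter; do
    kubectl -n soda create secret tls "$n-certificate-secret" \
      --cert=cert.crt --key=key.key --dry-run=client -o yaml | kubectl apply -f -
  done
}

case "${1:-}" in
  csr)     make_csr cloudsoda myco.com ;;
  install) check_cert_sans cloudsoda myco.com cert.crt && install_secrets ;;
esac
```

Run it as `sh script.sh csr` to produce the CSR, and `sh script.sh install` on the controller after the CA returns cert.crt.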
Updates & Support
In a “dark deployment,” updates will need to be scheduled, and remote access will need to be granted so the proper software can be downloaded and provisioned. Moreover, when running a "dark deployment", support can be more challenging, as firewall access may need to be granted. Therefore, please ensure there is a firewall rule that can be readily enabled and disabled.
Installing and updating CloudSoda
The CloudSoda controller installs itself automatically when a user runs an install script on the provisioned server. An email will be sent to the main point of contact with a command to run that will pull the script and initiate the installation. Some email systems may alter the URL in the email. If this happens, please contact support@cloudsoda.io. They will assist you in getting the installation process started.
Ports and URLs
The following is a detailed list of ports and cloud endpoints.
Ports: TCP 80, 443 for pulling container images. CloudSoda pulls images from the following locations. These need to be accessible for the install and all updates.
quay.io/frrouting
quay.io/metallb
us-west1-docker.pkg.dev/services-337921
k8s.gcr.io/defaultbackend-amd64
registry.k8s.io/ingress-nginx
docker.io/rancher
public.ecr.aws/gravitational
Ports: TCP 80, 443, 3080 for the control plane. These ports need to be open for install, updates and remote support.
https://cloudsoda.teleport.sh
Port: TCP 50051 for CloudSoda location and price book service.
compass.cloudsoda.io
books.cloudsoda.io
The following endpoints are necessary for the install only. However, we recommend temporarily allowing all outbound HTTPS traffic during the install to ensure it goes smoothly.
https://get.k3s.io
https://k3s-ci-builds.s3.amazonaws.com
https://update.k3s.io
https://cloudsoda.teleport.sh
https://charts.releases.teleport.dev
https://cannery.cloudsoda.io
https://github.com
https://raw.githubusercontent.com
https://api.github.com
https://cloudsodainitscripts-usw2-p-1.s3.amazonaws.com
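An egress preflight for the ports and endpoints listed above, as an added example that is not CloudSoda's own tooling: run it once the temporary firewall rule is enabled to confirm every endpoint is reachable before the install or update window. It assumes nc (netcat) is installed on the controller; the endpoint list is constructed here from the article.

```shell
#!/bin/sh
# Added example, not CloudSoda's own tooling: an egress preflight that probes
# each endpoint from the lists above while the temporary firewall rule is
# enabled, so the rule can be closed again with confidence. Assumes nc
# (netcat) is installed on the controller; the endpoint list is constructed
# here from the article.

# Reduce "https://host/path" or "host/repo" to the bare hostname.
host_of() {
  printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Emit "host port" pairs: registries and install URLs on 443, the control
# plane on 443 and 3080, location and price book service on 50051.
endpoints() {
  for r in quay.io us-west1-docker.pkg.dev/services-337921 k8s.gcr.io \
           registry.k8s.io docker.io public.ecr.aws; do
    echo "$(host_of "$r") 443"
  done
  echo "cloudsoda.teleport.sh 443"; echo "cloudsoda.teleport.sh 3080"
  echo "compass.cloudsoda.io 50051"; echo "books.cloudsoda.io 50051"
  for u in https://get.k3s.io https://k3s-ci-builds.s3.amazonaws.com \
           https://update.k3s.io https://charts.releases.teleport.dev \
           https://cannery.cloudsoda.io https://github.com \
           https://raw.githubusercontent.com https://api.github.com \
           https://cloudsodainitscripts-usw2-p-1.s3.amazonaws.com; do
    echo "$(host_of "$u") 443"
  done
}

# TCP-connect to every endpoint; print one status line each and return the
# count of blocked endpoints (0 means the firewall window is sufficient).
preflight() {
  failed=0
  while read -r host port; do
    if nc -z -w 5 "$host" "$port" 2>/dev/null; then echo "ok      $host:$port"
    else echo "BLOCKED $host:$port"; failed=$((failed + 1)); fi
  done <<EOF
$(endpoints)
EOF
  return "$failed"
}

case "${1:-}" in
  preflight) preflight ;;
esac
```

Run as `sh preflight.sh preflight`; a non-zero exit code is the number of endpoints still blocked by the firewall.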