Support using a LoadBalancer service in front of the submariner-gateway #1071
Comments
This may help with the asymmetry between inbound and outbound IP:
@raffaelespazzoli Is the LoadBalancer resource available on all clouds? I guess yes, but I had a question about that.
This question is a bit confusing. LoadBalancer is not a resource, it's a type of service, and the Service is a core resource available in Kubernetes. Is the LoadBalancer type of service honored in all of the clouds? It depends what you include in that definition of cloud. For the big commercial clouds the answer is yes.
This needs further exploration work:
By "distros" I meant the managed Kubernetes offerings (AKS, EKS, GKE, etc) which are very popular among our users.
We tried the following model
One network LoadBalancer for IPSEC is created on each cluster for each gateway, and that LoadBalancer is announced
At this point the connections (at least in the way we configure them via whack) don't establish.
Pluto
When GW1 tries to contact GW2 LB on 3.139.173.17, it will leave the left private network using the SNAT
Same in the other direction.
Sometimes it gets even weirder (you will see in the attached logs that on pluto always end up responding with NO_PROPOSAL_CHOSEN
Feb 18 17:02:41.038572: | ISAKMP_v2_IKE_SA_INIT message received on 10.0.132.131:4500 but no connection has been authorized with policy ........
I was expecting that pluto would at least identify the packets received based on the ID that we configure (the internal IP of the
WARNING: for the following details the IP addresses don't fully match the above diagrams because they belong
For example, on the left cluster we configure the connections with whack:
And on the right cluster:
We are checking with the libreswan team if:
side_a & side_b logs from the submariner gateway containing the pluto debug output:
This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.
bump
@raffaelespazzoli Interesting project.
No, because there is no way to disable the cloud provider behavior. Also many cloud providers don't let you control the network and create IPs.
On Sun, May 16, 2021, 12:46 AM jawabuu ***@***.***> wrote:
@raffaelespazzoli <https://github.com/raffaelespazzoli> Interesting project.
Can keepalived-operator be used with cloud providers in cases where I do not want to the cloud configured load-balancer?
@jawabuu I don't understand where you are going with this reasoning. On major cloud providers (AWS, Azure, Google) the LoadBalancer Service API feature is provided directly by Kubernetes + cloud provider. The issue might exist on those Kubernetes deployments where there is no cloud provider or the provider does not implement the LoadBalancer Service API. In those instances the mentioned operators, MetalLB and keepalived, can help. Either way, in this context we assume that something is implementing the LoadBalancer service API and we are reasoning on how to leverage this fact for the submariner ingress traffic.
@raffaelespazzoli I do understand this. I'm aware that this is off track to the issue but it's my first encounter with keepalived-operator and was just exploring possibilities. : )
You can contact me, sure.
On Sun, May 16, 2021 at 10:08 AM jawabuu ***@***.***> wrote:
@raffaelespazzoli <https://github.com/raffaelespazzoli> I do understand this. I'm aware that this is off track to the issue but it's my first encounter with keepalived-operator and was just exploring possibilities. : )
I'm actually focusing on cloud providers that do not configure cloud-loadbalancers/lack managed kubernetes services.
I will probably raise the query in that repo.
Could I reach you on slack?
--
ciao/bye
Raffaele
From the point of view of submariner, anything that obeys the LoadBalancer API, creates a public IP and redirects UDP traffic to the submariner-gateway port may work.
@mangelajo This is sufficient.
Related-Issue: submariner-io#1071 Related-Issue: submariner-io/submariner-operator#1406
SUBMARINER_PUBLICIP is now accepted as part of the input environment variables. This environment variable will override the default. The order of preference for setting the public IP resolvers on a gateway will remain as follows:
1) Annotation set on the gateway as gateway.submariner.io/public-ip=....
2) Environment variable passed as SUBMARINER_PUBLICIP
3) the default `"api:api.ipify.org,api:api.my-ip.io/ip,api:ip4.seeip.org"`
Related-Issue: submariner-io#1071
Related-Issue: submariner-io/submariner-operator#1406
Signed-off-by: Miguel Angel Ajo <[email protected]>
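As an added example (not submariner's own code), a hypothetical Go reconstruction of the precedence this commit message describes, annotation first, then SUBMARINER_PUBLICIP, then the built-in default, plus a parser that rejects a malformed "method:value" entry instead of silently skipping it. The annotation, variable and default spec are taken from the message; the function and type names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Names are from the commit message on this page; the logic is a hypothetical
// reconstruction of the stated precedence, not submariner's own code.
const (
	publicIPAnnotation = "gateway.submariner.io/public-ip"
	publicIPEnvVar     = "SUBMARINER_PUBLICIP"
	defaultResolvers   = "api:api.ipify.org,api:api.my-ip.io/ip,api:ip4.seeip.org"
)
// Resolver is one "method:value" entry of the comma-separated resolver spec.
type Resolver struct {
	Method string
	Value  string
}

// SelectPublicIPSpec applies the precedence annotation > env var > default.
// env is injected so the choice is testable without touching the real environment.
func SelectPublicIPSpec(annotations map[string]string, env func(string) string) (spec, source string) {
	if v := strings.TrimSpace(annotations[publicIPAnnotation]); v != "" {
		return v, "annotation"
	}
	if v := strings.TrimSpace(env(publicIPEnvVar)); v != "" {
		return v, "env"
	}
	return defaultResolvers, "default"
}

// ParseResolvers splits the spec and rejects any entry that is not "method:value",
// so a typo in an override fails loudly instead of being silently skipped.
func ParseResolvers(spec string) ([]Resolver, error) {
	var out []Resolver
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		method, value, ok := strings.Cut(item, ":")
		if !ok || method == "" || value == "" {
			return nil, fmt.Errorf("malformed public-ip resolver %q (want method:value)", item)
		}
		out = append(out, Resolver{Method: method, Value: value})
	}
	return out, nil
}
```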
Adds --disable-gateways parameter for: `subctl cloud prepare aws`
This functionality is to be used with the LoadBalancer support which doesn't require dedicated gateways (and doesn't work with them right now if they are on the public subnet).
Fixes-Issue: submariner-io/cloud-prepare#49
Related-Issue: submariner-io/submariner#1071
Signed-off-by: Miguel Angel Ajo <[email protected]>
This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.
What would you like to be added:
Automatic LoadBalancer creation that points to each gateway node, providing an external IP.
Why is this needed:
Currently the gateway nodes need to have a public IP address that can be targeted by other nodes, but that's not supported on some deployment models, and it is something that we work around via terraform scripts.
Items:
Depends on: Verify if ipsec-preferred server will work with a network LoadBalancer on AWS (#1310)