Proxies Pool
1. Introduction
The proxies pool is the set of machines that expose services to the outside. It comprises two or more machines, and its purpose is to redirect traffic to the inside of the stack. It adds an extra layer of security to the infrastructure.
2. Architecture

The Gateway Pool is divided into two groups: kube-gateway-pool and nat-gateway-pool.
3. kube-gateway-pool
3.1. Roles
This group is a component of the Kubernetes cluster, allowing it to expose its services. Indeed, the exposure of cluster services to the web servers passes exclusively through this group of machines.

3.2. Networking

- Network Interfaces:
  - gateway-network
  - box-network
3.3. Volumes

3.4. Installation
To form the group, it must be declared in the main inventory.
    kube_gateway_pool:
      hosts:
        gateway-1:
        gateway-2:
        gateway-3:
3.5. Routing
Kubernetes services can only pass through the gateways if they are declared in:

Declaration:
- Main inventory
    app:
      arogcd:
        port: XXXXX
      pgadmin4:
        port: XXXXX
      dash:
        port: XXXXX
      keycloak:
        port: XXXXX
      kibana:
        port: XXXXX
      v-admin:
        port: XXXXX
- Declaration in group vars (Magic variables)
    proxies:
      target:
        group: kube_gateway_pool
      routes:
        pgadmin4:
          mode: http
          address: "*"
          port: "{{ app.pgadmin4.port }}"
          destination:
            group:
              name: kube_gateway_pool
              port: "{{ app.pgadmin4.port }}"
          balance: roundrobin
          options:
            - httplog
        argocd:
          mode: http
          address: "*"
          port: "{{ app.arogcd.port }}"
          destination:
            group:
              name: kube_gateway_pool
              port: "{{ app.arogcd.port }}"
          balance: roundrobin
          options:
            - httplog
        dash:
          mode: http
          address: "*"
          port: "{{ app.dash.port }}"
          destination:
            group:
              name: kube_gateway_pool
              port: "{{ app.dash.port }}"
          balance: roundrobin
          options:
            - httplog
        keycloak:
          mode: http
          address: "*"
          port: "{{ app.keycloak.port }}"
          destination:
            group:
              name: kube_gateway_pool
              port: "{{ app.keycloak.port }}"
          balance: roundrobin
          options:
            - httplog
        kibana:
          mode: http
          address: "*"
          port: "{{ app.kibana.port }}"
          destination:
            group:
              name: kube_gateway_pool
              port: "{{ app.kibana.port }}"
          balance: roundrobin
          options:
            - httplog
        v-admin:
          mode: http
          address: "*"
          # Bracket lookup: Jinja2 would parse app.v-admin as "app.v minus admin".
          port: "{{ app['v-admin'].port }}"
          destination:
            group:
              name: kube_gateway_pool
              port: "{{ app['v-admin'].port }}"
          balance: roundrobin
          options:
            - httplog
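One way to check that the declarations above really are the only paths through a gateway, given as an added example that is not part of the original page or the project's code. It assumes the routes have already been templated to concrete ports, that port 22 is an allowed management listener, and that the listener list comes from `ss -ltnH` on a gateway; all ports, the sample output and the function names are constructed for illustration.

```python
# Added example; all data is constructed (the page elides real ports as XXXXX).
APP = {  # "app" block of the main inventory, after templating
    "pgadmin4": {"port": 30080},
    "arogcd": {"port": 30081},
    "kibana": {"port": 30082},
}
ROUTES = {  # proxies.routes, with the Jinja references already resolved
    "pgadmin4": {"address": "*", "port": 30080},
    "argocd": {"address": "*", "port": 30081},
    "grafana": {"address": "*", "port": 3000},  # has no "app" entry
}
SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:30080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:30081 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:9000 [::]:*
"""  # constructed output of `ss -ltnH` on one gateway


def listening_ports(ss_text):
    """Return the set of local TCP ports from `ss -ltnH` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            # Column 4 is "local-address:port"; rsplit copes with IPv6.
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def audit(app, routes, ss_text, management_ports=frozenset({22})):
    """Compare inventory, route declarations and actual listeners by port."""
    app_ports = {entry["port"] for entry in app.values()}
    route_ports = {r["port"]: name for name, r in routes.items()}
    listeners = listening_ports(ss_text)
    return {
        # Routes exposing a port that the inventory never declared.
        "routes_without_app": sorted(n for p, n in route_ports.items() if p not in app_ports),
        # Inventory services with no route: not reachable through the gateway.
        "apps_without_route": sorted(n for n, e in app.items() if e["port"] not in route_ports),
        # Open ports that no route or management allowance explains.
        "unexpected_listeners": sorted(listeners - set(route_ports) - management_ports),
        # Declared routes that are not actually listening.
        "routes_not_listening": sorted(n for p, n in route_ports.items() if p not in listeners),
    }


if __name__ == "__main__":
    print(audit(APP, ROUTES, SS_OUTPUT))
```

Matching is done by port rather than by name, so a route and an inventory key that are spelled differently still pair up when they share a port.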
3.6. High Availability
High availability is ensured through replication. There are three machines with more or less the same configuration.

3.7. Security
- iptables: managed by Kubernetes
3.8. Applications
- HAProxy for traffic routing
- GlusterFS for clustering volumes
- Kubernetes services for exposing deployments
- Containerd as the container runtime
4. nat-gateway-pool
4.1. Roles
This group primarily serves to:
- Route requests to the internet (iptables, Netplan)
- Serve the box's internal applications, specifically those used for the box's operation
- Monitor the infrastructure (Prometheus, Grafana) and services (Consul). This is the only group with access to the various networks, which puts it in a position to monitor all logical units of the infrastructure.

4.2. Networking

- Network Interfaces:
  - gateway-network
  - box-network
4.3. Volumes

4.4. Installation
    nat_gateway_pool:
      vars:
        output_interface: gateway-network
        input_interface: box-network
        vips:
          box-network:
            virtual_router_id: 5
            vip: 192.168.1.254
      hosts:
        gateway-4:
          box-network:
            priority: 200
            state: MASTER
        gateway-5:
          box-network:
            priority: 100
            state: BACKUP
4.5. Routing
Each machine in the nat-gateway-pool primarily routes traffic to the functional services of the box, i.e., the applications used to manage or monitor the cluster's proper functioning. Examples include Grafana, Prometheus, Consul and GitLab.
4.6. High Availability

4.7. Security
- iptables (to be completed)
4.8. Applications
- Grafana
- Prometheus
- Consul
- GitLab