stop documenting node proxy; document router proxy
qrkourier committed Sep 15, 2023
1 parent c98ed5c commit d27207c
Showing 1 changed file with 20 additions and 15 deletions.
35 changes: 20 additions & 15 deletions docusaurus/docs/guides/kubernetes/workload-tunneling/index.md
Expand Up @@ -7,27 +7,28 @@ This guide will help you discover the best strategy and tool for connecting a Ku
```mermaid
graph TB;
A{Pod connects to an </br>OpenZiti Service?}
A -- Yes --> B{Intercept at pod or </br>node level?}
A -- Yes --> B{Intercept at pod or </br>cluster level?}
subgraph egressGraph ["&nbsp;"]
direction BT
B -- NODE --> F(["transparent node proxy </br>(tunneler daemonset) </br>provides DNS and IP interception to </br>all pods on selected nodes"])
B -- CLUSTER --> F(["router proxy </br>(tcp proxy) </br>provides cluster DNS and TCP proxy </br>for each bound Ziti service"])
B -- POD ---> G{Pod uses DNS or </br>static IP to connect to </br>the OpenZiti Service?}
G -- YES --> H(["transparent sidecar </br>(iptables tproxy)</br> provides DNS and </br>IP interception to the pod"])
G -- NO ---> I(["loopback sidecar </br>(tcp proxy)</br>binds a local port to </br>each OpenZiti Service"])
end
class egressGraph subgraphClass
A -- No --------> K{OpenZiti Router </br>is installed?}
subgraph ingressGraph ["&nbsp;"]
K -- Yes --> J([OpenZiti Router provides </br>ingress to</br>cluster services])
K -- Yes --> J([OpenZiti Router reverse proxy </br>provides ingress to</br>cluster services])
K -- No ---> C{Nginx </br>is </br>installed?}
C -- Yes --> D([Nginx container with </br>OpenZiti proxy module </br>provides ingress to</br>cluster services])
C -- No ---> E([ziti-host </br>reverse proxy pod</br>provides ingress </br>to cluster services])
end
click D "../../securing-apis/aks-api-with-nginx-ziti-module/" "OpenZiti Nginx Module"
click E "./kubernetes-host/" "ziti-host"
click F "./kubernetes-daemonset/" "node proxy"
click H "./kubernetes-sidecar/" "transparent sidecar"
click I "#loopback-proxy-sidecar" "loopback sidecar"
click D "#nginx-proxy-module" "OpenZiti Nginx Module"
click E "#ziti-host-as-reverse-proxy-pod" "ziti-host"
click F "#ziti-router-as-cluster-service-proxy" "cluster proxy"
click H "#ziti-tunnel-as-transparent-proxy-sidecar" "transparent sidecar"
click I "#ziti-tunnel-as-loopback-proxy-sidecar" "loopback sidecar"
click J "#ziti-router-as-reverse-proxy" "cluster reverse proxy"
```

## Strategies and Solutions
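Review bot: the new F node label says the router proxy provides a TCP proxy "for each bound Ziti service", but the section it links to (ziti-router as Cluster Service Proxy) describes this path as the router's tunnel identity being authorized by a Dial Service Policy, and in Ziti vocabulary "bind" is the hosting side; on the egress edge (B -- CLUSTER) the label therefore reads as the opposite direction of the traffic it depicts. Suggest "provides cluster DNS and TCP proxy </br>for each dialed Ziti service" (or "each proxied Ziti service") so the diagram matches the prose and the hosting vocabulary stays with the ingress node J. The re-pointed click targets (#ziti-router-as-cluster-service-proxy, #ziti-tunnel-as-transparent-proxy-sidecar, #ziti-tunnel-as-loopback-proxy-sidecar, #ziti-router-as-reverse-proxy, #nginx-proxy-module, #ziti-host-as-reverse-proxy-pod) all correspond to the headings introduced in the second hunk, so the in-page navigation is consistent.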
Expand All @@ -38,34 +39,38 @@ In the chart above, there are several strategies and solutions for connecting a

An OpenZiti Tunneler can be used to intercept pod egress. One important thing to know is that the OpenZiti Tunneler that is used in this way may also be used to "host" OpenZiti Services in order to provide ingress to cluster services.

#### [Node Proxy Daemonset](./kubernetes-daemonset.md)
<!-- #### [Node Proxy Daemonset](./kubernetes-daemonset.md)
Deploying a daemonset of privileged `ziti-edge-tunnel run` pods on selected nodes is a simple way to enable OpenZiti services in a cluster. The daemonset pods intercept egress from pods and provide a DNS nameserver for CoreDNS. Like any other OpenZiti Tunneler, the OpenZiti Identity used by the daemonset may be configured to host OpenZiti Services, i.e. provide OpenZiti ingress to cluster services. For more information, see the [node proxy](./kubernetes-daemonset.md) page.
Deploying a daemonset of privileged `ziti-edge-tunnel run` pods on selected nodes is a simple way to enable OpenZiti services in a cluster. The daemonset pods intercept egress from pods and provide a DNS nameserver for CoreDNS. Like any other OpenZiti Tunneler, the OpenZiti Identity used by the daemonset may be configured to host OpenZiti Services, i.e. provide OpenZiti ingress to cluster services. For more information, see the [node proxy](./kubernetes-daemonset.md) page. -->

#### [Transparent Proxy Sidecar](./kubernetes-sidecar.md)
#### [ziti-tunnel as Transparent Proxy Sidecar](./kubernetes-sidecar.md)

You can deploy a transparent proxy sidecar to intercept pod egress. The sidecar provides a DNS nameserver that is used by the workload application to resolve OpenZiti Service addresses. The sidecar container runs `ziti tunnel tproxy` to create IPTables TPROXY rules in the pod. For more information, see the [transparent proxy sidecar](./kubernetes-sidecar.md) quickstart.

#### [Loopback Proxy Sidecar](./kubernetes-sidecar.md)
#### [ziti-tunnel as Loopback Proxy Sidecar](./kubernetes-sidecar.md)

You can deploy a loopback proxy sidecar for pod egress to OpenZiti Services. The sidecar binds OpenZiti Services to a local port on the pod's loopback interface, e.g., 127.0.0.1:8443. The workload application must be configured to connect to the local port. This mode of operation has a few differences in comparison to the [transparent proxy sidecar](./kubernetes-sidecar.md) quickstart.

1. The sidecar container runs `ziti tunnel proxy` instead of `ziti tunnel tproxy`.
2. The sidecar container does not need the CAP_NET_ADMIN capability.
3. The sidecar container does not need a `dnsPolicy` or explicit nameserver.

#### [ziti-router as Cluster Service Proxy](/guides/kubernetes/hosting/kubernetes-router.mdx)

The OpenZiti Router can be deployed to provide a cluster-wide proxy for OpenZiti Services, optionally exposing the Ziti Services' proxy ports with an Ingress or LoadBalancer. This is accomplished by first creating the router with tunnel mode enabled, then deploying the router Helm chart with input values specifying each Ziti Service for which the router's tunnel identity is authorized by a Dial Service Policy. For more information, see the [OpenZiti Router](/guides/kubernetes/hosting/kubernetes-router.mdx) page.

### Ingress to Cluster Services

Any OpenZiti Tunneler can be used to "host" an OpenZiti Service. This hosting begins a few moments after an OpenZiti Service becomes authorized for the OpenZiti Identity in use by the SDK. This section is about different ways to deploy an OpenZiti Tunneler to provide ingress to cluster services.

#### [OpenZiti Router](/guides/kubernetes/hosting/kubernetes-router.mdx)
#### [ziti-router as Reverse Proxy](/guides/kubernetes/hosting/kubernetes-router.mdx)

The OpenZiti Router's built-in tunneler can provide ingress to cluster services. This is done by creating the router with tunneler mode enabled, and then installing the OpenZiti Router with Helm with the tunneler mode set to `host` (the default). For more information, see the [OpenZiti Router](/guides/kubernetes/hosting/kubernetes-router.mdx) page.
The OpenZiti Router's built-in tunneler can provide ingress to cluster services by acting as a reverse proxy for traffic arriving at the router via Ziti and then flowing out to a normal cluster service. This is accomplished by creating the router with tunneler mode enabled, and then installing the OpenZiti Router Helm chart with the tunneler mode set to `host` (the default). Each "hosted" Ziti service must have a Ziti hosting configuration that specifies the server address that is reachable by the router pod, e.g., the cluster service's domain name. For more information, see the [OpenZiti Router](/guides/kubernetes/hosting/kubernetes-router.mdx) page.

#### [Nginx Proxy Module](/guides/securing-apis/aks-api-with-nginx-ziti-module.md)

The OpenZiti Nginx Proxy Module can be used to provide ingress to cluster services. The module binds OpenZiti Services to an Nginx stream context and forward requests to the configured upstreams. Unlike the rest of these solutions, the Nginx module is not a full tunneler. The main difference for writing OpenZiti configurations for the module is that it will honor the upstreams that are set in the Nginx configuration, ignoring the `host.v1` addresses set in the OpenZiti config. For more information, see the [OpenZiti Nginx Proxy Module](/guides/securing-apis/aks-api-with-nginx-ziti-module.md) guide.

#### [ziti-host Reverse Proxy Pod](./kubernetes-host.mdx)
#### [ziti-host as Reverse Proxy Pod](./kubernetes-host.mdx)

The `ziti-host` Helm chart deploys a headless service and can be used to provide ingress cluster services. The pod runs `ziti-edge-tunnel run-host` to bind OpenZiti Services and forwards requests arriving via OpenZiti to their configured host addresses inside the cluster. For more information, see the [ziti-host](./kubernetes-host.mdx) page.

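Review bot: the Node Proxy Daemonset section is wrapped in an HTML comment rather than deleted, so the source still carries a stale section, a link to ./kubernetes-daemonset.md that the diagram no longer references, and guidance about privileged `ziti-edge-tunnel run` pods that the commit message says the page should stop giving; if the daemonset strategy is retired, remove the block (history keeps it), and if it is only paused, add a one-line comment saying why so the next editor knows. Two smaller points in the same hunk: the new cluster proxy paragraph says "tunnel mode enabled" while the reverse proxy paragraph says "tunneler mode enabled", and only the latter names the Helm value ("set to `host` (the default)"); the proxy section should use the same term and name the tunneler mode value it requires so a reader can tell the two router deployments apart. The unchanged context lines nearby could take a drive-by fix while this file is open: "forward requests to the configured upstreams" should be "forwards requests", and "provide ingress cluster services" is missing "to".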