UNCLASSIFIED - NO CUI


Use Elastic IPs w/ Secondary IP for Keycloak on a single EC2 instance

Merged Danny Gershman requested to merge k3d-elastic-ips-and-secondary into master
All threads resolved!

General MR

Summary

This introduces a new option, -a, for provisioning a secondary public IP to make it much easier to use both a Public and a Passthrough Istio Gateway on a single EC2 instance without having to spin up two instances or use MetalLB. When this feature is used, a public IPv4 address will not be auto-assigned; instead, two Elastic IPs will be attached.

I submitted a request to AWS to get the limit of 20 EIPs bumped to 100 EIPs (which was approved). This should be more than sufficient given that there are usually not more than 5-10 dev instances up at a time, and likely many people will not use/need this all the time.

Any unattached Elastic IPs will be cleaned up on the next run. I thought about doing this as a shutdown script; however, that would require an IAM Instance Profile, which is possible, but I'm not sure we want to do that.

Relevant logs/screenshots

N/A

Edited by Danny Gershman
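The -a flow described in the summary, written out as an added example; this is not the k3d-dev.sh script from this MR. It adds a secondary private IP to the instance's primary ENI, allocates two Elastic IPs, associates one with each private IP, and releases only the unattached EIPs that carry this developer's tag. The function names, the Owner/Name tags, the K3D_INSTANCE_ID variable and the assumption that the instance was launched with --no-associate-public-ip-address are mine; the aws subcommands and flags are standard AWS CLI v2.

```shell
#!/bin/sh
# Added example for the -a flow; this is not the k3d-dev.sh script from the MR.
# It adds a secondary private IP to the instance's primary ENI, allocates two
# Elastic IPs, associates one with each private IP, and releases only the
# unattached EIPs that carry this developer's Owner tag. Function names, the
# Owner/Name tags and K3D_INSTANCE_ID are assumptions; the aws subcommands and
# flags are standard AWS CLI v2. Needs AWS_REGION (or a profile) to be set.
set -eu

OWNER="${OWNER:-${USER:-dev}}"   # assumed tag value: who owns these EIPs

# Allocate one VPC Elastic IP tagged with the owner and a role ("primary" or
# "secondary"); prints the allocation id.
allocate_eip() {
  aws ec2 allocate-address --domain vpc \
    --tag-specifications "ResourceType=elastic-ip,Tags=[{Key=Owner,Value=$OWNER},{Key=Name,Value=k3d-$OWNER-$1}]" \
    --query AllocationId --output text
}

# Primary ENI id and primary private IPv4 address of an instance.
primary_eni() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].NetworkInterfaces[0].NetworkInterfaceId' --output text
}
primary_private_ip() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text
}

# Add one secondary private IPv4 address to the ENI; prints the new address.
add_secondary_private_ip() {
  aws ec2 assign-private-ip-addresses --network-interface-id "$1" \
    --secondary-private-ip-address-count 1 \
    --query 'AssignedPrivateIpAddresses[0].PrivateIpAddress' --output text
}

# Bind an EIP to one specific private IP on the ENI. Doing this once per
# private IP is what gives a single instance two public addresses.
associate_eip() {
  aws ec2 associate-address --allocation-id "$1" --network-interface-id "$2" \
    --private-ip-address "$3" --query AssociationId --output text >/dev/null
}

public_ip_of() {
  aws ec2 describe-addresses --allocation-ids "$1" \
    --query 'Addresses[0].PublicIp' --output text
}

# The -a layout for an instance launched with --no-associate-public-ip-address.
# Prints "<public IP on primary> <public IP on secondary>".
provision_two_public_ips() {
  local instance="$1" eni primary secondary eip_primary eip_secondary
  eni=$(primary_eni "$instance")
  primary=$(primary_private_ip "$instance")
  secondary=$(add_secondary_private_ip "$eni")
  eip_primary=$(allocate_eip primary)
  eip_secondary=$(allocate_eip secondary)
  associate_eip "$eip_primary" "$eni" "$primary"
  associate_eip "$eip_secondary" "$eni" "$secondary"
  echo "$(public_ip_of "$eip_primary") $(public_ip_of "$eip_secondary")"
}

# "Clean up unattached EIPs on the next run", scoped to this owner's tag so a
# run never releases an address another developer allocated but has not yet
# associated. Prints one "released <allocation id>" line per EIP.
release_unattached_eips() {
  local id
  for id in $(aws ec2 describe-addresses \
      --filters "Name=tag:Owner,Values=$OWNER" \
      --query 'Addresses[?AssociationId==`null`].AllocationId' --output text); do
    case "$id" in None|'') continue ;; esac   # text output for an empty result
    aws ec2 release-address --allocation-id "$id"
    echo "released $id"
  done
}

# Stand-alone use: K3D_INSTANCE_ID=i-0123456789abcdef0 sh this_script.sh
if [ -n "${K3D_INSTANCE_ID:-}" ]; then
  release_unattached_eips
  provision_two_public_ips "$K3D_INSTANCE_ID"
fi
```

The tag scoping is the part worth keeping in a shared dev account: a plain "release every unattached EIP" would also release an address another developer had allocated but not yet associated. Every allocation here still counts against the per-region EIP quota the summary mentions, so a failed run that exits between allocate and associate leaves two addresses to be reclaimed by the next run's cleanup.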

Merge request reports

Approved by

Merged by Ryan Garcia (Apr 27, 2023 10:01pm UTC)

Merge details

  • Changes merged into master with de5102f4 (commits were squashed).
  • Deleted the source branch.

Activity

    • Resolved by Ryan Garcia

      Just wanting to add some clarification: this new step is just a different way than MetalLB, which also allows a Public and a Passthrough Istio Gateway to work simultaneously using 1 cluster.

      Also think we should rename the yaml file because of this as well but not exactly sure to what.

  • Danny Gershman added 1 commit

  • Danny Gershman added 1 commit

    • 442645e4 - update documentation for clarity

  • Ryan Garcia added 1 commit

    • 3fd3000b - Renaming new multi-ip dev deployment strategy

  • Ryan Garcia resolved all threads

  • Ryan Garcia approved this merge request

  • Danny Gershman mentioned in merge request !2646 (merged)

  • Danny Gershman added 21 commits

    • 3fd3000b...e7a20588 - 8 commits from branch master
    • 3f8ab867 - script working for passthrough and public on the same ec2 instance
    • bb9e82cb - optionally create secondary ip
    • 9681759e - fixing unix epoch calculation
    • 100be4bd - fix help condition
    • 396c2bc6 - some echo tweaks
    • 55c0d504 - adding feature to deallocate all EIPs for a given user
    • df13faea - fixing some bugs fod
    • 8ba966cf - more fixes for k3d cmd
    • c1017446 - still use the auto assigned IP if not using secondary IP
    • b7016bce - clean up unused elastic ips on each run
    • 44636173 - adding instructions for keycloak
    • 8303c248 - adding spacing back
    • 82c0a06e - adding another space

  • Danny Gershman added 9 commits

  • Danny Gershman added 1 commit

    • aa93e8e4 - a few fixes to integrate better with k3d recreation

  • Danny Gershman added 1 commit

  • Danny Gershman added 13 commits

    • d572d384...a8a7aa6f - 10 commits from branch master
    • 3ce0422a - script working for passthrough and public on the same ec2 instance
    • 2a5b8551 - a few fixes to integrate better with k3d recreation
    • 6703a8f9 - fixing some typos

  • Danny Gershman added 5 commits

    • 6703a8f9...d2331d14 - 2 commits from branch master
    • 3e848084 - script working for passthrough and public on the same ec2 instance
    • 31e3191b - a few fixes to integrate better with k3d recreation
    • 0ea15ccf - fixing some typos

  • Ryan Garcia added 1 commit

    • e07a8c52 - Renaming multi public IP dev values file

  • Ryan Garcia approved this merge request

  • Danny Gershman added 6 commits

    • e07a8c52...6f6178ab - 2 commits from branch master
    • 07a124e9 - script working for passthrough and public on the same ec2 instance
    • 70d8b00b - a few fixes to integrate better with k3d recreation
    • b05c429b - fixing some typos
    • 8f290593 - Renaming multi public IP dev values file

  • Danny Gershman added 13 commits

    • 8f290593...35416fc9 - 9 commits from branch master
    • 0cf61515 - script working for passthrough and public on the same ec2 instance
    • ce3d62a5 - a few fixes to integrate better with k3d recreation
    • 837581f1 - fixing some typos
    • 7708246f - Renaming multi public IP dev values file

    • Resolved by Ryan Garcia

      I have been testing. None of the existing functionality is broken as far as I can tell. But so far I have not been successful testing end-to-end SSO using -a with EIPs. Gitlab SSO is a special case where the webservice pod needs to reach keycloak.bigbang.dev before it will allow auth with SSO. The script currently handles modifying the coredns configmap in the case of MetalLB at line 606:

      if [[ "$METAL_LB" == true ]]; then
        run <<- 'ENDSSH'
        # run this command on remote
        # fix /etc/hosts for new cluster
        sudo sed -i '/bigbang.dev/d' /etc/hosts
        sudo bash -c "echo '## begin bigbang.dev section' >> /etc/hosts"
        sudo bash -c "echo 172.20.1.240 keycloak.bigbang.dev vault.bigbang.dev >> /etc/hosts"
        sudo bash -c "echo 172.20.1.241 anchore-api.bigbang.dev anchore.bigbang.dev argocd.bigbang.dev gitlab.bigbang.dev registry.bigbang.dev tracing.bigbang.dev kiali.bigbang.dev kibana.bigbang.dev chat.bigbang.dev minio.bigbang.dev minio-api.bigbang.dev alertmanager.bigbang.dev grafana.bigbang.dev prometheus.bigbang.dev nexus.bigbang.dev sonarqube.bigbang.dev tempo.bigbang.dev twistlock.bigbang.dev >> /etc/hosts"
        sudo bash -c "echo '## end bigbang.dev section' >> /etc/hosts"
        # run kubectl to add keycloak and vault's hostname/IP to the configmap for coredns, restart coredns
        kubectl get configmap -n kube-system coredns -o yaml | sed '/^    172.20.0.1 host.k3d.internal$/a\ \ \ \ 172.20.1.240 keycloak.bigbang.dev vault.bigbang.dev' | kubectl apply -f -
        kubectl delete pod -n kube-system -l k8s-app=kube-dns
        ENDSSH
      fi

      But even if I handle that manually, the Gitlab SSO still does not work. The Gitlab webservice pod still can't reach Keycloak:

      [git@gitlab-webservice-default-5d8888fbc6-vdtrl /]$ curl -v https://keycloak.bigbang.dev
      * Rebuilt URL to: https://keycloak.bigbang.dev/
      *   Trying 3.32.69.232...
      * TCP_NODELAY set
      * Connected to keycloak.bigbang.dev (3.32.69.232) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
        CApath: none
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to keycloak.bigbang.dev:443 
      * Closing connection 0
      curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to keycloak.bigbang.dev:443 

      Have not yet been able to figure out why. Maybe Ryan has an idea.

      Edited by kevin.wilder
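An idempotent form of the /etc/hosts and CoreDNS edit quoted in the comment above, as an added example rather than code from this MR or from k3d-dev.sh. It reads hosts-format text, removes every existing bigbang.dev line (including an older marker section), and appends a fresh section, so re-running it after a k3d recreation never leaves duplicate or stale entries; the same function is applied to /etc/hosts on the node and to the NodeHosts key of the kube-system/coredns ConfigMap. The function names, the APPLY_BIGBANG_HOSTS switch, the jq dependency used to JSON-encode the patch, and the default gateway IPs are assumptions of the example.

```shell
#!/bin/sh
# Added example: an idempotent form of the /etc/hosts + CoreDNS NodeHosts edit
# quoted in the comment above. Not code from this MR or from k3d-dev.sh.
# It drops every existing bigbang.dev line (including an older marker section)
# and appends a fresh section, so re-running it after a k3d recreation never
# leaves duplicate or stale entries. Function names, the APPLY_BIGBANG_HOSTS
# switch, the jq dependency and the default gateway IPs are assumptions.
set -eu

# Hosts that go to the public gateway (everything except keycloak and vault).
BIGBANG_PUBLIC_APPS="anchore-api anchore argocd gitlab registry tracing kiali kibana chat minio minio-api alertmanager grafana prometheus nexus sonarqube tempo twistlock"

# Print the marker-delimited section.
#   $1 = passthrough gateway IP (keycloak, vault)   $2 = public gateway IP
bigbang_hosts_section() {
  local app names=""
  for app in $BIGBANG_PUBLIC_APPS; do names="$names $app.bigbang.dev"; done
  printf '## begin bigbang.dev section\n'
  printf '%s keycloak.bigbang.dev vault.bigbang.dev\n' "$1"
  printf '%s%s\n' "$2" "$names"
  printf '## end bigbang.dev section\n'
}

# stdin: hosts-format text. stdout: the same text with every bigbang.dev line
# removed and a fresh section appended. Applying it to its own output is a no-op.
upsert_bigbang_hosts() {
  awk '!/bigbang\.dev/'
  bigbang_hosts_section "$1" "$2"
}

# Node side: rewrite /etc/hosts in one step instead of sed -i plus four appends.
apply_to_etc_hosts() {
  local tmp
  tmp=$(mktemp)
  upsert_bigbang_hosts "$1" "$2" </etc/hosts >"$tmp"
  sudo install -m 0644 "$tmp" /etc/hosts
  rm -f "$tmp"
}

# Cluster side: rewrite only the NodeHosts key of kube-system/coredns (the
# block the quoted sed appends to), then restart CoreDNS so it re-reads it.
apply_to_coredns() {
  local tmp
  tmp=$(mktemp)
  kubectl -n kube-system get configmap coredns -o jsonpath='{.data.NodeHosts}' \
    | upsert_bigbang_hosts "$1" "$2" >"$tmp"
  kubectl -n kube-system patch configmap coredns --type merge \
    -p "$(jq -n --rawfile hosts "$tmp" '{data: {NodeHosts: $hosts}}')"
  rm -f "$tmp"
  kubectl -n kube-system rollout restart deployment coredns
}

# Stand-alone use on the EC2 node:
#   APPLY_BIGBANG_HOSTS=yes PASSTHROUGH_IP=172.20.1.240 PUBLIC_IP=172.20.1.241 sh this_script.sh
if [ "${APPLY_BIGBANG_HOSTS:-}" = yes ]; then
  apply_to_etc_hosts "${PASSTHROUGH_IP:-172.20.1.240}" "${PUBLIC_IP:-172.20.1.241}"
  apply_to_coredns "${PASSTHROUGH_IP:-172.20.1.240}" "${PUBLIC_IP:-172.20.1.241}"
fi
```

The quoted script's `sed '/^    172.20.0.1 host.k3d.internal$/a ...'` appends a new keycloak line every time it runs, while the /etc/hosts branch first deletes the old lines; the example gives both targets the delete-then-append behaviour. The MR's script deletes the CoreDNS pods to pick up the ConfigMap change; `rollout restart` does the same through the Deployment.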
  • Ryan Garcia added statusdoing label and removed statusreview label

  • Danny Gershman added 20 commits

    • 7708246f...a61bf67a - 16 commits from branch master
    • 96c713cc - script working for passthrough and public on the same ec2 instance
    • ac3531a6 - a few fixes to integrate better with k3d recreation
    • 5744b553 - fixing some typos
    • 68d3e7fd - Renaming multi public IP dev values file

  • Danny Gershman added 8 commits

    • 68d3e7fd...413f3810 - 4 commits from branch master
    • 86f7e146 - script working for passthrough and public on the same ec2 instance
    • 3c37efdb - a few fixes to integrate better with k3d recreation
    • 4ffbc959 - fixing some typos
    • 2c7bd2c1 - Renaming multi public IP dev values file

  • Danny Gershman added 6 commits

    • 2c7bd2c1...5ad62043 - 2 commits from branch master
    • c9774e88 - script working for passthrough and public on the same ec2 instance
    • 19b8dad1 - a few fixes to integrate better with k3d recreation
    • 5864f92d - fixing some typos
    • dce7d066 - Renaming multi public IP dev values file

  • Danny Gershman added 11 commits

    • dce7d066...2d69e6f2 - 7 commits from branch master
    • 58fc1a03 - script working for passthrough and public on the same ec2 instance
    • 3fd5e62a - a few fixes to integrate better with k3d recreation
    • c5275442 - fixing some typos
    • f59d16e5 - Renaming multi public IP dev values file

  • Danny Gershman added 1 commit

    • 045c0836 - Fix: DNS related issues with -a flag.

  • Danny Gershman added 19 commits

    • 045c0836...e4f15733 - 14 commits from branch master
    • cc138134 - script working for passthrough and public on the same ec2 instance
    • 3a9c78c2 - a few fixes to integrate better with k3d recreation
    • 1e75549d - fixing some typos
    • 4e5fc67a - Renaming multi public IP dev values file
    • ecba168e - Fix: DNS related issues with -a flag.

  • Danny Gershman added statusreview label and removed statusdoing label

  • As an aside, in a separate test, I was able to get the two NIC approach working without using KlipperLB and instead with MetalLB. It doesn't require the use of sshuttle or any other SOCKS proxy.

    Edited by Danny Gershman
    • Resolved by Ryan Garcia

      Documenting here as well as our mattermost chat, I found if you specify -a -m for the script the -a disables metalLB installation, but then -m follows which re-enables it. Will need to make sure that logic captures both scenarios

      Edited by Ryan Garcia
  • Danny Gershman added 17 commits

    • ecba168e...d826139a - 12 commits from branch master
    • e1f00364 - script working for passthrough and public on the same ec2 instance
    • fc2fc976 - a few fixes to integrate better with k3d recreation
    • b9f12679 - fixing some typos
    • 2fa42458 - Renaming multi public IP dev values file
    • b080cd72 - Fix: DNS related issues with -a flag.

  • Danny Gershman added 1 commit

    • e021f7b0 - fix an issue where -m and/or -p could be specified with -a

  • Danny Gershman added 1 commit

    • 1acccbc5 - changes to use MetalLB with -a and no longer require special service port mapping

  • Danny Gershman added 9 commits

    • 1acccbc5...d559e534 - 2 commits from branch master
    • 9e699aeb - script working for passthrough and public on the same ec2 instance
    • e24a7cc0 - a few fixes to integrate better with k3d recreation
    • 8c059210 - fixing some typos
    • 858dc749 - Renaming multi public IP dev values file
    • ab2f1efb - Fix: DNS related issues with -a flag.
    • ef0b8874 - fix an issue where -m and/or -p could be specified with -a
    • 6f55379c - changes to use MetalLB with -a and no longer require special service port mapping

  • Danny Gershman added 1 commit

    • a0c7f781 - fixing an issue where the secondary IP was incorrectly being returned for -m...

  • Danny Gershman added 16 commits

    • a0c7f781...2b474340 - 8 commits from branch master
    • 800f2247 - script working for passthrough and public on the same ec2 instance
    • 97cd1cea - a few fixes to integrate better with k3d recreation
    • 7ecaa3f7 - fixing some typos
    • bdee55fe - Renaming multi public IP dev values file
    • 1b42f634 - Fix: DNS related issues with -a flag.
    • 3fa9adaf - fix an issue where -m and/or -p could be specified with -a
    • 7a6e5631 - changes to use MetalLB with -a and no longer require special service port mapping
    • 7b6ec7f1 - fixing an issue where the secondary IP was incorrectly being returned for -m...

  • Ryan Garcia added 10 commits

    • 9e699aeb - script working for passthrough and public on the same ec2 instance
    • e24a7cc0 - a few fixes to integrate better with k3d recreation
    • 8c059210 - fixing some typos
    • 858dc749 - Renaming multi public IP dev values file
    • ab2f1efb - Fix: DNS related issues with -a flag.
    • ef0b8874 - fix an issue where -m and/or -p could be specified with -a
    • 6f55379c - changes to use MetalLB with -a and no longer require special service port mapping
    • a0c7f781 - fixing an issue where the secondary IP was incorrectly being returned for -m...
    • 844da572 - Merge branch 'k3d-elastic-ips-and-secondary' of...
    • a1881d40 - Schema doesn't like comments, don't really require them either

    • Resolved by Danny Gershman

      With -a EIPs is there any way to control who can access the applications? For context, the other options use security group inbound filter that only allows your workstation IP. With -a I can delete the security group rule for my instance and I can still access the applications. This is something to be aware of. Maybe not a big deal for dev? Thoughts?

      Edited by kevin.wilder
  • Danny Gershman added 14 commits

    • a1881d40...f7801597 - 6 commits from branch master
    • c8b624d5 - script working for passthrough and public on the same ec2 instance
    • 25851c3f - a few fixes to integrate better with k3d recreation
    • db5878de - fixing some typos
    • 37b4ff18 - Renaming multi public IP dev values file
    • de677748 - Fix: DNS related issues with -a flag.
    • 59d2df85 - fix an issue where -m and/or -p could be specified with -a
    • 62380278 - changes to use MetalLB with -a and no longer require special service port mapping
    • 81e3c11a - fixing an issue where the secondary IP was incorrectly being returned for -m...

  • Lynn Still removed review request for @LynnStill

  • bigbang bot requested review from @LynnStill

  • Danny Gershman added 10 commits

    • 81e3c11a...3d1dcfb9 - 2 commits from branch master
    • ffa5a7d5 - script working for passthrough and public on the same ec2 instance
    • b60e2d7a - a few fixes to integrate better with k3d recreation
    • 6f93a643 - fixing some typos
    • 772d0486 - Renaming multi public IP dev values file
    • d01b2368 - Fix: DNS related issues with -a flag.
    • 147dc8c3 - fix an issue where -m and/or -p could be specified with -a
    • 282c89b7 - changes to use MetalLB with -a and no longer require special service port mapping
    • a68c7a46 - fixing an issue where the secondary IP was incorrectly being returned for -m...

  • Ryan Garcia resolved all threads

  • Ryan Garcia approved this merge request

  • merged

  • Ryan Garcia mentioned in commit de5102f4