Update tutorial for inlets-tcp-server chart

- Use updated service names - Add a section to show how to deploy multiple tunnel servers. Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
inlets · Nov 18, 2022 · 9a67c2e · 9a67c2e
1 parent c577abc
commit 9a67c2e
Showing 1 changed file with 126 additions and 20 deletions.
diff --git a/chart/inlets-tcp-server/README.md b/chart/inlets-tcp-server/README.md
@@ -32,9 +32,19 @@ $ helm repo add inlets-pro https://inlets.github.io/inlets-pro/charts/
 $ helm repo update
 ```
 
-* Install cert-manager - (`arkade install cert-manager`)
-* Install ingress-nginx - (`arkade install ingress-nginx`)
-* Install helm with `arkade get helm`
+#### Install nginx-ingress
+
+```bash
+$ arkade install nginx-ingress
+```
+
+#### Install cert-manager
+
+[cert-manager](https://cert-manager.io/), can obtain TLS certificates from LetsEncrypt through NginxIngress.
+
+```bash
+$ arkade install cert-manager
+```
 
 It is assumed that you installed `kubectl` when you created your Kubernetes cluster, otherwise run `arkade get kubectl`.
 
@@ -74,38 +84,42 @@ kubectl apply -f issuer-prod.yaml
 
 > Note: if you plan to run many tunnels, each with their own certificate, then you may wish to configure the cert-manager Issuer to use a DNS01 challenge. See also: [Configuring DNS01 Challenge Provider ](https://cert-manager.io/docs/configuration/acme/dns01/)
 
-### Generate a token for your inlets-pro server
+### Generate a token for your prometheus inlets-pro server
 
 ```bash
 # Generate a random password
 export TOKEN=$(head -c 16 /dev/random | shasum|cut -d" " -f1)
 
 # Save a copy for later
-echo $TOKEN > token.txt
+echo $TOKEN > prometheus-token.txt
 
 # Create a secret in the cluster for the tunnel server
-kubectl create secret generic inlets-pro-secret \
+kubectl create secret generic prometheus-tunnel-token \
   --from-literal token=$TOKEN
 ```
 
 ### Install the inlets-pro TCP server chart
 
-The chart will deploy two Kubernetes services, an Ingress record and a Deployment to run the inlets-pro server process.
-
-* `prometheus-tunnel-control-plane` - a service exposed by Ingress, for the websocket of inlets Pro (usually port 8123)
-* `prometheus-tunnel-data-plane` - a local service to access Prometheus from within the cluster (usually 9090)
-
 Edit `values.yaml`:
 
 Make any changes you need.
 
 ```bash
 export DOMAIN="prometheus.example.com"
+export TOKEN="prometheus-tunnel-token"
 
 helm upgrade --install prometheus-tunnel inlets-pro/inlets-tcp-server \
-  --set ingress.domain=$DOMAIN
+  --set ingress.domain=$DOMAIN \
+  --set tokenSecretName=$TOKEN
 ```
 
+> Note: replace the domain with a domain you own.
+
+The chart will deploy two Kubernetes services, an Ingress record and a Deployment to run the inlets-pro server process.
+
+* `prometheus-tunnel-control` - a service exposed by Ingress, for the websocket of inlets Pro (usually port 8123)
+* `prometheus-tunnel-data` - a local service to access Prometheus from within the cluster (usually 9090)
+
 ### Now connect your client on your computer.
 
 You can now connect Prometheus from wherever you have it running, whether that's in a container, on your system as a normal process, or within a Kubernetes cluster.
@@ -120,13 +134,19 @@ docker run --name prometheus \
 
 > Note: you can remove this container later with `docker rm -f prometheus`
 
+You will need the tunnel token to connect the inlets-pro client. If you saved a copy of the token you can used that. Otherwise it can be retrieved from the cluster:
+
+```bash
+kubectl get secret -n default prometheus-tunnel-token -o jsonpath="{.data.token}" | base64 --decode > prometheus-token.txt
+```
+
 Now connect your inlets-pro client:
 
 ```bash
 export DOMAIN="prometheus.example.com"
-export TOKEN=$(cat token.txt)
-inlets-pro client --url wss://$DOMAIN/connect \
-  --token $TOKEN \
+export TOKEN_FILE="./prometheus-token.txt"
+inlets-pro tcp client --url wss://$DOMAIN/connect \
+  --token-file $TOKEN_FILE \
   --license-file ~/LICENSE \
   --port 9090 \
   --auto-tls=false \
@@ -139,28 +159,114 @@ We use a value of `--upstream 127.0.0.1` since the Prometheus container was expo
 
 We haven't exposed the Prometheus service on the Internet for general consumption, so let's access it through its private ClusterIP which was deployed through the helm chart.
 
-Run an Alpine Linux container and install curl.
+Run a container with curl installed.
 
 ```bash
-kubectl run alpine -t -i --image alpine:3.12 /bin/sh
-apk add curl
+kubectl run -t -i curl --rm --image ghcr.io/openfaas/curl:latest /bin/sh 
 ```
 
 Now access the tunneled service via curl:
 
 ```bash
-curl prometheus-tunnel-inlets-pro-data-plane:9090
+curl prometheus-tunnel-data:9090
 ```
 
 You can also use `kubectl port-forward` to view the tunneled service:
 
 ```bash
 kubectl port-forward \
-  svc/prometheus-tunnel-inlets-pro-data-plane 9091:9090
+  svc/prometheus-tunnel-data 9091:9090 
 
 echo Open: http://127.0.0.1:9091
 ```
 
+### Install multiple tunnels
+To deploy multiple tunnel servers with the Helm chart some steps will need to be repeated for each tunnel:
+
+- Create a secret for the tunnel.
+- Create a `values.yaml` file with the helm parameter configuration.
+- Deploy the tunnel server using Helm.
+
+In this example we will setup a second tunnel for a PostgreSQL server running on a private network.
+
+Create a new secret for the PostgreSQL tunnel:
+
+```bash
+# Generate a random password
+export TOKEN=$(head -c 16 /dev/random | shasum|cut -d" " -f1)
+
+# Save a copy for later
+echo $TOKEN > postgres-token.txt
+
+# Create a secret in the cluster for the tunnel server
+kubectl create secret generic postgres-tunnel-token \
+  --from-literal token=$TOKEN
+```
+
+Create a values file `postgres-values.yaml` with the chart configuration parameters for the tunnel:
+
+```yaml
+export DOMAIN=postgres.example.com
+
+cat >> postgres-values.yaml <<EOF
+dataPlane:
+  type: ClusterIP
+  ports:
+  - targetPort: 5432
+    protocol: TCP
+    name: postgresql
+    port: 5432
+
+ingress:
+  domain: $DOMAIN
+
+tokenSecretName: postgres-tunnel-token
+EOF
+```
+
+Deploy the tunnel using the `postgres-values.yaml` file:
+
+```bash
+helm upgrade --install postgres-tunnel inlets-pro/inlets-tcp-server \
+  --values=postgres-values.yaml
+```
+
+Run a postgress container on you local system:
+
+```bash
+export PASSWORD="8cb3efe58df984d3ab89bcf4566b31b49b2b79b9"
+
+docker run --rm --name postgres \
+  -p 5432:5432 \
+  -e POSTGRES_PASSWORD=8cb3efe58df984d3ab89bcf4566b31b49b2b79b9 \
+  -ti postgres:latest
+```
+
+Connect the inlets-pro client:
+
+```bash
+export DOMAIN="postgres.example.com"
+export TOKEN=$(kubectl get secret -n default postgres-tunnel-token -o jsonpath="{.data.token}" | base64 --decode)
+
+inlets-pro tcp client --url wss://$DOMAIN/connect \
+  --token $TOKEN \
+  --license-file ~/LICENSE \
+  --port 5432 \
+  --auto-tls=false \
+  --upstream 127.0.0.1
+```
+
+Connect to postgress from within the cluster:
+
+```bash
+kubectl run -i -t psql \
+  --env PGPORT=5432 \
+  --env PGPASSWORD=${PASSWORD} --rm \
+  --image postgres:latest -- psql -U postgres -h postgres-tunnel-data
+```
+
+Try a command such as `CREATE database websites (url TEXT)`, `\dt` or `\l`.
+
 ## Other configuration
 
 See values.yaml for additional settings.