Expose the MSR Cache
To provide external access to your MSR cache you must expose the cache Pods.
Important
Expose your MSR cache through only one external interface.
To ensure TLS certificate validity, you must expose the cache through the same interface for which you previously created a certificate.
Kubernetes supports several methods for exposing a service, depending on your infrastructure and your environment. Details are provided below for the NodePort method and the Ingress Controllers method.
NodePort method
Add a worker node FQDN to the TLS certificate at the start, and access the MSR cache through an exposed port on that worker node FQDN. Create the NodePort service for the cache:
    cat > dtrcacheservice.yaml <<EOF
    apiVersion: v1
    kind: Service
    metadata:
      name: dtr-cache
      namespace: dtr
    spec:
      type: NodePort
      ports:
      - name: https
        port: 443
        targetPort: 443
        protocol: TCP
      selector:
        app: dtr-cache
    EOF
    kubectl create -f dtrcacheservice.yaml

Run the following command to determine the port on which you have exposed the MSR cache:

    kubectl -n dtr get services

Test the external reachability of your MSR cache. To do this, use curl to hit the API endpoint, using both the external address of a worker node and the NodePort:

    curl -X GET https://<workernodefqdn>:<nodeport>/v2/_catalog
    {"repositories":[]}

Ingress Controllers method
In the ingress controller exposure scheme, you expose the MSR cache through an ingress object.
Create a DNS rule in your environment to resolve an MSR cache external FQDN address to the address of your ingress controller. In addition, specify the same MSR cache external FQDN in the MSR cache certificate at the start. Then create the Ingress object:
    cat > dtrcacheingress.yaml <<EOF
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: dtr-cache
      namespace: dtr
      annotations:
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/secure-backends: "true"
    spec:
      tls:
      - hosts:
        - <external-msr-cache-fqdn> # Replace this value with your external MSR Cache address
      rules:
      - host: <external-msr-cache-fqdn> # Replace this value with your external MSR Cache address
        http:
          paths:
          - pathType: Prefix
            path: "/cache"
            backend:
              service:
                name: dtr-cache
                port:
                  number: 443
    EOF
    kubectl create -f dtrcacheingress.yaml

Test the external reachability of your MSR cache. To do this, use curl to hit the API endpoint. The address should be the one you have previously defined in the service definition file.

    curl -X GET https://<external-msr-cache-fqdn>/v2/_catalog
    {"repositories":[]}

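The Important note and both exposure methods above depend on the cache certificate naming the exact address that clients use. The following shell functions are an added example, not part of the MSR documentation: they check which candidate addresses a certificate covers. They assume the openssl CLI (1.1.1 or later) is installed; the function names and the example.com hostnames are hypothetical.

```shell
# Added example: confirm the cache certificate covers the exposure address.

# cert_covers_host CERT_PEM NAME: succeed only if the certificate is valid for NAME.
# openssl prints "does match" or "does NOT match"; its exit status is 0 either way,
# so the decision is taken from the printed result.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# fetch_served_cert HOST PORT OUT_PEM: save the leaf certificate the endpoint presents.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null
}

# covered_names CERT_PEM NAME...: print each candidate address the certificate covers.
# With a single exposure interface, exactly one line of output is expected.
covered_names() {
    _cert="$1"
    shift
    for _name in "$@"; do
        if cert_covers_host "$_cert" "$_name"; then
            printf '%s\n' "$_name"
        fi
    done
}

# make_sample_cert OUT_PEM SAN_NAME: constructed self-signed certificate, used only
# to try the functions above offline. The throwaway private key is deleted.
make_sample_cert() {
    _key="$(mktemp)" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$_key" -out "$1" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
    _rc=$?
    rm -f "$_key"
    return "$_rc"
}
```

For a live endpoint, run `fetch_served_cert <workernodefqdn> <nodeport> served.pem` and pass `served.pem` to `covered_names` together with every address you might hand to clients.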
See also
The official Kubernetes documentation on Publishing services - service types.