Expose the MSR Cache

To provide external access to your MSR cache you must expose the cache Pods.

Important

  • Expose your MSR cache through only one external interface.

  • To ensure TLS certificate validity, you must expose the cache through the same interface for which you previously created a certificate.

Kubernetes supports several methods for exposing a service, depending on your infrastructure and your environment. The NodePort method and the Ingress Controllers method are detailed below.

NodePort method

  1. At the outset, add a worker node FQDN to the TLS certificate. You then access the MSR cache through an exposed port on that worker node FQDN.

    cat > dtrcacheservice.yaml <<EOF
    apiVersion: v1
    kind: Service
    metadata:
      name: dtr-cache
      namespace: dtr
    spec:
      type: NodePort
      ports:
      - name: https
        port: 443
        targetPort: 443
        protocol: TCP
      selector:
        app: dtr-cache
    EOF
    
    kubectl create -f dtrcacheservice.yaml
    
  2. Run the following command to determine the port on which you have exposed the MSR cache:

    kubectl -n dtr get services
    
  3. Test the external reachability of your MSR cache. To do this, use curl to hit the API endpoint, using both the external address of a worker node and the NodePort:

    curl -X GET https://<workernodefqdn>:<nodeport>/v2/_catalog
    {"repositories":[]}
    

Ingress Controllers method

In the ingress controller exposure scheme, you expose the MSR cache through an ingress object.

  1. Create a DNS rule in your environment that resolves the external FQDN of the MSR cache to the address of your ingress controller. In addition, at the outset, specify the same external FQDN in the MSR cache certificate.

    cat > dtrcacheingress.yaml <<EOF
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: dtr-cache
      namespace: dtr
      annotations:
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        nginx.ingress.kubernetes.io/secure-backends: "true"
    spec:
      tls:
      - hosts:
        - <external-msr-cache-fqdn> # Replace this value with your external MSR Cache address
      rules:
      - host: <external-msr-cache-fqdn> # Replace this value with your external MSR Cache address
        http:
          paths:
          - pathType: Prefix
            path: "/cache"
            backend:
              service:
                name: dtr-cache
                port:
                  number: 443
    EOF
    
    kubectl create -f dtrcacheingress.yaml
    
  2. Test the external reachability of your MSR cache. To do this, use curl to hit the API endpoint. The address should be the one you have previously defined in the service definition file.

    curl -X GET https://<external-msr-cache-fqdn>/v2/_catalog
    {"repositories":[]}
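
The Important note at the top of this page allows only one external interface for the cache. The following Python check is an added example, not part of the original page: it reads the JSON printed by kubectl -n dtr get services,ingress -o json and lists every external interface that reaches the cache Pods, so that you can confirm there is exactly one and compare it with the FQDN in the cache certificate. The sample input, its NodePort number, the host cache.example.com and the function name external_interfaces are constructed for illustration.

```python
import json

# Constructed sample of `kubectl -n dtr get services,ingress -o json` output,
# trimmed to the fields used here. Port numbers and host are made up.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Service", "metadata": {"name": "dtr-cache"},
   "spec": {"type": "NodePort", "selector": {"app": "dtr-cache"},
            "ports": [{"name": "https", "port": 443, "nodePort": 31443}]}},
  {"kind": "Service", "metadata": {"name": "other"},
   "spec": {"type": "NodePort", "selector": {"app": "other"},
            "ports": [{"port": 80, "nodePort": 30080}]}},
  {"kind": "Ingress", "metadata": {"name": "dtr-cache"},
   "spec": {"rules": [{"host": "cache.example.com", "http": {"paths": [
     {"path": "/cache", "backend": {"service": {"name": "dtr-cache"}}}]}}]}}
]}
""")

EXTERNAL_TYPES = {"NodePort", "LoadBalancer"}

def external_interfaces(items, cache_label=("app", "dtr-cache")):
    """Return one entry per externally reachable path to the cache Pods."""
    key, value = cache_label
    cache_services, found = set(), []
    for obj in items:
        if obj.get("kind") != "Service":
            continue
        spec = obj.get("spec", {})
        if (spec.get("selector") or {}).get(key) != value:
            continue  # this Service does not select the cache Pods
        name = obj["metadata"]["name"]
        cache_services.add(name)
        if spec.get("type", "ClusterIP") in EXTERNAL_TYPES:
            for port in spec.get("ports", []):
                found.append(f"{spec['type']} {name}:{port.get('nodePort')}")
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        ing = obj["metadata"]["name"]
        for rule in obj.get("spec", {}).get("rules", []):
            for path in (rule.get("http") or {}).get("paths", []):
                svc = path.get("backend", {}).get("service", {}).get("name")
                if svc in cache_services:  # Ingress routes to a cache Service
                    found.append(f"Ingress {ing} host {rule.get('host')}")
    return found

if __name__ == "__main__":
    exposures = external_interfaces(SAMPLE["items"])
    print("\n".join(exposures))
    print("OK" if len(exposures) == 1 else "REVIEW: more or fewer than one external interface")
```

The constructed sample applies both methods from this page at once, so the check reports two interfaces and asks for review.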
