dgraph-io · danielmai · Dec 23, 2021 · Jul 8, 2021 · Jul 8, 2021 · Jul 9, 2021
@@ -122,10 +122,14 @@ The following table lists the configurable parameters of the `dgraph` chart and
 | `alpha.service.loadBalancerIP`           | specify static IP address for LoadBalancer type                       | `""`                                                |
 | `alpha.service.externalTrafficPolicy`    | route external traffic to node-local or cluster-wide endpoints        | `""`                                                |
 | `alpha.service.loadBalancerSourceRanges` | restrict CIDR IP addresses for a LoadBalancer type                    | `[]`                                                |
-| `alpha.ingress.enabled`                  | Alpha Ingress resource enabled                                        | `false`                                             |
-| `alpha.ingress.hostname`                 | Alpha Ingress virtual hostname                                        | `nil`                                               |
-| `alpha.ingress.annotations`              | Alpha Ingress annotations                                             | `nil`                                               |
-| `alpha.ingress.tls`                      | Alpha Ingress TLS settings                                            | `nil`                                               |
+| `alpha.ingress.enabled`                  | Alpha ingress resource enabled                                        | `false`                                             |
+| `alpha.ingress.hostname`                 | Alpha ingress virtual hostname                                        | `nil`                                               |
+| `alpha.ingress.annotations`              | Alpha ingress annotations                                             | `nil`                                               |
+| `alpha.ingress.tls`                      | Alpha ingress TLS settings                                            | `nil`                                               |
+| `alpha.ingress_grpc.enabled`             | Alpha ingress-grpc resource enabled                                   | `false`                                             |
+| `alpha.ingress_grpc.hostname`            | Alpha ingress-grpc virtual hostname                                   | `nil`                                               |
+| `alpha.ingress_grpc.annotations`         | Alpha ingress-gcpc annotations                                        | `nil`                                               |
+| `alpha.ingress_grpc.tls`                 | Alpha ingress-grpc TLS settings                                       | `nil`                                               |
 | `alpha.securityContext.enabled`          | Security context for Alpha nodes enabled                              | `false`                                             |
 | `alpha.securityContext.fsGroup`          | Group id of the Alpha container                                       | `1001`                                              |
 | `alpha.securityContext.runAsUser`        | User ID for the Alpha container                                       | `1001`                                              |
@@ -218,14 +222,25 @@ The following table lists the configurable parameters of the `dgraph` chart and
 | `global.ingress.tls`                     | global ingress tls settings                                           | `{}`                                                |
 | `global.ingress.ratel_hostname`          | global ingress virtual host name for Ratel service                    | `""`                                                |
 | `global.ingress.alpha_hostname`          | global ingress virtual host name for Alpha service                    | `""`                                                |
+| `global.ingress_grpc.enabled`             | Enable global ingress-grpc resource (overrides Alpha ingress-grpc)   | `false`                                             |
+| `global.ingress_grpc.annotations`         | global ingress-grpc annotations                                      | `{}`                                                |
+| `global.ingress_grpc.tls`                 | global ingress-grpc tls settings                                     | `{}`                                                |
+| `global.ingress_grpc.alpha_grpc_hostname` | global ingress-grpc virtual host name for Alpha GRPC service         | `""`                                                |
+## Ingress resource
 
+You can define ingress resources through `alpha.ingress` for the Alpha HTTP(S) service and `ratel.ingress` for the ratel UI service, or you can use a combined single ingress with `global.ingress` for both Alpha HTTP(S) and ratel UI services.
 
-## Ingress resource
+There are some example chart values for ingress resource configuration in [example_values/ingress](https://github.com/dgraph-io/charts/tree/master/charts/dgraph/example_values/ingress).
+### Ingress resource with GRPC
 
-You can define ingress resources through `alpha.ingress` for the Alpha HTTP service and `ratel.ingress` for the ratel UI service, or you can use a combined single ingress with `global.ingress` for both Alpha HTTP and ratel UI services.
+The Dgraph Alpha GRPC can be exposed though an ingress configured with either `alpha.ingress_grpc` or `global.ingress_grpc` values.  For this solution to work, a few requirements must be met:
 
-There are some example chart values for ingress resource configuration in [example_values](https://github.com/dgraph-io/charts/tree/master/charts/dgraph/example_values).
+* if an external load balancer is used by the ingress controller, the load balancer should be Layer 4 TCP as the ingress-controller will handle both HTTPS and GRPC traffic.
+* The ingress resource must instruct the ingress controller to use GRPC, such as `nginx.ingress.kubernetes.io/backend-protocol: GRPC` with [ingress-nginx](https://kubernetes.github.io/ingress-nginx/).
+* The ingress controller can support both HTTPS and GRPC traffic, but must do TLS terminationation, so a secret with the appropriate certificates must be configured; this can be automated with the [cert-manager](https://cert-manager.io/) addon.
+* As the Dgraph Alpha service will be accessed through a FQDN name, it is recommended that DNS record updates are automated; this can be automated with the [external-dns](https://github.com/kubernetes-sigs/external-dns/) addon.
 
+There is an example chart values for ingress resource configuration in [example_values/ingress](https://github.com/dgraph-io/charts/tree/master/charts/dgraph/example_values/ingress).
 ## Zero and Alpha configuration
 
 Should you need additional configuration options you can add these either through environment variables or a configuration file, e.g. `config.yaml`. Instructions about this configuration can be found in `values.yaml`.

@@ -0,0 +1,43 @@
+# ingress-nginx with GRPC support
+# --------------------------------------
+# TLS will be terminated by the ingress controller.  The ingress controller
+# should be configured an Layer 4 external load balancer.
+# Two ingress resources will configured for GRPC support: GPRC and HTTPS.
+# References:
+# * https://github.com/kubernetes-sigs/external-dns/
+# * https://cert-manager.io/
+# * https://kubernetes.github.io/ingress-nginx/
+# * https://kubernetes.github.io/ingress-nginx/examples/grpc/
+# * https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/grpc
+global:
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: HTTP
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls:
+    # All hostnames must be listed for grpc + https ingress shared cert secret
+    - hosts:
+      - ratel.example.com
+      - alpha.example.com
+      - grpc.example.com
+      secretName: example-tls
+    ratel_hostname: ratel.example.com
+    alpha_hostname: alpha.example.com
+  ingress_grpc:
+    enabled: true
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: GRPC
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    tls:
+    # All hostnames must be listed for grpc + https ingress shared cert secret
+    - hosts:
+      - ratel.example.com
+      - alpha.example.com
+      - grpc.example.com
+      secretName: example-tls
+    alpha_grpc_hostname: grpc.example.com
@@ -1,4 +1,9 @@
 # ingress-nginx with certificate manager
+# --------------------------------------
+# TLS will be terminated by the ingress controller.  The ingress controller
+# should be configured an Layer 4 external load balancer.
+# References:
+# * https://github.com/kubernetes-sigs/external-dns/
 # * https://cert-manager.io/
 # * https://kubernetes.github.io/ingress-nginx/
 global:

@@ -1,5 +1,5 @@
 {{- if and (eq .Values.alpha.ingress.enabled true) (eq .Values.global.ingress.enabled false) -}}
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ template "dgraph.alpha.fullname" . }}-ingress
@@ -28,16 +28,66 @@ spec:
     - host: {{ .Values.alpha.ingress.hostname }}
       http:
         paths:
-          {{- if index $.Values.alpha.ingress "annotations" }}
-          {{- if eq (index $.Values.alpha.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
-          - path: /*
-          {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
-          - path: /
-          {{- end }}
-          {{- else}}{{/* Has no annotations */}}
-          - path: /
-          {{- end }}
-            backend:
-              serviceName: {{ template "dgraph.alpha.fullname" . }}
-              servicePort: 8080
+          - backend:
+              service:
+                name:  {{ template "dgraph.alpha.fullname" . }}
+                port:
+                  number: 8080
+            pathType: ImplementationSpecific
+            {{- if index $.Values.alpha.ingress "annotations" }}
+            {{- if eq (index $.Values.alpha.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
+            path: /*
+            {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
+            path: /
+            {{- end }}
+            {{- else}}{{/* Has no annotations */}}
+            path: /
+            {{- end }}
+{{- end }}
+{{- if and (eq .Values.alpha.ingress_grpc.enabled true) (eq .Values.global.ingress_grpc.enabled false) -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "dgraph.alpha.fullname" . }}-ingress-grpc
+  labels:
+    app: {{ template "dgraph.name" . }}
+    chart: {{ template "dgraph.chart" . }}
+    component: {{ .Values.alpha.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  {{- with .Values.alpha.ingress_grpc.annotations }}
+  annotations:
+    {{- toYaml . | trimSuffix "\n" | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.alpha.ingress_grpc.tls }}
+  tls:
+  {{- range .Values.alpha.ingress_grpc.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+    - host: {{ .Values.alpha.ingress_grpc.hostname }}
+      http:
+        paths:
+          - backend:
+              service:
+                name:  {{ template "dgraph.alpha.fullname" . }}
+                port:
+                  number: 9080
+            pathType: ImplementationSpecific
+            {{- if index $.Values.alpha.ingress_grpc "annotations" }}
+            {{- if eq (index $.Values.alpha.ingress_grpc.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
+            path: /*
+            {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
+            path: /
+            {{- end }}
+            {{- else}}{{/* Has no annotations */}}
+            path: /
+            {{- end }}
 {{- end }}
@@ -1,5 +1,5 @@
 {{- if (eq .Values.global.ingress.enabled true) -}}
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ template "dgraph.fullname" . }}-ingress
@@ -28,33 +28,86 @@ spec:
     - host: {{ .Values.global.ingress.alpha_hostname }}
       http:
         paths:
-          {{- if index $.Values.global.ingress "annotations" }}
-          {{- if eq (index $.Values.global.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
-          - path: /*
-          {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
-          - path: /
-          {{- end }}
-          {{- else}}{{/* Has no annotations */}}
-          - path: /
-          {{- end }}
-            backend:
-              serviceName: {{ template "dgraph.alpha.fullname" . }}
-              servicePort: 8080
+          - backend:
+              service:
+                name:  {{ template "dgraph.alpha.fullname" . }}
+                port:
+                  number: 8080
+            pathType: ImplementationSpecific
+            {{- if index $.Values.global.ingress "annotations" }}
+            {{- if eq (index $.Values.global.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
+            path: /*
+            {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
+            path: /
+            {{- end }}
+            {{- else}}{{/* Has no annotations */}}
+            path: /
+            {{- end }}
     {{- if .Values.ratel.enabled }}
     - host: {{ .Values.global.ingress.ratel_hostname }}
       http:
         paths:
-          {{- if index $.Values.global.ingress "annotations" }}
-          {{- if eq (index $.Values.global.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
-          - path: /*
-          {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
-          - path: /
-          {{- end }}
-          {{- else}}{{/* Has no annotations */}}
-          - path: /
-          {{- end }}
-            backend:
-              serviceName: {{ template "dgraph.ratel.fullname" . }}
-              servicePort: 80
+          - backend:
+              service:
+                name:  {{ template "dgraph.ratel.fullname" . }}
+                port:
+                  number: 80
+            pathType: ImplementationSpecific
+            {{- if index $.Values.global.ingress "annotations" }}
+            {{- if eq (index $.Values.global.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
+            path: /*
+            {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
+            path: /
+            {{- end }}
+            {{- else}}{{/* Has no annotations */}}
+            path: /
+            {{- end }}
     {{- end }}
 {{- end }}
+---
+{{- if (eq .Values.global.ingress_grpc.enabled true) -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "dgraph.fullname" . }}-ingress-grpc
+  labels:
+    app: {{ template "dgraph.name" . }}
+    chart: {{ template "dgraph.chart" . }}
+    component: {{ .Values.alpha.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+  {{- with .Values.global.ingress_grpc.annotations }}
+  annotations:
+    {{- toYaml . | trimSuffix "\n" | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.global.ingress_grpc.tls }}
+  tls:
+  {{- range .Values.global.ingress_grpc.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+    - host: {{ .Values.global.ingress_grpc.alpha_grpc_hostname }}
+      http:
+        paths:
+          - backend:
+              service:
+                name:  {{ template "dgraph.alpha.fullname" . }}
+                port:
+                  number: 9080
+            pathType: ImplementationSpecific
+            {{- if index $.Values.global.ingress_grpc.annotations "annotations" }}
+            {{- if eq (index $.Values.global.ingress_grpc.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
+            path: /*
+            {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
+            path: /
+            {{- end }}
+            {{- else}}{{/* Has no annotations */}}
+            path: /
+            {{- end }}
+{{- end }}
@@ -1,6 +1,5 @@
 {{- if and (eq .Values.ratel.ingress.enabled true) (eq .Values.global.ingress.enabled false) (eq .Values.ratel.enabled true) -}}
-
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ template "dgraph.ratel.fullname" . }}-ingress
@@ -29,16 +28,19 @@ spec:
     - host: {{ .Values.ratel.ingress.hostname }}
       http:
         paths:
-          {{- if index $.Values.ratel.ingress "annotations" }}
-          {{- if eq (index $.Values.ratel.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
-          - path: /*
-          {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
-          - path: /
-          {{- end }}
-          {{- else}}{{/* Has no annotations */}}
-          - path: /
-          {{- end }}
-            backend:
-              serviceName: {{ template "dgraph.ratel.fullname" . }}
-              servicePort: 80
+          - backend:
+              service:
+                name:  {{ template "dgraph.ratel.fullname" . }}
+                port:
+                 number: 80
+            pathType: ImplementationSpecific
+            {{- if index $.Values.ratel.ingress "annotations" }}
+            {{- if eq (index $.Values.ratel.ingress.annotations "kubernetes.io/ingress.class" | default "") "gce" "alb" "nsx" }}
+            path: /*
+            {{- else }}{{/* Has annotations but ingress class is not "gce" nor "alb" */}}
+            path: /
+            {{- end }}
+            {{- else}}{{/* Has no annotations */}}
+            path: /
+            {{- end }}
 {{- end }}
@@ -293,6 +293,14 @@ alpha:
     # annotations: {}
     # tls: {}
 
+  ## alpha GRPC ingress resource configuration
+  ## This requires an ingress controller to be installed into your k8s cluster
+  ingress_grpc:
+    enabled: false
+    # hostname: ""
+    # annotations: {}
+    # tls: {}    
+
   ## dgraph Pod Security Context
   securityContext:
     enabled: false
@@ -619,3 +627,8 @@ global:
     tls: {}
     ratel_hostname: ""
     alpha_hostname: ""
+  ingress_grpc:
+    enabled: false
+    annotations: {}
+    tls: {}
+    alpha_grpc_hostname: ""