Possible to expose Kubernetes pod deployment of Relay with HTTPS endpoint?

[cstavitsky]

Environment

SaaS (https://sentry.io/)

What are you trying to accomplish?

Asking on behalf of a customer.

Question and Context

The core question is: "Is it possible to expose a relay [Kubernetes] pod with an HTTPS endpoint ? I don’t see any configuration available for it in the doc."

Slack Messages With Customer

Customer (Thu Mar 28 2024)

How can I expose the relay pod with an HTTPS endpoint ? I don’t see any configuration available for it in the doc

Chris Stavitsky (Sentry.io)

‘Pod’ as in kubernetes pod, correct? I don’t have a ton of experience with kubernetes, but is it possible this is something that would be configured on the kubernetes deployment and not on the Relay side? If you feel confident it’s something that should be done on the Relay side, could you provide more context around the specific problem you’re encountering and what you’ve tried so far? That might help me dig into it more.
(maybe irrelevant since sounds like we’re talking about a deployment rather than local Relay, but may be worth mentioning anyway — I do know that HTTPS won’t work with a local Relay (docs: “Also note that a local relay will out of the box be available via HTTP only so don’t try to send HTTPS requests there”))

Customer
We do deploy the relay in kubernetes, and yes there are options to delegate the https termination to the cluster however we don’t have those components in place yet.
All our pods currently directly expose an HTTPS endpoint directly, most of the external tools that we use also support it. here is an example for the OpenTelemetry Collector: https://github.com/open-telemetry/opentelemetry-collector/blob/main/config/configtls/README.md#server-configuration

How are you getting stuck?

I am unsure whether this is something that Sentry supports, and I don't know enough about how Relay or similar services expose HTTPS endpoints to provide a definitive answer.

Where in the product are you?

Settings - Relay

Link

No response

DSN

No response

Version

No response

[getsantry]

Assigning to @getsentry/support for routing ⏲️

[getsantry]

Routing to @getsentry/product-owners-settings-relay for triage ⏲️

[jan-auer]

For HTTPS, we recommend to run a reverse proxy in front of Relay that handles TLS/SSL termination. More generally, a reverse proxy is recommended for improved uptime during updates and would be required for load balancing.

This is mentioned in our operating guidelines, though we will improve documentation to point this out more clearly.

For k8s specifically, there are no docs or templates on our page. Particularly for this use case, we do not have a recommendation for how to configure a proxy or which one to choose as this highly depends on the environment Relay is being integrated into.

[cstavitsky]

Thanks for the clarifications Jan. Putting the customer's reply for anyone who finds this in the future:

For the HTTPS I managed to setup an Nginx instance as reverse proxy in the k8s pod. this is unusual in our stack but it seems to work. We’ll evaluate this a bit more thoroughly and we’ll see if the workaround is valid.

[jan-auer]

Thank you for passing this on. We'll consider this resolved, but will still improve documentation around hosting Relay with HTTPS.

In case we closed this issue and the customer reports more feedback, please reopen this issue.