Adding Containers to Helm Service

The developer guide does not work in OpenShift because the Helm charts have insecure security policies and will not launch the hello-toy instance. To get around this I would like to launch another container app to use the ziti-host proxy but I’m having issues mapping the additional containers to the ziti-host service.

I have OpenShift 4.12 setup with a Helm openziti/ziti-host chart installed. I can not figure out how to have other containers use the ziti-host service.

I am using the following install guide:

kind: Service
apiVersion: v1
metadata:
  name: sof-01-service
  namespace: metalcoms
  uid: db29a881-acf9-456c-b8b4-b3e4e13fbc77
  resourceVersion: '2727235'
  creationTimestamp: '2023-05-02T00:16:05Z'
  labels:
    app.kubernetes.io/instance: hello-netfoundry
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: hello-toy
    app.kubernetes.io/version: latest
    helm.sh/chart: hello-toy-2.0.1
  annotations:
    meta.helm.sh/release-name: hello-netfoundry
    meta.helm.sh/release-namespace: metalcoms
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: v1
      time: '2023-05-02T00:16:05Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:meta.helm.sh/release-name': {}
            'f:meta.helm.sh/release-namespace': {}
          'f:labels':
            .: {}
            'f:app.kubernetes.io/instance': {}
            'f:app.kubernetes.io/managed-by': {}
            'f:app.kubernetes.io/name': {}
            'f:app.kubernetes.io/version': {}
            'f:helm.sh/chart': {}
        'f:spec':
          'f:internalTrafficPolicy': {}
          'f:ports':
            .: {}
            'k:{"port":80,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
          'f:selector': {}
          'f:sessionAffinity': {}
          'f:type': {}
spec:
  clusterIP: 172.30.75.106
  ipFamilies:
    - IPv4
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
  internalTrafficPolicy: Cluster
  clusterIPs:
    - 172.30.75.106
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
  selector:
    app.kubernetes.io/instance: hello-netfoundry
    app.kubernetes.io/name: hello-toy
status:
  loadBalancer: {}

Hi Brad,

Welcome to NetFoundry Community Support. Our Ad/Dev team will look into this and we’ll get back to you.

Thanks,

The ziti host chart installs ziti edge tunnel in host mode. You just need to configure a service with a destination name or ip address of the app you are trying to reach on the ziti controller.

Once the service is configured as described in the guide and other steps are completed, you should be able to reach your app inside the cluster from your ziti client.

If you have time today and want to discuss this over Zoom, please let me know. I will send the invite.

Great, I’m available 9:30-10:00 and 12:30-3:00 EST today. Let me know if any of those times work.

1:30 PM would work. If you message me your email, I will forward the invite.

brad@mainsailindustries.com

I was able to get it to work. On the client side you have to use FQDN naming. I was using sof-01-service, the correct naming should have a “.” i.e. sof.service.

Also directly using the cluster IP of the container and port on the Kube side.

Glad it is working for you. Yes, you need at least one dot.
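The two posts above (configure a ziti service whose host-side destination is the app inside the cluster, and dial it from the client by a dotted name) can be put together as one script. This is an added example, not code from the thread or from the openziti project. The cluster IP, port and the name `sof.service` come from the thread; the ziti object names (`sof-web`, the `ziti-host-k8s` identity, the `#sof-clients` role) are assumptions, as is the choice to drive it through the `ziti edge create` CLI.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openziti project.
# Builds the ziti service definition that lets a ziti client reach the
# hello-toy Service through the ziti-host tunneler running in the cluster.
set -eu

# Values taken from the Service manifest posted in the thread
CLUSTER_IP="172.30.75.106"   # spec.clusterIP of sof-01-service
SVC_PORT="80"                # the Service's http port
INTERCEPT_HOST="sof.service" # name the ziti client dials; needs at least one dot

# Assumed object names on the ziti controller (not from the thread)
ZITI_SERVICE="sof-web"
HOST_IDENTITY="ziti-host-k8s"  # identity the ziti-host chart was enrolled with
CLIENT_ROLE="#sof-clients"     # role attribute given to client identities

# Returns 0 when the intercept address contains a dot (the naming the thread
# found necessary), 1 for a bare name such as sof-01-service.
is_dotted_name() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# intercept.v1 config: what the client-side tunneler intercepts
intercept_config() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%s,"high":%s}]}' \
    "$1" "$2" "$2"
}

# host.v1 config: where ziti-host forwards the traffic inside the cluster
host_config() {
  printf '{"protocol":"tcp","address":"%s","port":%s}' "$1" "$2"
}

# Print the ziti CLI commands for the service, its two configs and the
# Dial/Bind policies. Refuses a bare (undotted) intercept name up front.
emit_ziti_commands() {
  svc="$1"; host="$2"; ip="$3"; port="$4"
  is_dotted_name "$host" || { echo "refusing: '$host' has no dot" >&2; return 1; }
  cat <<EOF
ziti edge create config "${svc}-intercept" intercept.v1 '$(intercept_config "$host" "$port")'
ziti edge create config "${svc}-host" host.v1 '$(host_config "$ip" "$port")'
ziti edge create service "$svc" --configs "${svc}-intercept,${svc}-host"
ziti edge create service-policy "${svc}-dial" Dial --service-roles "@${svc}" --identity-roles "${CLIENT_ROLE}"
ziti edge create service-policy "${svc}-bind" Bind --service-roles "@${svc}" --identity-roles "@${HOST_IDENTITY}"
EOF
}

main() {
  # Execute against the controller only when the ziti CLI (already logged in)
  # is on PATH; otherwise print the commands for review.
  if command -v ziti >/dev/null 2>&1; then
    emit_ziti_commands "$ZITI_SERVICE" "$INTERCEPT_HOST" "$CLUSTER_IP" "$SVC_PORT" | sh -e
  else
    emit_ziti_commands "$ZITI_SERVICE" "$INTERCEPT_HOST" "$CLUSTER_IP" "$SVC_PORT"
  fi
}
main
```

The Bind policy is what allows the ziti-host identity to serve the service, and the Dial policy only admits identities carrying the `#sof-clients` attribute, so a client that has not been given that role cannot resolve or connect to `sof.service` at all.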

@Brad_Sollar Was the security policy issue preventing you from running the toy chart only? Would you be able to say what the issue was with that? I’m not up to speed yet on how OpenShift/MicroShift are handling the deprecation of pod security policies in Kubernetes upstream.

I’ll check again and get the exact error, but most of the time it’s when containers are run as root that you see those types of permissions issues. Best practice is to install software you need as root, then change the user at the end to something like 1001.
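The image pattern described above (root for the install steps, an unprivileged numeric user at the end), together with a check that an image actually ends up non-root, as an added example that is neither the thread's nor the hello-toy chart's code. The Dockerfile is constructed for illustration; the `1001:0` ownership and `g=u` permissions follow the usual guidance for images that must also run under an arbitrary UID in group 0, and the check rejects a non-numeric `USER` because a `runAsNonRoot` pod cannot be verified by the kubelet in that case.

```shell
#!/bin/sh
# Added example, not from the thread or the hello-toy chart: the
# "install as root, then drop to an unprivileged user" image pattern, plus a
# check that the final USER is a numeric, non-zero UID.
set -eu

# Constructed Dockerfile for a small static web server on an unprivileged port
DOCKERFILE='FROM docker.io/library/python:3-slim
# root is used only for the installation steps
RUN mkdir -p /srv/www && echo "<h1>hello</h1>" > /srv/www/index.html \
 && chown -R 1001:0 /srv/www && chmod -R g=u /srv/www
WORKDIR /srv/www
EXPOSE 8080
# numeric UID so runAsNonRoot can be verified without consulting /etc/passwd
USER 1001
CMD ["python", "-m", "http.server", "8080"]'

# Print the value of the last USER instruction in a Dockerfile read from
# stdin, or nothing if the image never switches user (i.e. it stays root).
last_user() {
  awk 'toupper($1)=="USER" {u=$2} END {print u}'
}

# Returns 0 when the user is a numeric UID other than 0 (optionally "uid:gid"),
# 1 for root, an empty value, or a user name the kubelet cannot verify.
is_numeric_nonroot() {
  uid="${1%%:*}"
  case "$uid" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
  esac
  [ "$uid" -ne 0 ]
}

# Apply the check to a Dockerfile passed as a string; non-zero exit on failure.
check_dockerfile() {
  u="$(printf '%s\n' "$1" | last_user)"
  if is_numeric_nonroot "$u"; then
    echo "ok: final USER is $u"
  else
    echo "fail: final USER is '${u:-<none, stays root>}'" >&2
    return 1
  fi
}

check_dockerfile "$DOCKERFILE"
```

Running the check against an image that ends with `USER root`, or one with no `USER` instruction at all, fails; it also fails for a named user such as `nginx`, which is the case that produces the "cannot verify user is non-root" rejection when the pod spec sets `runAsNonRoot: true`.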

@Brad_Sollar I released a new version of that Helm chart “hello-toy” that uses an unprivileged webserver instead of running as root.

If you do a helm repo update openziti and set your chart version like >=2.1.0 then you’ll get this release in the next helm upgrade.

That got it to work in OpenShift 4.12. Thanks!
