reorganize networking docs #1225

Open. Wants to merge 2 commits into base: master.
Changes from 1 commit
59 changes: 0 additions & 59 deletions 1.10/networking/load-balancing-vips/virtual-networks.md

This file was deleted.

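Review bot: `1.10/networking/load-balancing-vips/virtual-networks.md` (59 lines) is deleted outright and nothing else in this change set re-creates its content under the new `1.10/networking/load-balancing/` tree. If the virtual-networks material is meant to move rather than disappear, include the destination file in this PR; otherwise any page or external bookmark linking to the old path will 404 once this merges.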
4 changes: 4 additions & 0 deletions 1.10/networking/load-balancing/east-west/index.md
@@ -0,0 +1,4 @@
---
post_title: East-West Load Balancer
menu_order: 10
---
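Review bot: the new `east-west/index.md` carries only front matter and no body, so the East-West section landing page will render empty; add at least a sentence introducing east-west (service-to-service, intra-cluster) load balancing and a pointer to the Minuteman page beneath it. Also, unlike the Edge-LB pages added in this PR, the front matter omits `post_excerpt`, `feature_maturity` and `enterprise`; if the site build expects those keys on every page, add them here as well.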
4 changes: 4 additions & 0 deletions 1.10/networking/load-balancing/east-west/minuteman/index.md
@@ -0,0 +1,4 @@
---
post_title: Minuteman
menu_order: 00
---
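Review bot: `minuteman/index.md` has no content beyond `post_title: Minuteman` and `menu_order: 00`, so the Minuteman entry in the new menu is a dead end. The existing Minuteman material (the "Load Balancing" page retitled later in this PR, whose `## Next steps` still links to the minuteman repo) should either be moved into this file or be linked from it; a title-only index page gives the reader nowhere to go.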
@@ -1,5 +1,5 @@
---
post_title: Load Balancing and Virtual IPs (VIPs)
post_title: Load Balancing
menu_order: 00
---

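Review bot: dropping "and Virtual IPs (VIPs)" from `post_title` changes what this page promises, yet its body still covers VIPs (the `## Next steps` hunk below keeps "Assign a VIP to your application" as the first item). Either keep VIPs in the title, or split the VIP content into its own page under the new tree and leave this one as a pure "Load Balancing" overview; a title that no longer matches the content makes the page harder to find in search.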
@@ -46,4 +46,4 @@ Port 61420 must be open for the load balancer to work correctly. Because the loa
## Next steps

- [Assign a VIP to your application](/docs/1.10/networking/load-balancing-vips/virtual-ip-addresses/)
- [Learn about the implementation details](https://github.com/dcos/minuteman)
- [Learn about the implementation details](https://github.com/dcos/minuteman)
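Review bot: the first list item still links to `/docs/1.10/networking/load-balancing-vips/virtual-ip-addresses/`, the old `load-balancing-vips` path that this PR is reorganizing away from, so it will break once that tree is removed; retarget it to the page's new location under `/1.10/networking/load-balancing/` and drop the `/docs` prefix, which no other link in this change set uses. The only visible change in this hunk is the removed-and-re-added last line, which looks like a trailing-newline fix; make sure the file now ends with exactly one newline so it does not churn again in the next diff.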
62 changes: 62 additions & 0 deletions 1.10/networking/load-balancing/north-south/edge-lb/architecture.md
@@ -0,0 +1,62 @@
---
post_title: Edge-LB Architecture
menu_order: 8
post_excerpt: ""
feature_maturity: ""
enterprise: 'yes'
---

Edge-LB has a 3-part architecture (API Server, Pool, and Load Balancer) that
is run entirely on top of DC/OS.

# Glossary

## <a name="edge-lb"></a>Edge-LB

The entire component (API Server, Pool, and Load Balancer).

## <a name="edge-lb-api-server"></a>Edge-LB API Server

The service that responds to CLI commands and manages Pools.

## <a name="edge-lb-pool"></a>Edge-LB Pool

The unit of Load Balancer configuration within Edge-LB. The Load Balancers within the same Pool are identical.

The Pool is concerned with properties such as the number of instances of the Load Balancers and their placement.

The number of instances of Load Balancers *cannot be scaled down* (This is
a limitation that we plan to address).

## <a name="edge-lb-load-balancer"></a>Edge-LB Load Balancer

The individual instances of the load balancer software (e.g. HAProxy). These accept traffic and route it to the appropriate services within the DC/OS cluster.

# <a name="edge-lb-reload-behavior"></a>Edge-LB Load Balancer Reload Behavior

## Normal Reload Scenario

A change to an service (such as scaling up or down) that is load balanced
by a Pool will trigger a reload of its Load Balancers. This reload has
the following properies:

* No traffic is dropped (unless the service instance that was serving the
request was killed).
* The Load Balancer will wait until existing connections terminate, so a long
running connection will prevent the reload from completing.
* A reload will occur at most once every 10 seconds.

The properties of this reload enable strategies such as
[Blue/Green Deployment](/1.10/networking/edge-lb/strategies#blue-green-deployment).

## Load Balancer Relaunch Scenario

A change to the Load Balancer (such as adding a Secret) will trigger a
relaunch of all such Load Balancers within the same Pool. This relaunch has
the following properies:

* Traffic is dropped
* To minimize the impact, we suggest running more than one Load
Balancer within the Pool.
* The Load Balancer will be relaunched on the same node (unless the node itself
has failed).
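Review bot: the Blue/Green link at the end of "Normal Reload Scenario" points to `/1.10/networking/edge-lb/strategies#blue-green-deployment`, but this file now lives at `1.10/networking/load-balancing/north-south/edge-lb/`, so the link should become `/1.10/networking/load-balancing/north-south/edge-lb/strategies#blue-green-deployment` (assuming `strategies.md` moves with the rest of the Edge-LB pages in this PR). Two typos: `properies` should be `properties` (it appears twice, in both scenario sections) and `an service` should be `a service`. The bullet "To minimize the impact, we suggest running more than one Load Balancer within the Pool" reads as a sub-point of "Traffic is dropped"; indent it under that bullet so the mitigation is visibly tied to the risk it addresses.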
115 changes: 115 additions & 0 deletions 1.10/networking/load-balancing/north-south/edge-lb/auth.md
@@ -0,0 +1,115 @@
---
post_title: Configuring DC/OS Access for Edge-LB
menu_order: 3
post_excerpt: ""
feature_maturity: ""
enterprise: 'yes'
---

This topic describes how to configure DC/OS access for Edge-LB. Depending on your [security mode](/1.10/overview/security/security-modes/), Edge-LB requires [service authentication](/1.10/security/ent/service-auth/) for access to DC/OS.

| Security mode | Service Account |
|---------------|-----------------------|
| Disabled | Not available |
| Permissive | Recommended (optional) |

**Prerequisites:**

- [DC/OS CLI installed](/1.10/cli/install/) and be logged in as a superuser.
- [Enterprise DC/OS CLI 0.4.14 or later installed](/1.10/cli/enterprise-cli/#ent-cli-install).
- If your [security mode](/1.10/overview/security/security-modes/) is `permissive`, you must [get the root cert](/1.10/networking/tls-ssl/get-cert/) before issuing the curl commands in this section.

# <a name="create-a-keypair"></a>Create a Key Pair
In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI.

Create a public-private key pair and save each value into a separate file within the current directory.

```bash
dcos security org service-accounts keypair <private-key>.pem <public-key>.pem
```

**Tip:** You can use the [DC/OS Secret Store](/1.10/security/ent/secrets/) to secure the key pair.

# <a name="create-a-service-account"></a>Create a Service Account

## Permissive
From a terminal prompt, create a new service account (`<service-account-id>`) containing the public key (`<your-public-key>.pem`).

```bash
dcos security org service-accounts create -p <your-public-key>.pem -d "Edge-LB service account" <service-account-id>
```

**Tip:** You can verify your new service account using the following command.

```bash
dcos security org service-accounts show <service-account-id>
```

# <a name="create-an-sa-secret"></a>Create a Secret
Create a secret (`edge-lb/<secret-name>`) with your service account (`<service-account-id>`) and private key specified (`<private-key>.pem`).

**Tip:** If you store your secret in a path that matches the service name (e.g. service name and path are `edge-lb`), then only the service named `edge-lb` can access it.

## Permissive

```bash
dcos security secrets create-sa-secret <private-key>.pem <service-account-id> edge-lb/<secret-name>
```

**Tip:**
You can list the secrets with this command:

```bash
dcos security secrets list /
```

# <a name="give-perms"></a>Create and Assign Permissions
Use the following curl commands to rapidly provision the Edge-LB service account with the required permissions.

**Tips:**

- Any `/` character in a resource must be replaced with `%252F` before it can be passed in a curl command.
- When using the API to manage permissions, you must first create the permission and then assign it. Sometimes, the permission may already exist. In this case, the API returns an informative message. You can regard this as a confirmation and continue to the next command.

1. Create the permission.

## Permissive

```bash
curl -X PUT --cacert dcos-ca.crt \
-H 'Content-Type: application/json' \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F \
-d '{"description":"Allows access to any service launched by the native Marathon instance"}' \
curl -X PUT --cacert dcos-ca.crt \
-H 'Content-Type: application/json' \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:admin:events \
-d '{"description":"Allows access to Marathon events"}'
```

## Permissive

```bash
curl -X PUT --cacert dcos-ca.crt \
-H 'Content-Type: application/json' \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F \
-d '{"description":"Allows access to any service launched by the native Marathon instance"}' \
curl -X PUT --cacert dcos-ca.crt \
-H 'Content-Type: application/json' \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:admin:events \
-d '{"description":"Allows access to Marathon events"}'
```


1. Grant the permissions and the allowed actions to the service account using the following commands.

## Permissive
Run these commands.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/edgelb-principal/read
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:admin:events/users/edgelb-principal/read
```

For more information about the available Edge-LB commands, see the [Edge-LB command reference](/1.10/cli/command-reference/dcos-edgelb/).
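Review bot: in the "Create the permission" block, the line `-d '{"description":"Allows access to any service launched by the native Marathon instance"}' \` ends with a backslash, so the shell joins the second `curl` onto the first command: the word `curl` and everything after it become extra arguments of the first request instead of a second request, and the `admin:events` permission is never created as written. Remove the trailing `\` after the first `-d` argument so each permission is created by its own command. That whole block also appears twice verbatim (two consecutive `## Permissive` sections with identical commands); keep one copy. In the grant step, the principal is hardcoded as `edgelb-principal` while every earlier command uses the `<service-account-id>` placeholder, so a reader who followed the steps literally grants `read` to an account that does not exist; use the same placeholder in the `/users/<service-account-id>/read` path. Finally, the security-mode table lists only Disabled and Permissive, so the lone `## Permissive` subheading under each section adds nothing and could be removed, or a Strict row and section should be added if that mode is meant to be covered.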