Qconnect Service with Kubernetes

This guide will walk you through deploying Qpoint Proxy and Qpoint Connect on a Kubernetes cluster using Helm, setting up a test Pod to verify the setup, and configuring iptables or environment variables for traffic routing. The Proxy supports only HTTPS traffic at this time.

We'll skip Certificate Installation in this guide. See the Kubernetes Connect guide for additional information on how to supply certificates.

Install Qpoint Helm Repo

First, add the Qpoint Helm Repo. The Qpoint Helm charts are maintained under https://github.com/qpoint-io/helm-charts and the repository is available at https://helm.qpoint.io/.

helm repo add qpoint https://helm.qpoint.io/
helm repo update

Deploy Qpoint Proxy

Deploy Qpoint Proxy using Helm. Replace $TOKEN with your actual registration token.

There are two recommended approaches to namespaces when installing:

  1. Install into a dedicated namespace (e.g. qpoint).

  2. Install into different namespaces in line with the operational requirements of your organization (e.g. billing, shipping...).

The following example assumes that Qpoint Proxy will be installed into the qpoint namespace.

helm install qpoint-proxy qpoint/qpoint-proxy \
  --set registrationToken="$TOKEN" \
  --namespace qpoint \
  --create-namespace

You can find all configurable options with helm:

helm show values qpoint/qpoint-proxy

Verify the Deployment:

helm list -n <namespace>
kubectl get pods -n <namespace>
kubectl get services -n <namespace>

Example Output:

NAME        	NAMESPACE	REVISION	UPDATED                             	STATUS  	CHART             	APP VERSION
qpoint-proxy	default  	1       	2024-06-01 19:15:54.326489 -0400 EDT	deployed	qpoint-proxy-0.0.2	v0.1.2

NAME                          READY   STATUS    RESTARTS   AGE
qpoint-proxy-b48b8bd5-hq4kr   1/1     Running   0          15s

NAME           TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                                   AGE
qpoint-proxy   ClusterIP   10.96.74.0   <none>        10080/TCP,10443/TCP,18080/TCP,18443/TCP   22s

Deploy Qpoint Connect

Deploy Qpoint Connect, setting the upstream to the Qpoint Proxy service, and provide an optional username and password if you've implemented an ACL.

As with Qpoint Proxy, the same two options apply when choosing which namespace to install into.

The following example assumes that Qpoint Connect will be installed into the qpoint namespace.

helm install qpoint-connect qpoint/qpoint-connect \
  --set connectUpstream="qpoint-proxy.qpoint.svc.cluster.local:10443" \
  --set connectUsername="your_username" \
  --set connectPassword="your_password" \
  --namespace qpoint

You can find all configurable options with helm:

helm show values qpoint/qpoint-connect
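
An added example, not part of the Qpoint documentation: values given with --set are visible in the process list and, when typed literally, in shell history, so this script passes the same three chart values through an owner-only values file instead. The QCONNECT_* environment variables and the function names are assumptions; the same approach works for registrationToken when deploying the proxy.

```shell
#!/bin/sh
# Added example, not Qpoint's own code. The chart keys are the ones this guide
# sets with --set; the QCONNECT_* variables and function names are assumptions.

# Quote a single-line string as a YAML single-quoted scalar (' becomes '').
yaml_squote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Write the Connect values to file $1, readable by the owner only.
write_connect_values() {
  out="$1"
  nl='
'
  for v in "$QCONNECT_UPSTREAM" "$QCONNECT_USERNAME" "$QCONNECT_PASSWORD"; do
    case $v in
      *"$nl"*) echo "refusing multi-line value" >&2; return 1 ;;
    esac
  done
  old_umask=$(umask)
  umask 077
  {
    printf 'connectUpstream: %s\n' "$(yaml_squote "$QCONNECT_UPSTREAM")"
    printf 'connectUsername: %s\n' "$(yaml_squote "$QCONNECT_USERNAME")"
    printf 'connectPassword: %s\n' "$(yaml_squote "$QCONNECT_PASSWORD")"
  } > "$out"
  umask "$old_umask"
  chmod 600 "$out"
}

# Install Qpoint Connect without putting the credentials on the command line.
install_connect() {
  values=$(mktemp) || return 1
  write_connect_values "$values" || { rm -f "$values"; return 1; }
  helm install qpoint-connect qpoint/qpoint-connect \
    --namespace qpoint \
    --values "$values"
  rc=$?
  rm -f "$values"
  return $rc
}

# Usage, with the three QCONNECT_* variables already exported:
#   install_connect
```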

Verify the Deployment:

kubectl get pods -n <namespace>
kubectl get services -n <namespace>

Example Output:

NAME                              READY   STATUS    RESTARTS   AGE
qpoint-connect-76688b7f67-jkzl4   1/1     Running   0          6s
qpoint-proxy-b48b8bd5-hq4kr       1/1     Running   0          7m39s

NAME             TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                                   AGE
qpoint-connect   ClusterIP   10.96.168.40   <none>        16080/TCP,16443/TCP                       14s
qpoint-proxy     ClusterIP   10.96.74.0     <none>        10080/TCP,10443/TCP,18080/TCP,18443/TCP   7m47s

Route traffic

Qpoint Init

If your application does not support environment variables for proxies, you can use the Qpoint Init container to configure iptables rules for routing traffic through Qpoint Connect.

Note that the following assumes that Qpoint Connect has been installed in the qpoint namespace (i.e. DNS value of qpoint-connect.qpoint.svc.cluster.local).

apiVersion: v1
kind: Pod
metadata:
  name: mycurlpod
spec:
  initContainers:
    - name: qpoint-init
      image: us-docker.pkg.dev/qpoint-edge/public/kubernetes-qpoint-init:v0.0.9
      env:
        - name: PORT_MAPPING
          value: "16443:443"
        - name: TO_DOMAIN
          value: "qpoint-connect.qpoint.svc.cluster.local"
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
  containers:
  - name: curl-container
    image: curlimages/curl
    command: [ "sh" ]
    stdin: true
    tty: true
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]

Apply the configuration:

kubectl apply -f mycurlpod.yaml

Verify the Pod Status

Ensure the Pod is running:

kubectl get pods

Example Output:

NAME                             READY   STATUS    RESTARTS   AGE
mycurlpod                        1/1     Running   0          99s
qpoint-connect-d9fb8fc54-mxhl2   1/1     Running   0          4m16s
qpoint-proxy-5b4bd7694c-2t6mq    1/1     Running   0          5m47s

Execute Commands in the Pod

Once the Pod is running, exec into the Pod and use curl:

kubectl exec -it mycurlpod -- sh

Inside the Pod, you can now use curl to test the connectivity through Qpoint Connect:

curl -I https://example.com

You should see this traffic discovered and authenticated by the Qpoint Proxy.