Qconnect Sidecar with Kubernetes

This guide will walk you through deploying Qpoint Proxy and Qpoint Connect on a Kubernetes cluster using Helm, setting up a test Pod to verify the setup, and configuring iptables or environment variables for traffic routing. The Proxy supports only HTTPS traffic at this time.

We'll skip Certificate Installation in this guide. See the Kubernetes Connect guide for additional information on how to supply certificates.

Install Qpoint Helm Repo

First, add the Qpoint Helm Repo. The Qpoint Helm charts are maintained under https://github.com/qpoint-io/helm-charts and the repository is available at https://helm.qpoint.io/.

helm repo add qpoint https://helm.qpoint.io/
helm repo update

Deploy Qpoint Proxy

Deploy Qpoint Proxy using Helm. Replace $TOKEN with your actual registration token.

Note that there are two recommended approaches in regards to namespaces when installing:

  1. Install into a dedicated namespace (i.e. qpoint).

  2. Install into different namespaces inline with the operational requirements for your organziation (i.e. billing, shipping...).

The following example assumes that Qpoint Proxy will be installed into the qpoint namespace.

helm install qpoint-proxy qpoint/qpoint-proxy \
  --set registrationToken="$TOKEN" \
  --namespace qpoint \
  --create-namespace

You can find all configurable options with helm:

helm show values qpoint/qpoint-proxy

Verify the Deployment:

helm list -n <namespace>
kubectl get pods -n <namespace>
kubectl get services -n <namespace>

Example Output:

NAME        	NAMESPACE	REVISION	UPDATED                             	STATUS  	CHART             	APP VERSION
qpoint-proxy	default  	1       	2024-06-01 19:15:54.326489 -0400 EDT	deployed	qpoint-proxy-0.0.2	v0.1.2

NAME                          READY   STATUS    RESTARTS   AGE
qpoint-proxy-b48b8bd5-hq4kr   1/1     Running   0          15s

NAME           TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                                   AGE
qpoint-proxy   ClusterIP   10.96.74.0   <none>        10443/TCP, 18443/TCP   22s

Route traffic

Qpoint Init

If your application does not support environment variables for proxies, you can use the Qpoint Init container to configure iptables rules for routing traffic through Qpoint Connect.

Note that the following assumes that Qpoint Connect has been installed in the qpoint namespace (i.e. DNS value of qpoint-connect.qpoint.svc.cluster.local).

apiVersion: v1
kind: Pod
metadata:
  name: mycurlpod
spec:
  initContainers:
    - name: qpoint-init
      image: us-docker.pkg.dev/qpoint-edge/public/kubernetes-qpoint-init:v0.0.9
      env:
        - name: PORT_MAPPING
          value: "16443:443"
        - name: ACCEPT_UIDS
          value: "1010"  # Accept the proxy user / UID
        - name: ACCEPT_GIDS
          value: "1010"  # Accept the proxy group / GID
      securityContext:
        capabilities:
          add: ["NET_ADMIN"]
  containers:
  - name: curl-container
    image: curlimages/curl
    command: [ "sh" ]
    stdin: true
    tty: true
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
  - name: qpoint-connect
    image: "us-docker.pkg.dev/qpoint-edge/public/qpoint:v0.1.4"
    imagePullPolicy: IfNotPresent
    args:
      - connect
      - --envoy-log-level=error
      - --log-level=info
      - --dns-lookup-family=V4_ONLY
    env:
      - name: STATUS_LISTEN
        value: "0.0.0.0:10001"
      - name: DEFAULT_TCP_LISTEN_ADDRESS
        value: "0.0.0.0"
      - name: CONNECT_TCP_FORWARD_PORTS
        value: "16443:443"
      - name: CONNECT_UPSTREAM
        value: "qpoint-proxy.qpoint.svc.cluster.local:10443"
      - name: CONNECT_USERNAME
        value: "default"
      - name: CONNECT_PASSWORD
        value: "default"
    ports:
      - name: e-https
        containerPort: 16443
        protocol: TCP
      - name: status
        containerPort: 10001
        protocol: TCP
    startupProbe:
      httpGet:
        path: /readyz
        port: status
      initialDelaySeconds: 3
      periodSeconds: 5
      timeoutSeconds: 2
      successThreshold: 1
      failureThreshold: 20
    readinessProbe:
      httpGet:
        path: /readyz
        port: status
      initialDelaySeconds: 3
      periodSeconds: 5
      timeoutSeconds: 2
      successThreshold: 1
      failureThreshold: 1
    livenessProbe:
      httpGet:
        path: /healthz
        port: status
      initialDelaySeconds: 3
      periodSeconds: 10
      timeoutSeconds: 2
      successThreshold: 1
      failureThreshold: 3
    resources: {}

Apply the configuration:

kubectl apply -f mycurlpod.yaml

Verify the Pod Status

Ensure the Pod is running:

kubectl get pods

Example Output:

NAME                             READY   STATUS    RESTARTS   AGE
mycurlpod                        2/2     Running   0          99s
qpoint-proxy-5b4bd7694c-2t6mq    1/1     Running   0          5m47s

Execute Commands in the Pod

Once the Pod is running, exec into the Pod and use curl:

kubectl exec -it mycurlpod -- sh

Inside the Pod, you can now use curl to test the connectivity through Qpoint Connect:

curl -I https://example.com

You should see this traffic discovered and authenticated by the Qpoint Proxy

Last updated