Exposing Black Duck Services
This page has been deprecated. Please see the official Kubernetes Black Duck Installation Guide here.
Kubernetes and OpenShift give you the power to determine which services are exposed outside your cluster and which are not.
When you install Black Duck using Synopsys Operator, by default the Black Duck web server (UI) will be exposed, and all other services will be hidden.
You may wish to change this default configuration. This page describes how to do so.
Note: Because there are security considerations when exposing services, please consult your cluster administrator before exposing Black Duck services to the outside world.
Generally, the two services you might want to be exposed are the webserver (NGINX) and the database (Postgres). Exposing NGINX allows you to view the Black Duck web UI from outside the cluster, and exposing Postgres allows for querying the Black Duck database from outside the cluster.
As stated above, Synopsys Operator exposes the Black Duck web UI outside the cluster by default. There are actually two mechanisms that are used to expose the service: a load balancer, and a node port. (These two mechanisms are described in the Viewing the Black Duck Web UI page.)
If, for security or other reasons, you want to remove the web server's load balancer or its node port, use the corresponding command below (the first deletes the load balancer, the second deletes the node port):
kubectl -n <NAMESPACE> delete service webserver-lb
kubectl -n <NAMESPACE> delete service webserver-np
These will ensure that the Black Duck web UI is not visible outside the cluster.
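To confirm what is still reachable from outside the cluster after deleting `webserver-lb` or `webserver-np`, the following added example (not part of the original Black Duck documentation) filters `kubectl get services` output down to the LoadBalancer and NodePort services. The sample table is constructed; its addresses and the `postgres` row are assumptions.

```shell
#!/bin/sh
# Added example, not from the Black Duck documentation.

# Read the table printed by `kubectl get services` on stdin and print
# "NAME TYPE EXTERNAL-IP PORT(S)" for each Service of type LoadBalancer or
# NodePort, the two types this page uses to expose services. Columns are
# located by header name, so the extra -o wide column does not matter.
exposed_services() {
  awk '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      n = split("NAME TYPE EXTERNAL-IP PORT(S)", need, " ")
      for (i = 1; i <= n; i++) if (!(need[i] in col)) exit 2
      next
    }
    $(col["TYPE"]) == "LoadBalancer" || $(col["TYPE"]) == "NodePort" {
      print $(col["NAME"]), $(col["TYPE"]), $(col["EXTERNAL-IP"]), $(col["PORT(S)"])
    }'
}

# Return 0 only if none of the named Services is externally reachable.
# Usage: kubectl -n <NAMESPACE> get services | assert_not_exposed webserver-lb webserver-np
assert_not_exposed() {
  exposed=$(exposed_services) || return 2   # unrecognised header: fail closed
  for name in "$@"; do
    if printf '%s\n' "$exposed" |
       awk -v n="$name" '$1 == n { f = 1 } END { exit !f }'; then
      echo "still exposed: $name" >&2
      return 1
    fi
  done
}

# Constructed sample output (addresses and the postgres row are made up).
SAMPLE='NAME           TYPE           CLUSTER-IP      EXTERNAL-IP          PORT(S)         AGE
postgres       ClusterIP      10.99.200.10    <none>               5432/TCP        2h
webserver      ClusterIP      10.99.200.11    <none>               443/TCP         2h
webserver-lb   LoadBalancer   10.99.200.3     lb.example.invalid   443:30475/TCP   2h
webserver-np   NodePort       10.99.200.4     <none>               443:31443/TCP   2h'

printf '%s\n' "$SAMPLE" | exposed_services
```

Against a live cluster, pipe `kubectl -n <NAMESPACE> get services` into either function; a non-zero exit from `assert_not_exposed` means a named service is still exposed or the header was not recognised.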
There are multiple mechanisms for exposing a service in Kubernetes/OpenShift. Although you should not have to run the commands listed below for the Black Duck web server (as it is exposed by default), you may want to run similar commands to expose the Postgres service. These commands might also come in handy if you hide the webserver and later want to re-expose it.
The most common way to expose a Black Duck service is via a cloud load balancer. A load balancer can be created with a command of the form:
kubectl expose --namespace=default deployment webserver --type=LoadBalancer --port=443 --target-port=8443 --name=nginx-gateway
The above command will create a Network Load Balancer that provides a single IP address that forwards all traffic to the Black Duck service. Load Balancers will work in a large cloud (like GKE) or certain AWS clusters.
You can also expose Black Duck services with a NodePort. NodePorts open up a particular port on all the nodes in your cluster. NodePorts are a reasonable option for small clusters.
kubectl expose --namespace=myhub deployment webserver --type=NodePort --port=443 --target-port=8443 --name=nginx-gateway
Important Note: If you use this option to expose the Black Duck web server, you must set PUBLIC_HUB_WEBSERVER_PORT to the node-port value using the instructions given in the Common Configuration Tasks page.
Given that Synopsys Operator sets up both Load Balancers and Node Ports, you should never need to set up Port Forwarding to access a Black Duck service. That said, there are a few isolated cases where you might want to set up port forwarding - for example, if you either disable your load balancer or suspect that your configured load balancer is not working properly.
In these limited cases, follow these instructions to set up a port forward. (The examples below show how to expose your Black Duck web service using a port forward.)
Example 1:
Run the following command to forward to the webserver service:
kubectl -n <BLACK DUCK NAMESPACE> port-forward svc/webserver 443:443
Example 2:
To forward to the webserver's pod, first, get the webserver's pod name using the following command:
kubectl get pods -n <BLACK DUCK NAMESPACE>
Once you have the pod name, create the port forward with the following command:
kubectl -n <BLACK DUCK NAMESPACE> port-forward <WEBSERVER_POD_NAME> 443:8443
The command above will ensure that traffic sent to port 443 on the local host will be forwarded to port 8443 of the webserver pod.
The Web UI can then be accessed at "http://localhost:443".
Your administrator can help you define a route if you're using OpenShift. Make sure to turn on TLS passthrough if you take this approach. You will then likely access your cluster at a URL that OpenShift defined for you, available in the Routes UI of your OpenShift console's webapp.
To view your Black Duck services, type:
kubectl get services -o wide -n blackduck
You will see a URL like this:
nginx-gateway 10.99.200.3 a0145b939671d... 443:30475/TCP 2h
You can curl it with a command like:
curl --insecure https://a0145b939671d11e7a6ff12207729cdd-587604034.us-east-1.elb.amazonaws.com:443
You should then see a response that includes an HTML page:
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1">...