Etusivu Tutki Apua
Kirjaudu sisään
cecf
/
deploy
5
0
Haarauta 0
Tiedostot Esitykset 0 Vetopyynnöt 0 Wiki
Puu: e4538f3d9b
Haarat Tunnisteet
deploy
/
neo4j-helm
/
doc
/
docs
/
modules
/
ROOT
/
pages
/
externalexposure.adoc

externalexposure.adoc 6.3 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125 
  1. [#externalexposure]
    2. 

  2. # External Exposure of Neo4j Clusters
    3. 

  3. 

  4. [abstract]
    5. 

  5. This chapter describes how to route traffic from the outside world or Internet to a Neo4j cluster on version 4.3.0 or above running in Kubernetes.
    6. 

  6. 

  7. If you are running a version of Neo4j earlier than 4.3.0 these instructions do not apply. Look at xref::externalexposure42.adoc[external exposure instructions for client routing]
    8. 

  8. 

  9. ## Overview
    10. 

  10. 

  11. By default when you install Neo4j using Neo4j Labs Helm chart none of the services that are created are accessible from outside the Kubernetes cluster.
    12. 

  12. To access Neo4j from outside the Kubernetes cluster we will need an externally valid DNS name or IP address that clients can connect to. That external address needs to direct queries to a Kubernetes LoadBalancer service that is balanced over Neo4j cores.
    13. 

  13. 

  14. [NOTE]
    15. 

  15. A Service with `type: LoadBalancer` is the only suitable option for Neo4j. Ingress cannot be used because Neo4j's driver protocol communicates at the TCP level and most Ingress only support HTTP communication. Node Port services cannot be associated with a static IP address which makes setting up DNS and SSL very difficult. Using NodePort can additionally create configuration challenges for some Neo4j applications that expect to use port 7687 specifically for communication with Neo4j. Because of that we recommend only using LoadBalancer services.
    16. 

  16. 

  17. ### Create Static IP addresses for inbound cluster traffic
    18. 

  18. 

  19. I'm using GCP, so it is done like this.  Important notes here, on GCP the region must match your GKE
    20. 

  20. region, and the network tier must be premium.  On other clouds, the conceptual step here is the same,
    21. 

  21. but the details will differ: you only need to allocate 1 static IP address for your entire Neo4j cluster.
    22. 

  22. 

  23. ```shell
    24. 

  24. # Customize these next 2 for the region of your GKE cluster,
    25. 

  25. # and your GCP project ID
    26. 

  26. REGION=us-central1
    27. 

  27. PROJECT=my-gcp-project-id
    28. 

  28. 

  29. gcloud compute addresses create \
    30. 

  30.   neo4j-static-ip --project=$PROJECT \
    31. 

  31.   --network-tier=PREMIUM --region=$REGION
    32. 

  32. 

  33. echo "IP:"
    34. 

  34. gcloud compute addresses describe neo4j-static-ip \
    35. 

  35.   --region=$REGION --project=$PROJECT --format=json | jq -r '.address'
    36. 

  36. 

  37. ```
    38. 

  38. 

  39. **If you are doing this with Azure** please note that the static IP address must be in the same
    40. 

  40. resource group as your Kubernetes cluster, and can be created with
    41. 

  41. link:https://docs.microsoft.com/en-us/cli/azure/network/public-ip?view=azure-cli-latest#az-network-public-ip-create[az network public-ip create] like this (just one single sample):
    42. 

  42. `az network public-ip create -g resource_group_name -n core01 --sku standard --dns-name neo4jcluster --allocation-method Static`.  The Azure SKU used must be standard, and the resource group you need can be found in the Kubernetes Load Balancer that [following the Azure Tutorial](https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough) sets up for you.
    43. 

  43. 

  44. For the remainder of this tutorial, let's assume that the core IP address I've allocated is
    45. 

  45. as follows:
    46. 

  46. 

  47. ```shell
    48. 

  48. export IP=35.202.123.82
    49. 

  49. ```
    50. 

  50. 

  51. ### Installing the Helm Chart
    52. 

  52. 

  53. From the root of this repo, navigate to stable/neo4j and issue this command to install the helm chart 
    54. 

  54. with a deployment name of "graph".
    55. 

  55. 

  56. ```shell
    57. 

  57. export DEPLOYMENT=graph
    58. 

  58. helm install $DEPLOYMENT . \
    59. 

  59.   --set core.numberOfServers=3 \
    60. 

  60.   --set acceptLicenseAgreement=yes \
    61. 

  61.   --set neo4jPassword=mySecretPassword
    62. 

  62. ```
    63. 

  63. 

  64. 

  65. ## External Exposure
    66. 

  66. 

  67. After a few minutes you'll have a fully-formed cluster whose pods show ready, and which you can connect
    68. 

  68. to from inside Kubernetes, *but* it will not yet be accessible from outside the Kubernetes cluster. So
    69. 

  69. what we need to do next is to create a load balancer and set the `loadBalancerIP` to be the static IP address we
    70. 

  70. reserved in the earlier step.
    71. 

  71. 

  72. A `load-balancer.yaml` file has been provided as a template, here's how to make one for given static
    73. 

  73. IP address:
    74. 

  74. 

  75. ```shell
    76. 

  76. export DEPLOYMENT=graph
    77. 

  77. 

  78. # Reuse IP from the earlier step here.
    79. 

  79. # These *must be IP addresses* and not hostnames, because we're
    80. 

  80. # assigning load balancer IP addresses to bind to.
    81. 

  81. 

  82. echo $DEPLOYMENT with IP $IP ;
    83. 

  83. cat tools/external-exposure/load-balancer.yaml | envsubst | kubectl apply -f -
    84. 

  84. 

  85. ```
    86. 

  86. 

  87. Inside of these services, we use `externalTrafficPolicy: Local`. To avoid adding extra latency from additional network hops inside Kubernetes.  link:https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/[Refer to the kubernetes docs] for more information on this topic.
    88. 

  88. 

  89. There are other options, such as the link:https://kubernetes.github.io/ingress-nginx/[nginx-ingress controller] which can be configured to support TCP connections but in this guide we're shooting for something as simple as possible that you can do with standard Kubernetes resource types.
    90. 

  90. 

  91. [NOTE]
    92. 

  92. **Potential Trip-up point**: On GKE, the only thing needed to associate the static IP to the 
    93. 

  93. load balancer is this `loadBalancerIP` field in the YAML.  On other clouds, there may be additional steps 
    94. 

  94. to allocate the static IP to the Kubernetes cluster.  Consult your local cloud documentation.
    95. 

  95. 

  96. ## Putting it All Together
    97. 

  97. 

  98. We can verify our service is running nicely like this:
    99. 

  99. 

  100. ```
    101. 

  101. $ kubectl get service | grep neo4j-external
    102. 

  102. zeke-neo4j-external   LoadBalancer   10.0.5.183   35.202.123.82     7687:30529/TCP,74.3.140843/TCP,7473:30325/TCP   115s
    103. 

  103. ```
    104. 

  104. 

  105. After all of these steps, you should end up with a cluster properly exposed.   We can recover our password
    106. 

  106. like so, and connect to the static IP.
    107. 

  107. 

  108. ```shell
    109. 

  109. export NEO4J_PASSWORD=$(kubectl get secrets graph-neo4j-secrets -o yaml | grep password | sed 's/.*: //' | base64 -d)
    110. 

  110. cypher-shell -a neo4j://34.66.183.174:7687 -u neo4j -p "$NEO4J_PASSWORD"
    111. 

  111. ```
    112. 

  112. 

  113. Additionally, since we exposed port 7474, you can go to any of the static IPs on port 7474 and end up with
    114. 

  114. Neo4j browser and be able to connect.
    115. 

  115. 

  116. [NOTE]
    117. 

  117. **Security**: These methods send your Neo4j credentials without encryption. To secure communication with Neo4j you must also set up SSL.
    118. 

  118. 

  119. ## Where to Go Next
    120. 

  120. 

  121. * If you have static IPs, you can of course associate DNS with them
    122. 

  122. * Once you have DNS set up you can obtain signed SSL certificates. SSL certificates can be used with Neo4j directly (see the
    123. 

  123. https://neo4j.com/docs/operations-manual/current/security/ssl-framework/[SSL Framework] section of the Neo4j Operations manual).
    124. 

  124. Or, in many situations, SSL certificates can be registered with the Load Balancer instead.
    125. 

  125. * This in turn will let you use https and neo4j+s protocols to communicate with Neo4j.
    126.