dask-gateway: helm deployment with `traefik.service.type=ClusterIP` fails

What happened:

When I specify “ClusterIP” for the service type I get the error:

Unable to deploy helm chart: cannot patch "traefik-dask-gateway" with kind Service: Service "traefik-dask-gateway" is invalid: spec.ports[0].nodePort: Forbidden: may not be used when `type` is 'ClusterIP'

What you expected to happen:

Able to deploy with ClusterIP

Minimal Complete Verifiable Example:

Should be simple to recreate

Anything else we need to know?:

I would like to use dask-gateway with port forwarding for testing, until I get openid authentication figured out. In any case I probably would like to deploy behind ingress-nginx and do tls-termination there (with letsencrypt provided by cert-manager).

Environment:

cluster: EKS
Dask version: dask-gateway 0.8.0 (latest chart)
Python version:
Operating System:
Install method (conda, pip, source): helm

helm version
version.BuildInfo{Version:"v3.0.1", GitCommit:"7c22ef9ce89e0ebeb7125ba2ebf7d421f3e82ffa", GitTreeState:"clean", GoVersion:"go1.13.4"}

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 1
Comments: 21 (21 by maintainers)

Commits related to this issue

add `nodePort: null` to traefik service ports config Addresses deployment with service type `ClusterIP` -- https://github.com/dask/dask-gateway/issues/304 — committed to shaunc/dask-gateway by shaunc 4 years ago
add `nodePort: null` to traefik service ports config (#305) [ci skip] Addresses deployment with service type `ClusterIP` -- https://github.com/dask/dask-gateway/issues/304 — committed to dask/dask-gateway by shaunc 4 years ago

Most upvoted comments

Mainly security – I’d prefer to monitor everything going through the existing LB / ingress rather than add LBs (and authentication protocols). With ClusterIP I can put an authentication proxy in front if necessary.

When we go to replicate this solution, there is a small incremental cost per LB (looks like $18/month-ish?) that I’d prefer not to pay.

(Another small issue is to figure out the annotations to get your ingress to work with jetstack/cert-manager … I presume it’s possible?)

(And a final very small issue – 😃 – you shouldn’t expose the service type in the values.yaml if its not in fact configurable, or at least document that its for future expansion…)

shaunc on Aug 20, 2020

Ah cool – so with this in values.yaml:

      traefik:
        service:
          type: ClusterIP
          ports:
            web:
              nodePort: null
            tcp:
              nodePort: null

It deploys! 👍

NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/api-dask-gateway       ClusterIP   172.20.66.129   <none>        8000/TCP   16h
service/traefik-dask-gateway   ClusterIP   172.20.129.93   <none>        80/TCP     19s

so that’s one half of the problem. Presumably just putting those nodePort settings as defaults in values.yaml should do the trick. [A confirmation about how to deploy a custom authenticator would be appreciated.]

shaunc on Aug 20, 2020