Overview

This document describes how to set up an adaptive PingFederate (PingFed) cluster using dynamic discovery with the JGroups DNS_PING protocol, which is the recommended approach for PingFederate 10.2.
Key Concepts
Dynamic discovery is well suited to environments where traffic volume spikes and additional resources are needed to handle the peak. This elastic scaling lets you bring additional PingFederate engine nodes online with no further configuration changes after the initial setup: a new engine looks up the cluster's DNS record at startup and joins the existing members it finds there.
Google Cloud DNS is Ping's recommended approach on GKE because it integrates seamlessly with GCP and with JGroups' DNS_PING protocol.
ExternalDNS is a set of workloads deployed inside a Kubernetes cluster. It synchronizes exposed Kubernetes Services and Ingresses with DNS providers, making Kubernetes resources discoverable via public or private DNS servers, and lets you control DNS records dynamically through Kubernetes resources in a DNS-provider-agnostic way.
Cloud DNS is a GCP service that provides low-latency, high-availability DNS zone serving. It can act as an authoritative DNS server for public zones that are visible to the internet, or for private zones that are visible only within your network.
Prerequisites
Register a new Google account and activate the $300 free credit.
Install the following tools on your laptop:
gcloud (GCP SDK)
kubectl (Kubernetes command-line tool)
Visual Studio Code (IDE)
git (to clone the deployment repository from GitHub)
Preparations
1. Set up a VPC network with two subnets, one for the us-east region and one for us-west
Path: VPC network / VPC networks / Create VPC network

2. Create two Kubernetes clusters, one in us-east and one in us-west
Path: Kubernetes Engine / Clusters / Create

3. Create a GCE persistent disk (gke-pf-disk) in us-east. It will later be mounted on the PingFed console pod to persist configuration data
Path: Compute Engine / Storage - Disks / Create Disk

4. Create two Cloud DNS private zones
Path: Network services / Cloud DNS / Create a DNS zone
Note: select the VPC network you created in Step 1 so that these private zones are visible to all entities (VMs, nodes, pods, etc.) within the network

5. Allow pod-to-pod communication across the Kubernetes clusters
Path: VPC network / Firewall / Create Firewall Rule
Note: ingress and egress traffic on ports 7600 (the PingFederate cluster bind port) and 7700 (the failure-detection port) must be allowed. Scope the rule to the pod IP ranges of the two clusters rather than to all sources, so that only cluster members can reach the JGroups ports.

6. [Optional] VPC peering, if your Kubernetes clusters are located in different networks
Path: VPC network / VPC network peering / Create Peering Connection
Deploy
1. Clone https://github.com/CoreBlox/ping-federate-gcp.git to your laptop
2. Connect to the us-east Kubernetes cluster
[trick] you can get the gcloud command from the GCP console.

Click the 'connect' option for the cluster you want to connect to, then run the command on your laptop or in Cloud Shell
3. Go to the us-east folder
cd ./ping-federate-gcp/clustered-pingfederate-us-east
4. Prepare the deployment.yml file with the kustomize utility (the namespace variable is substituted into the kustomize output by envsubst)
export PING_IDENTITY_K8S_NAMESPACE=default
kustomize build . | envsubst '${PING_IDENTITY_K8S_NAMESPACE}' > deployment.yml
5. Deploy the k8s workload
kubectl apply -f deployment.yml
6. Go to the us-west folder (and switch your kubectl context to the us-west cluster first, as in step 2, otherwise the next apply lands in us-east again)
7. Repeat steps 4-5
Validation
1. Kubernetes Cluster - pods info (us-east)
NAME                                 READY   STATUS    RESTARTS   AGE   IP            NODE                                                  NOMINATED NODE   READINESS GATES
pod/external-dns-7b5bb8879-pnhxv     1/1     Running   0          13m   10.116.2.17   gke-cluster-us-east-default-pool-clus-18a3dac7-bc7v   <none>           <none>
pod/pingfederate-8484cd5f6-8c8j6     1/1     Running   0          13m   10.116.2.18   gke-cluster-us-east-default-pool-clus-18a3dac7-bc7v   <none>           <none>
pod/pingfederate-admin-9f5d68f45-mczfg   1/1   Running   0          13m   10.116.0.11   gke-cluster-us-east-default-pool-clus-18a3dac7-jr4h   <none>           <none>
2. Kubernetes Cluster - pods info (us-west)
NAME                                 READY   STATUS    RESTARTS   AGE    IP            NODE                                                  NOMINATED NODE   READINESS GATES
pod/external-dns-5b9567c765-n79ll    1/1     Running   0          5m7s   10.240.0.11   gke-cluster-us-west-default-pool-clus-0a7565e7-0903   <none>           <none>
pod/pingfederate-6df6cd7f79-jf4ps    1/1     Running   0          5m7s   10.240.1.9    gke-cluster-us-west-default-pool-clus-0a7565e7-ssn2   <none>           <none>
pod/pingfederate-6df6cd7f79-wcdsx    1/1     Running   0          5m7s   10.240.0.12   gke-cluster-us-west-default-pool-clus-0a7565e7-0903   <none>           <none>
3. Cloud DNS records (us-east)
gcloud dns record-sets list \
  --zone "ping-us-east" \
  --name "pingfederate-cluster.ping-us-east.google.internal" \
  --type A

NAME                                                TYPE  TTL  DATA
pingfederate-cluster.ping-us-east.google.internal.  A     300  10.116.0.11,10.116.2.18
4. Cloud DNS records (us-west)
gcloud dns record-sets list \
  --zone "ping-us-west" \
  --name "pingfederate-cluster.ping-us-west.google.internal" \
  --type A

NAME                                                TYPE  TTL  DATA
pingfederate-cluster.ping-us-west.google.internal.  A     300  10.240.0.12,10.240.1.9
5. PingFed Console service
Port-forward the admin service and access the admin console from your laptop's loopback address. The credentials below are the defaults baked into the Ping DevOps images; they are fine for this lab, and are the first thing to change in any other environment.
curl -u Administrator:2FederateM0re \
  -k 'https://127.0.0.1:9999/pf-admin-api/v1/cluster/status' \
  --header 'x-xsrf-header: PingFederate' | json_pp
{
   "nodes" : [
      {
         "nodeGroup" : "US-WEST-GROUP",
         "nodeTags" : "",
         "version" : "10.2.2.0",
         "index" : 623902800,
         "mode" : "CLUSTERED_ENGINE",
         "address" : "10.240.0.12:7600"
      },
      {
         "address" : "10.116.0.11:7600",
         "mode" : "CLUSTERED_CONSOLE",
         "index" : 938754485,
         "version" : "10.2.2.0",
         "nodeGroup" : "US-EAST-GROUP"
      },
      {
         "nodeGroup" : "US-EAST-GROUP",
         "nodeTags" : "",
         "version" : "10.2.2.0",
         "index" : 823652998,
         "address" : "10.116.2.18:7600",
         "mode" : "CLUSTERED_ENGINE"
      },
      {
         "nodeTags" : "",
         "version" : "10.2.2.0",
         "nodeGroup" : "US-WEST-GROUP",
         "mode" : "CLUSTERED_ENGINE",
         "address" : "10.240.1.9:7600",
         "index" : 1689306981
      }
   ],
   "replicationRequired" : true,
   "lastConfigUpdateTime" : "2021-05-06T17:14:31.000Z",
   "mixedMode" : false
}
What to look for: every PingFederate pod IP from both clusters appears as a member on port 7600, each with the node group of its own region; exactly one node is the CLUSTERED_CONSOLE (the admin pod, 10.116.0.11); and all nodes run the same version with "mixedMode" false. "replicationRequired" true means the console holds configuration changes that have not yet been pushed to the engines, so replicate the configuration from the admin console before testing sign-on through the engines.
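The three validation outputs above answer one question between them: does every PingFederate pod get published by ExternalDNS, and does every published address actually join the JGroups cluster in the right node group? The following script is an added example, not code from the original walkthrough or from the CoreBlox repository. It embeds the kubectl, gcloud and admin-API outputs shown above as constructed sample strings so it runs offline, and assumes the default cluster bind port 7600 that the status output reports; in practice you would feed it the live outputs of the same three commands.

```python
import json

# PingFederate's cluster bind port; the admin API reports members as "<ip>:7600".
CLUSTER_PORT = 7600

# `kubectl get pods -o wide` output for the two clusters (sample copied from the page).
PODS_US_EAST = """\
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/external-dns-7b5bb8879-pnhxv 1/1 Running 0 13m 10.116.2.17 gke-cluster-us-east-default-pool-clus-18a3dac7-bc7v <none> <none>
pod/pingfederate-8484cd5f6-8c8j6 1/1 Running 0 13m 10.116.2.18 gke-cluster-us-east-default-pool-clus-18a3dac7-bc7v <none> <none>
pod/pingfederate-admin-9f5d68f45-mczfg 1/1 Running 0 13m 10.116.0.11 gke-cluster-us-east-default-pool-clus-18a3dac7-jr4h <none> <none>
"""
PODS_US_WEST = """\
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/external-dns-5b9567c765-n79ll 1/1 Running 0 5m7s 10.240.0.11 gke-cluster-us-west-default-pool-clus-0a7565e7-0903 <none> <none>
pod/pingfederate-6df6cd7f79-jf4ps 1/1 Running 0 5m7s 10.240.1.9 gke-cluster-us-west-default-pool-clus-0a7565e7-ssn2 <none> <none>
pod/pingfederate-6df6cd7f79-wcdsx 1/1 Running 0 5m7s 10.240.0.12 gke-cluster-us-west-default-pool-clus-0a7565e7-0903 <none> <none>
"""
# `gcloud dns record-sets list` output for the two private zones (sample copied from the page).
DNS_US_EAST = """\
NAME TYPE TTL DATA
pingfederate-cluster.ping-us-east.google.internal. A 300 10.116.0.11,10.116.2.18
"""
DNS_US_WEST = """\
NAME TYPE TTL DATA
pingfederate-cluster.ping-us-west.google.internal. A 300 10.240.0.12,10.240.1.9
"""
# /pf-admin-api/v1/cluster/status response (sample copied from the page, whitespace compacted).
STATUS = json.loads("""{"nodes": [
 {"nodeGroup": "US-WEST-GROUP", "version": "10.2.2.0", "mode": "CLUSTERED_ENGINE", "address": "10.240.0.12:7600"},
 {"nodeGroup": "US-EAST-GROUP", "version": "10.2.2.0", "mode": "CLUSTERED_CONSOLE", "address": "10.116.0.11:7600"},
 {"nodeGroup": "US-EAST-GROUP", "version": "10.2.2.0", "mode": "CLUSTERED_ENGINE", "address": "10.116.2.18:7600"},
 {"nodeGroup": "US-WEST-GROUP", "version": "10.2.2.0", "mode": "CLUSTERED_ENGINE", "address": "10.240.1.9:7600"}],
 "replicationRequired": true, "lastConfigUpdateTime": "2021-05-06T17:14:31.000Z", "mixedMode": false}""")


def parse_pod_ips(kubectl_output):
    """Map pod name -> pod IP from the text table; the IP is the sixth column."""
    ips = {}
    for line in kubectl_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("pod/"):
            ips[fields[0][len("pod/"):]] = fields[5]
    return ips


def parse_dns_a_records(gcloud_output):
    """Collect every IP published in A records; DATA is a comma-separated list."""
    ips = set()
    for line in gcloud_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 4 and fields[1] == "A":
            ips.update(fields[3].split(","))
    return ips


def pingfederate_pod_ips(pod_ips):
    """IPs of the PingFederate pods (console and engines); external-dns is not a cluster member."""
    return {ip for name, ip in pod_ips.items() if name.startswith("pingfederate")}


def check_region(pod_ips, dns_ips, status, expected_group):
    """Return findings for one region; an empty list means pods, DNS and cluster agree."""
    findings = []
    pf_ips = pingfederate_pod_ips(pod_ips)
    missing = pf_ips - dns_ips   # ExternalDNS has not published the pod yet
    stale = dns_ips - pf_ips     # a record points at a pod that no longer exists
    if missing:
        findings.append(f"pods not published in DNS: {sorted(missing)}")
    if stale:
        findings.append(f"stale DNS records with no matching pod: {sorted(stale)}")
    members = {n["address"]: n for n in status["nodes"]}
    for ip in sorted(pf_ips & dns_ips):
        node = members.get(f"{ip}:{CLUSTER_PORT}")
        if node is None:  # discoverable but never joined: usually the firewall rule from Preparations step 5
            findings.append(f"{ip} is in DNS but never joined the cluster "
                            f"(check the firewall rule for ports {CLUSTER_PORT}/7700)")
        elif node["nodeGroup"] != expected_group:
            findings.append(f"{ip} joined as {node['nodeGroup']}, expected {expected_group}")
    return findings


def check_cluster(status):
    """Cluster-wide findings: one console, one version, and whether replication is pending."""
    findings = []
    consoles = [n for n in status["nodes"] if n["mode"] == "CLUSTERED_CONSOLE"]
    if len(consoles) != 1:
        findings.append(f"expected exactly one CLUSTERED_CONSOLE node, found {len(consoles)}")
    versions = {n["version"] for n in status["nodes"]}
    if len(versions) != 1 or status.get("mixedMode"):
        findings.append(f"mixed PingFederate versions in the cluster: {sorted(versions)}")
    if status.get("replicationRequired"):
        findings.append("configuration not yet replicated to the engines")
    return findings


if __name__ == "__main__":
    for region, pods, dns, group in (("us-east", PODS_US_EAST, DNS_US_EAST, "US-EAST-GROUP"),
                                     ("us-west", PODS_US_WEST, DNS_US_WEST, "US-WEST-GROUP")):
        print(region, check_region(parse_pod_ips(pods), parse_dns_a_records(dns), STATUS, group) or "OK")
    print("cluster", check_cluster(STATUS) or "OK")
```

With the page's sample outputs both regions come back clean and the only cluster-wide finding is the pending replication, which matches the "replicationRequired" flag in the status JSON. The two most useful failure signatures are a pod IP that is in DNS but absent from the member list (the node can be discovered but cannot reach 7600/7700, typically the cross-cluster firewall rule) and a stale A record left behind by a terminated pod, which DNS_PING will keep trying until ExternalDNS reconciles it.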

