Configure HAProxy and Public Cloud to expose Watson Query ports

Expose Watson Query NodePort for external JDBC access and remote agent connection on Amazon Web Services (AWS) self-managed Kubernetes clusters.

About this task

Watson Query NodePort service enables an external connection to Watson Query components running in the Watson Query head pod. To configure the network, you must have access to the AWS Console and the Red Hat® OpenShift® command-line interface (oc).

Procedure

  1. Use the oc login command to log in to the AWS self-managed Kubernetes cluster, and then run the following command to list the Watson Query NodePort service and the port values. Replace <DV_INSTANCE_NAMESPACE> with the namespace where the Watson Query instance runs.
    oc -n <DV_INSTANCE_NAMESPACE> get svc c-db2u-dv-db2u-engn-svc
    Example: The PORT(S) column lists 3 ports in this example, each written as internal port:NodePort port/protocol. For example, 50001 is the internal port, 31966 is the NodePort port, and TCP is the protocol.
    user@host:~# oc get svc c-db2u-dv-db2u-engn-svc
    NAME                      TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                                          AGE
    c-db2u-dv-db2u-engn-svc   NodePort   1.2.3.4   <none>        50001:31966/TCP,50000:32121/TCP,7777:31164/TCP   1d
  2. Use the following command to create a network policy if a network policy with the same contents has not already been created. Replace <DV_INSTANCE_NAMESPACE> with the namespace where the Watson Query instance runs.
    cat << EOF | oc -n <DV_INSTANCE_NAMESPACE> apply -f -
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: dv-nodeport-ext
      namespace: <DV_INSTANCE_NAMESPACE>
    spec:
      ingress:
      - ports:
        - port: 50000
          protocol: TCP
        - port: 50001
          protocol: TCP
        - port: 7777
          protocol: TCP
      podSelector:
        matchLabels:
          component: db2dv
          formation_id: db2u-dv
          icpdsupport/app: dv
          role: db
          type: engine
      policyTypes:
      - Ingress
    EOF
  3. Log in to the AWS Console and create one target group for each NodePort port to be exposed externally.
    Note: Do not group all the NodePort ports into one target group, because AWS will not know which port to route the inbound network traffic to.
    1. In the Specify group details page, set the following configurations.
      1. Set the target type to Instances
      2. Set the Protocol: Port pair to TCP:<NodePort port>. Replace <NodePort port> with the NodePort port value from step 1.
      3. Set the IP address type to IPv4.
      4. Select external VPC.
      5. Set the Health check protocol to TCP.
    2. On the Register targets page, add all the master nodes to the target group's Targets list, and then specify the NodePort port value in the Ports for the selected instances field.

      For example, if the target group is to expose the Db2® SSL port, the Ports for the selected instances field should have the NodePort port corresponding to the internal Db2 port 50001.

  4. Create a new security group to allow inbound traffic from each NodePort port.
  5. Navigate to Create security group > Inbound rules and then complete these steps.
    1. For CIDR blocks 0.0.0.0/0 and 10.0.0.0/16, add one rule for each block against the internal Watson Query port.
    2. Add another rule against the NodePort port.
    3. For each rule you created, enter the following specifications.
      1. Type: Custom TCP.
      2. Port range: For the rules for each block against the internal Watson Query port, enter the Watson Query internal port from step 1. For the rule against the NodePort ports, enter the corresponding NodePort port.
      3. Source: Custom.
      4. Select 0.0.0.0/0 CIDR blocks.
  6. Create a network load balancer against the public or external VPC. Ensure that the load balancer displays the following properties when it is created.
    Scheme
    Internet-facing
    
    Load balancer IP address type
    IPv4
    
    Load balancer type
    Network
  7. Add one listener per NodePort to be exposed externally. Make sure that each listener is connected to a target group that only has a single port, and then set the following specifications.
    1. Protocol: Port pair: TCP: <Internal port>. Replace <Internal port> with the internal port value from step 1.
    2. Select the corresponding target group that you created in step 3.

      For example, to expose the Watson Query internal 50001 Db2 SSL port, ensure you specify TCP: 50001, then select the corresponding target group when you add the listener. The external client connection still uses port 50001, and the AWS side will be mapped to the NodePort opened on the OpenShift master nodes, which in turn is routed to the Watson Query head pod.

    After you add the listeners to the load balancer, the target group starts running a health check. The status of the health check should be Healthy, indicating that the NodePort port is reachable from the load balancer.

    Optional: You can view the listener to target group mapping under the Resource map - new tab of the network load balancer you created in this step.

  8. Add the security group that you created in step 5 to the load balancer.
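The port mapping from step 1 drives every later step: the NetworkPolicy takes the internal ports, each target group takes one NodePort, and each listener takes the matching internal port. The following added Python example (not IBM's code) parses the sample oc get svc line from step 1 and derives those values; the sample line and the namespace passed to it are constructed.

```python
import re

# Constructed sample: the `oc get svc c-db2u-dv-db2u-engn-svc` line from step 1.
SAMPLE_SVC_LINE = (
    "c-db2u-dv-db2u-engn-svc   NodePort   1.2.3.4   <none>        "
    "50001:31966/TCP,50000:32121/TCP,7777:31164/TCP   1d"
)
# Each PORT(S) entry is <internal port>:<NodePort port>/<protocol>.
PORT_RE = re.compile(r"(\d+):(\d+)/(TCP|UDP|SCTP)")


def parse_nodeports(svc_line):
    """Return [(internal_port, nodeport, protocol), ...] from the service line."""
    return [(int(i), int(n), p) for i, n, p in PORT_RE.findall(svc_line)]


def network_policy(namespace, mapping):
    """Build the dv-nodeport-ext NetworkPolicy of step 2 as a dict.

    The ingress ports are the internal ports, not the NodePorts: a
    NetworkPolicy is evaluated against the pod's container ports, after
    kube-proxy has already translated the NodePort.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "dv-nodeport-ext", "namespace": namespace},
        "spec": {
            "ingress": [{"ports": [{"port": i, "protocol": p} for i, _, p in mapping]}],
            "podSelector": {"matchLabels": {
                "component": "db2dv", "formation_id": "db2u-dv",
                "icpdsupport/app": "dv", "role": "db", "type": "engine"}},
            "policyTypes": ["Ingress"],
        },
    }


def nlb_plan(mapping):
    """One target group and one listener per exposed port (steps 3 and 7).

    The target group registers the master nodes on the NodePort; the listener
    uses the internal port, so clients keep connecting to 50001/50000/7777.
    A target group never carries more than one port (the Note in step 3).
    """
    return [{"target_group": f"{p}:{n}",               # Protocol:Port of the target group
             "listener": f"{p}:{i}",                   # Protocol:Port of the listener
             "security_group_ports": sorted({i, n})}   # inbound rules of step 5
            for i, n, p in mapping]
```

Compare the generated listener and target group pairs against the Resource map of the load balancer from step 7 to confirm each listener fronts exactly one single-port target group.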