Creating a Proxy Container

Use the following steps to create the proxy container.

About this task

Procedure

Ensure that the kubectl context is set to the correct environment.
The mechanism differs based on the Kubernetes environment in use.
Create a key that is used by the proxy and add the new key to the ConfigMap that contains the configuration for the container.
For example,
```
openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365; cat key.pem cert.pem > proxy.pem
```

Create a ConfigMap definition file that is named proxy-config.yaml.

This definition file contains the configuration YAML for the proxy container. For example,

apiVersion: v1 
kind: ConfigMap 
metadata: 
  name: proxy-config 
  namespace: default 
data: 
  ca.pem: |
    <insert-server-ca-pem-here>

  proxy.pem: |
    <insert-proxy-pem-here>

  config.yaml: |
    general: 
      ports:
        ldap:  0
        ldaps: 9636

      id: test-proxy

      license:
        key: "<add-your-license-key-here>"
        accept: standard

      key-stash: "<add-the-server-keystash-here>" 

      admin: 
        pwd: passw0rd1

      ssl:
        cert-label: "server-key"

      audit:
        enabled: true
  
    proxy:
      suffixes:
      - name:           "split_a"
        num-partitions: 1
        base:           "dc=ibm.com"
        servers:
          - name: "server_a"
            role: "primarywrite"
            index: 1

      server-groups:
      - name: "group_a"
        servers:
        - name:       "server_a"
          id:         "server_a"
          target:      "ldaps://isvd-server:9636"
          bind-method: "Simple"
          user:
            dn:       "cn=root"
            password: "passw0rd1"

    keyfile:
      keys:
      - label: "server-key"
        key: "@/var/isvd/config/proxy.pem"
      trusted-certificates:
      - "@/var/isvd/config/ca.pem"

Create the ConfigMap.
```
kubectl create –f proxy-config.yaml
```

Create a deployment file that is named proxy-container.yaml.

This deployment file defines a proxy container for your environment.

# 
# The deployment description of the Verify Directory proxy container.
#

apiVersion: apps/v1
kind: Deployment

metadata:
  name: isvd-proxy
  labels:
    app: isvd-proxy

spec:
  selector:
    matchLabels:
      app: isvd-proxy

  template: 
    metadata:
      labels:
        app: isvd-proxy

    spec:
      # The name of the service account which has the required
      # capabilities enabled for the isvd container.
      serviceAccountName: isvd

      # We use a volume to store the configuration for the 
      # environment.
      volumes:
      - name: config-volume
        configMap:
          name: proxy-config

      containers:
      - name: isvd-proxy

        # The fully qualified name of the image.
        image: icr.io/isvd/verify-directory-proxy:latest

        # The port on which the container will be listening.
        ports:
        - containerPort: 9636

        # Environment definition.
        env:
        - name: YAML_CONFIG_FILE
          value: /var/isvd/config/config.yaml  
          
        # The configuration volume.
        volumeMounts:
        - name: config-volume
          mountPath: /var/isvd/config

        # The liveness, readiness and startup probes are used by
        # Kubernetes to monitor the health of the container.  Our 
        # health is governed by the health_check.sh script which is
        # provided by the container.
        livenessProbe:
          exec:
            command:
            - /sbin/health_check.sh 
            - livenessProbe
          initialDelaySeconds: 5
          periodSeconds: 10

        readinessProbe:
          exec:
            command:
            - /sbin/health_check.sh
          initialDelaySeconds: 5
          periodSeconds: 10 

        livenessProbe:
          exec:
            command:
            - /sbin/health_check.sh 
            - startupProbe
          initialDelaySeconds: 5
          periodSeconds: 10

Create the container.

kubectl create –f proxy-container.yaml

You can monitor the bootstrapping of the container that uses the logs command.

kubectl logs -f `kubectl get -o json pods -l app=isvd-proxy | jq -r .items[0].metadata.name`

Create a configuration file that is named server-service.yaml.

This configuration file defines a service that can be used to access the server. The type of service that is defined differs based on whether the 'load balancer' service type is supported in the environment.

If the 'load balancer' service type is not supported in your environment, Tythe following definition can be used.

# 
# The service description of the Verify Directory server
# service.  This is the entry point into the environment and can be
# accessed over port 30636 from outside of the Kubernetes cluster.
#

apiVersion: v1
kind: Service

metadata:
  name: isvd-proxy

spec:
  ports:
  - port: 9636
    name: isvd-proxy
    protocol: TCP
    nodePort: 30636

  selector:
    app: isvd-proxy

  type: NodePort

If the 'load balancer' service type is supported in your environment, the following definition can be used.


# LoadBalancer service definition....
apiVersion: v1
kind: Service
metadata:
  name: isvd-proxy
spec:
  type: LoadBalancer
  ports:
  - port: 636
  - targetPort: 9636
  selector:
    app: isvd-proxy

Create the service.
```
kubectl create –f proxy-service.yaml
```
Determine the IP address.
- If a LoadBalancer service was defined, determine the external IP address of the service, and then use the ldapsearch command to access the server (port 636).
```
 kubectl get service isvd-proxy --watch
```
- If a NodePort service was defined, determine the IP address of the Kubernetes cluster, and then use your ldapsearch command to access the server (port 30636).
In a minikube environment, the IP address of the cluster can be obtained with the following command.
```
minikube ip
```
In an IBM cloud environment, the IP address of the cluster can be obtained with the following command.
```
ibmcloud cs workers -c <cluster-name> --json | jq -r .[0].publicIP
```