Varnish Helm Chart

Accessing Varnish Enterprise

Introduction

There are several ways to expose Varnish Enterprise outside the cluster, each with its pros and cons.

In a typical setup, Kubernetes routes traffic to a Pod through its Service layer via kube-proxy, which runs on each node. By default, Kubernetes configures kube-proxy to run in iptables mode, which may result in considerable overhead when Varnish Enterprise is serving multiple gigabits per second of traffic.

In cases where minimal overhead is required, a hostPort can be used to expose a Varnish Enterprise port directly on the node, although this setup limits scalability because ports must be assigned manually. For a Service-based setup, using kube-proxy in IPVS mode is recommended.

Using hostPort

hostPort can be used to expose Varnish Enterprise directly on the node it is running on. As this configuration skips kube-proxy altogether, it can result in the least overhead in the default Kubernetes networking setups, at the expense of requiring the operator to ensure the ports are available on the host.

To configure Varnish Enterprise via hostPort, set server.http.hostPort and server.tls.hostPort:

---
server:
  http:
    port: 80
    hostPort: 80

  tls:
    port: 443
    hostPort: 443

Note: port must also be configured to match hostPort.

Using Service

Kubernetes uses a Service layer as an abstraction for decoupling dependencies within the cluster. A Service works by routing traffic through kube-proxy based on a selector. This decoupling allows Kubernetes to dynamically scale to an arbitrary number of Pods, at the expense of a slight overhead for forwarding a connection.

ClusterIP

ClusterIP is the most fundamental type of Service in Kubernetes. ClusterIP creates an IP address and a DNS name for accessing a service within the cluster. When a connection is made to that given ClusterIP, traffic is distributed to Pods matching the selector (in this case, to Varnish Enterprise pods).

A ClusterIP service is local to the cluster and cannot be accessed from outside the cluster without additional components (such as a load balancer that has access to the cluster network, or an Ingress controller).

To configure Varnish Enterprise to use ClusterIP, set server.service.type to ClusterIP:

---
server:
  service:
    enabled: true
    type: "ClusterIP"

Headless ClusterIP

Headless ClusterIP is a type of ClusterIP that, instead of creating an IP address, creates a DNS name that returns the IP addresses of the Pods matching the selector.

For example, if a service is deployed as varnish-enterprise.default.svc.cluster.local, and Varnish Enterprise pods are running with Pod IPs of 10.42.0.1, 10.42.0.2, and 10.42.0.3 at port 6081, the DNS will return:

varnish-enterprise A 10.42.0.1
varnish-enterprise A 10.42.0.2
varnish-enterprise A 10.42.0.3

To configure Varnish Enterprise to use headless ClusterIP, set server.service.type to ClusterIP and server.service.clusterIP to the string "None":

---
server:
  service:
    enabled: true
    type: "ClusterIP"
    clusterIP: "None"

Unlike other types of services where a port that is configured within a Service can be used to access matching containers, in headless ClusterIP, a containerPort must be used instead. This is the port set in server.http.port (default: 6081), and server.tls.port (default: 6443) respectively. You can also confirm this port using the following command:

kubectl get endpoints

NodePort

NodePort extends ClusterIP by automatically opening a port on every node. This allows a service to be accessed from outside the cluster (or from the internet, if a node has a public IP address). By default, the NodePort is chosen at random within the range of 30000-32767. This range depends on the cluster's configuration.

To configure Varnish Enterprise to use NodePort, set server.service.type to NodePort:

---
server:
  service:
    enabled: true
    type: "NodePort"

It is also possible to configure NodePort with a static port by specifying a port within the configured range. This can be achieved with server.service.http.nodePort and server.service.https.nodePort for HTTP and HTTPS, respectively:

---
server:
  service:
    enabled: true
    type: "NodePort"

    http:
      nodePort: "30080"

    https:
      nodePort: "30443"

Using LoadBalancer

LoadBalancer extends NodePort by automatically configuring an external load balancer to forward a port to a NodePort. The ports defined in server.service.http.port and server.service.https.port will be used as the source ports on the load balancer. The availability and behavior of a LoadBalancer depend on the cluster's configuration. Please consult your service provider's documentation for more information.

To configure Varnish Enterprise to use LoadBalancer, set server.service.type to LoadBalancer:

---
server:
  service:
    enabled: true
    type: "LoadBalancer"
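
Since hostPort, NodePort and LoadBalancer each open a listener reachable from outside the cluster while ClusterIP does not, a values file can be checked for what it exposes before it is deployed. The Python below is an added example, not part of the Varnish Helm Chart: it reads the keys shown on this page from an already-parsed values dictionary, and the function names and the 30000-32767 NodePort range (the default mentioned above) are assumptions.

```python
# Added example. Keys mirror the values shown on this page; function names are hypothetical.
NODEPORT_RANGE = range(30000, 32768)              # assumed default; cluster-configurable
CONTAINER_DEFAULTS = {"http": 6081, "tls": 6443}  # containerPort defaults stated on this page

def audit_exposure(values):
    """Return (exposures, problems); exposures are (scope, listener, port) tuples."""
    server = values.get("server", {})
    svc = server.get("service", {})
    exposures, problems = [], []

    # hostPort binds on the node itself and bypasses kube-proxy and the Service layer.
    for name in ("http", "tls"):
        listener = server.get(name, {})
        host_port = listener.get("hostPort")
        if host_port is not None:
            exposures.append(("node", name, int(host_port)))
            if str(listener.get("port")) != str(host_port):
                problems.append(f"server.{name}.port must match hostPort {host_port}")

    if not svc.get("enabled"):
        return exposures, problems

    svc_type = svc.get("type")
    headless = svc_type == "ClusterIP" and svc.get("clusterIP") == "None"
    for svc_name, listener_name in (("http", "http"), ("https", "tls")):
        entry = svc.get(svc_name, {})
        if headless:
            # Headless: clients connect to the Pod's containerPort, not a Service port.
            port = server.get(listener_name, {}).get("port", CONTAINER_DEFAULTS[listener_name])
            exposures.append(("cluster-headless", svc_name, port))
        elif svc_type == "ClusterIP":
            exposures.append(("cluster", svc_name, entry.get("port")))
        elif svc_type in ("NodePort", "LoadBalancer"):
            node_port = entry.get("nodePort")
            if node_port is None:
                exposures.append(("node", svc_name, "random"))  # picked by the cluster
            elif int(node_port) in NODEPORT_RANGE:
                exposures.append(("node", svc_name, int(node_port)))
            else:
                problems.append(f"server.service.{svc_name}.nodePort {node_port} outside range")
            if svc_type == "LoadBalancer":  # LoadBalancer also keeps the NodePort open
                exposures.append(("external-lb", svc_name, entry.get("port")))
    return exposures, problems

def externally_reachable(values):
    """Listeners that can be reached without being on the cluster network."""
    return [e for e in audit_exposure(values)[0] if e[0] in ("node", "external-lb")]
```

A "random" port means the cluster assigns the NodePort at deploy time, so firewall rules for the nodes have to cover the whole configured range unless a static nodePort is set.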