Configuring external access in Cloudera Surveyor for Apache Kafka

Learn how you can configure Cloudera Surveyor to provide secure external access to its UI.

Cloudera Surveyor provides a web-based UI that users access externally. By default the UI is exposed using a NodePort type Kubernetes Service that is unsecured.

To further configure and secure external access, you can configure a Kubernetes Ingress on top of the NodePort. Alternatively, you can deploy a LoadBalancer type Service instead of the NodePort. Both methods allow you to provide external users with secure (TLS) access to the UI. The choice between Ingress and LoadBalancer depends on your infrastructure, security requirements, and need for advanced routing or certificate management.

Configuring external access with Ingress

Learn how to configure external access to the Cloudera Surveyor UI with a Kubernetes Ingress.

  • An Ingress controller is required. Ensure that you have one deployed in your Kubernetes cluster. For example, you can use the Ingress-Nginx controller.

  • Optional: cert-manager is installed in your Kubernetes cluster.

    Although not required, cert-manager enables you to manage certificates automatically. Without cert-manager you must manage your certificate manually through Secrets. The following steps assume that cert-manager is available.

  1. Deploy an Issuer resource for cert-manager.
    Take note of the name of the Issuer you deploy. You provide the name of the Issuer to the Ingress in a later step. You do not need to deploy a Certificate resource. The Ingress requests and creates it automatically once it is deployed.
  2. Configure ingress properties in a values file (values.yaml).
    #...
    ingress:
      enabled: true
      protocol: "HTTPS"
      className: "nginx"
      rules:
        host: my-app.example.cloudera.com
        port: 443
      tls:
        enabled: true
        issuer: "[***ISSUER NAME***]"
        secretRef: "[***INGRESS TLS CERT SECRET***]"
    • ingress.enabled – Enables or disables Ingress.

    • ingress.protocol – Configures the Ingress protocol.

    • ingress.className – The class name of the Ingress controller. This example configures the Ingress-Nginx controller.

    • ingress.rules.host – Specifies the DNS hostname that the Ingress controller should match for incoming HTTP/HTTPS requests.

    • ingress.rules.port – The port of the Ingress rule. This is the port of the Kubernetes Service that the Ingress forwards requests to.

    • ingress.tls.enabled – Enables TLS for the Ingress.

    • ingress.tls.issuer – The name of the Issuer resource for Ingress TLS certificates. This is the name in the Issuer resource you created for cert-manager. Only required if cert-manager is available. If this property is set, the Ingress requests a certificate and saves it to the Secret specified in ingress.tls.secretRef.

    • ingress.tls.secretRef – The name of the Secret that contains Ingress TLS certificates. When using cert-manager, the Ingress automatically requests a certificate and saves it to the Secret specified here.

  3. Apply configuration changes.
    helm upgrade cloudera-surveyor [***CHART***] \
      --namespace [***NAMESPACE***] \
      --values [***VALUES.YAML***] \
      --reuse-values
  4. Access the UI.

    The UI is accessible from the Hostname/IP of the Ingress.

    kubectl get ingress --namespace [***NAMESPACE***]
    NAME                        CLASS   HOSTS                         ADDRESS      PORTS
    #...
    cloudera-surveyor-ingress   nginx   my-app.example.cloudera.com   10.14.91.1   80, 443

    In this example, the UI is accessible on my-app.example.cloudera.com:443.
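
A check to run after step 4, added here as an example and not part of the Cloudera documentation: it confirms that the certificate stored in the Secret named in ingress.tls.secretRef covers the host set in ingress.rules.host and is not close to expiry. The function names, the 14-day default and the self-signed sample certificate are assumptions of this example; it needs the openssl command-line tool.

```shell
# Added example (not Cloudera code). To check the deployed certificate,
# export it from the Secret first (cert-manager writes the key tls.crt):
#   kubectl get secret [***INGRESS TLS CERT SECRET***] --namespace [***NAMESPACE***] \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt
#   check_ingress_cert tls.crt my-app.example.cloudera.com
# If tls.crt holds a chain, openssl x509 reads the first (leaf) certificate.

# True if the PEM certificate $1 is valid for hostname $2 (SAN match,
# wildcards included). The printed verdict is parsed rather than relying
# on the exit status.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# True if the certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Combined check. Return codes: 0 ok, 1 unreadable certificate,
# 2 hostname not covered, 3 expires within the threshold (default 14 days).
check_ingress_cert() {
  cic_pem=$1; cic_host=$2; cic_days=${3:-14}
  if ! openssl x509 -in "$cic_pem" -noout >/dev/null 2>&1; then
    echo "FAIL: $cic_pem is not a readable X.509 certificate"; return 1
  fi
  if ! cert_matches_host "$cic_pem" "$cic_host"; then
    echo "FAIL: certificate does not cover $cic_host"; return 2
  fi
  if ! cert_valid_for_days "$cic_pem" "$cic_days"; then
    echo "FAIL: certificate expires within $cic_days days"; return 3
  fi
  echo "OK: certificate covers $cic_host, valid for at least $cic_days more days"
}

# Constructed sample input: a self-signed certificate for host $1, valid
# for $2 days, written to $3, so the checks can be tried offline.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$3.key" -out "$3" 2>/dev/null && rm -f "$3.key"
}
```

A return code of 2 usually means the hostname clients use differs from the value of ingress.rules.host that the certificate was issued for.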

Configuring external access with LoadBalancer

Learn how to configure external access to the Cloudera Surveyor UI with a LoadBalancer type Service.

When deploying a LoadBalancer type Service, the actual load balancer is provisioned and managed by your cloud or infrastructure provider. As a result, TLS settings and certificate management may vary depending on the platform. Refer to vendor-specific documentation for detailed guidance on configuring TLS.

  1. Set service.type to LoadBalancer in a custom values file (values.yaml).
    #...
    service:
      type: LoadBalancer
      port: 8080
      targetPort: 8080
      tlsPort: 8443
      tlsTargetPort: 8443
    
  2. Apply configuration changes.
    helm upgrade cloudera-surveyor [***CHART***] \
      --namespace [***NAMESPACE***] \
      --values [***VALUES.YAML***] \
      --reuse-values
  3. Access the UI.

    The UI is accessible from the Hostname/IP of the load balancer.

    kubectl get service surveyor-service --namespace [***NAMESPACE***]

    Look at the IP listed in the EXTERNAL-IP column as well as the port in the PORT(S) column. You can access the UI through this IP and port.

    NAME                        TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)
    cloudera-surveyor-service   LoadBalancer   10.103.58.116   104.198.205.71   8080:30219/TCP

    In this example, the UI is accessible on 104.198.205.71:8080.