Configuring external access in Cloudera Surveyor for Apache Kafka

Learn how you can configure Cloudera Surveyor to provide secure external access to its UI.

Cloudera Surveyor provides a web-based UI that users access externally. By default the UI is exposed using a NodePort type Kubernetes Service that is unsecured.

To further configure and secure external access, you can configure a Kubernetes Ingress on top of the NodePort. Alternatively, you can deploy a LoadBalancer type Service instead of the NodePort. Both methods allow you to provide external users with secure (TLS) access to the UI. The choice between Ingress and LoadBalancer depends on your infrastructure, security requirements, and need for advanced routing or certificate management.

Configuring external access with Ingress

Learn how to configure external access to the Cloudera Surveyor UI with a Kubernetes Ingress.

  • An Ingress controller is required. Ensure that you have one deployed in your Kubernetes cluster. For example, you can use the Ingress-Nginx controller.

  • Optional: cert-manager is installed in your Kubernetes cluster.

    Although not required, cert-manager enables you to manage certificates automatically. Without cert-manager you must manage your certificate manually through Secrets. The following steps assume that cert-manager is available.

  1. Deploy an Issuer resource for cert-manager.
    Take note of the name of the Issuer you deploy. You provide the name of the Issuer to the Ingress in a later step. You do not need to deploy a Certificate resource. It is automatically requested and created by the Ingress once it is deployed.
  2. Configure ingress properties in a values file (values.yaml).
    #...
    ingress:
      enabled: true
      className: "nginx"
      rules:
        host: my-app.example.cloudera.com
        port: 443
      tls:
        enabled: true
        secretRef: "[***INGRESS TLS CERT SECRET***]"
      extraAnnotations: 
        cert-manager.io/issuer: "[***ISSUER NAME***]"
    • ingress.enabled – Enables or disables Ingress.

    • ingress.className – The class name of the Ingress controller. This example configures the Ingress-Nginx controller.

    • ingress.rules.host – Specifies the DNS hostname that the Ingress controller should match for incoming HTTP/HTTPS requests.

    • ingress.rules.port – The port of the Ingress rule. This is the port of the Kubernetes Service that the Ingress forwards requests to.

    • ingress.tls.enabled – Enables TLS for the Ingress.

    • ingress.tls.secretRef – The name of the Secret that contains the Ingress TLS certificates. When you use cert-manager and the cert-manager.io/issuer annotation is set in the ingress.extraAnnotations property, a certificate is requested automatically and saved to the Secret specified here.

    • ingress.extraAnnotations.* – Extra annotations to apply to the Ingress.

      The cert-manager.io/issuer annotation configures the name of the cert-manager Issuer. When set, a certificate is automatically requested by the Ingress.

  3. Apply configuration changes.
    helm upgrade cloudera-surveyor [***CHART***] \
      --namespace [***NAMESPACE***] \
      --values [***VALUES.YAML***] \
      --reuse-values
  4. Access the UI.

    The UI is accessible from the Hostname/IP of the Ingress.

    kubectl get ingress --namespace [***NAMESPACE***]
    NAME                        CLASS   HOSTS                         ADDRESS      PORTS
    #...
    cloudera-surveyor-ingress   nginx   my-app.example.cloudera.com   10.14.91.1   80, 443

    In this example, the UI is accessible at my-app.example.cloudera.com:443.
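
A minimal Issuer manifest for step 1, given here as an added example that is not part of the Cloudera documentation. It uses cert-manager's CA issuer type; the names surveyor-ca-issuer and surveyor-ca-key-pair are assumptions chosen for illustration.

```yaml
# Added example: cert-manager Issuer that signs the Ingress certificate
# with a private CA. The resource and Secret names are assumptions.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  # Must match the value of the cert-manager.io/issuer annotation
  # set under ingress.extraAnnotations in values.yaml.
  name: surveyor-ca-issuer
  # An Issuer is namespaced. Create it in the namespace where
  # Cloudera Surveyor, and therefore its Ingress, is deployed.
  namespace: "[***NAMESPACE***]"
spec:
  ca:
    # Secret of type kubernetes.io/tls in the same namespace that holds
    # the CA certificate (tls.crt) and private key (tls.key).
    # Clients must trust this CA for the UI certificate to validate.
    secretName: surveyor-ca-key-pair
```

The cert-manager.io/issuer annotation only resolves an Issuer in the Ingress's own namespace. A cluster-wide ClusterIssuer is referenced with the cert-manager.io/cluster-issuer annotation instead.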

Configuring external access with LoadBalancer

Learn how to configure external access to the Cloudera Surveyor UI with a LoadBalancer type Service.

When deploying a LoadBalancer type Service, the actual load balancer is provisioned and managed by your cloud or infrastructure provider. As a result, TLS settings and certificate management may vary depending on the platform. Refer to vendor-specific documentation for detailed guidance on configuring TLS.

  1. Set service.type to LoadBalancer in a custom values file (values.yaml).
    #...
    service:
      type: LoadBalancer
      port: 8080
      tlsPort: 8443
  2. Apply configuration changes.
    helm upgrade cloudera-surveyor [***CHART***] \
      --namespace [***NAMESPACE***] \
      --values [***VALUES.YAML***] \
      --reuse-values
  3. Access the UI.

    The UI is accessible from the Hostname/IP of the load balancer.

    kubectl get service surveyor-service --namespace [***NAMESPACE***]

    Look at the IP listed in the EXTERNAL-IP column as well as the port in the PORT(S) column. You can access the UI through this IP and port.

    NAME                        TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)
    cloudera-surveyor-service   LoadBalancer   10.103.58.116   104.198.205.71   8080:30219/TCP

    In this example, the UI will be accessible on 104.198.205.71:30219.