Configuring External Access

For users to access your installation of Posit Connect running in Kubernetes, you need to configure an Ingress. There are many different ways to accomplish this, and the steps may vary depending on the requirements of your organization.

In this guide, we use the Traefik v2 Ingress Controller to configure external access to our Posit Connect instance using locally managed TLS certificates. We use the value connect.posit.co as our public domain name in this example, but you should modify this everywhere it occurs to use your own domain.

It is also possible to use external certificate management tools (like cert-manager, Amazon ACM, etc.) if you prefer not to manage local certificates, but the configurations for these varies depending on which Ingress Controller and certificate manager is used. The Posit Helm chart repository contains some examples of different types of Ingress configurations that can be useful.

Step 1: Install the Traefik Ingress Controller

The Traefik documentation contains detailed installation instructions, but the simplest installation steps are:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update
helm install traefik traefik/traefik

Step 2: Create TLS Secrets

Replace connect.crt and connect.key with the local path to your TLS certificate files.

kubectl create secret tls connect-tls \
    --cert connect.crt \
    --key connect.key

Step 3: Configure the Ingress in your Helm Chart Values

# Controls how many instances of Posit Connect are created.
replicas: 1

service:
  # For High Availability installations of Posit Connect, where
  # multiple `replicas` of the Connect pod are in play, it is
  # necessary to enable "sticky sessions" so that traffic for a
  # single connection is always routed to the same Connect pod.
  annotations:
    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
    traefik.ingress.kubernetes.io/service.sticky.cookie.name: RSC-SESSION-COOKIE
    traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true"
    traefik.ingress.kubernetes.io/service.sticky.cookie.samesite: "none"
    traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: traefik

  hosts:
    - host: connect.posit.co
      paths:
        - /

  # Tell the ingress controller to use your TLS secret
  tls:
    - secretName: connect-tls
      hosts:
        - connect.posit.co

config:
  Server:
    # Server.Address must match the FQDN in your TLS certificate.
    Address: "https://connect.posit.co"

Step 4: Apply the Changes to your Installation

See the kubernetes deployment section to see how to create your installation, or apply these changes to an existing installation.

Step 5: Create public DNS records for your installation

In order for you to access your Posit Connect installation via an Ingress, you must create a public DNS record. There are many different DNS service providers to choose from, or you can host your own DNS servers. Creating the DNS records is out of scope for this guide as the process most likely varies for each organization.

Note

A common way to do this in Kubernetes is automating the provisioning of DNS records by using a tool like external-dns.

For this guide, the EXTERNAL-IP of the Traefik Ingress Controller Service must resolve to connect.posit.co. To obtain the EXTERNAL-IP of the Ingress Controller, inspect the Service that was created by the Traefik Helm chart.

kubectl get svc traefik

You should see output like the following:

NAME      TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                      AGE
traefik   LoadBalancer   10.110.77.164   <xx.xx.xx.xx>     80:31869/TCP,443:31047/TCP   20s

If you want to test ahead of public DNS records being created, see the Temporary DNS Records appendix.

Once your DNS records are in place, you can can use netcat to make sure your new DNS records resolve to the correct host. In the example below, update your host path for connect.posit.co:

nc -vz connect.posit.co 443

Output:

Connection to connect.posit.co port 443 [tcp/https] succeeded!

Step 6: Connect to the Dashboard

You should now be able to visit Connect’s Dashboard through your web browser.