Managing Ingress for the MDAI Cluster's OTel Collector

DNS
- gRPC
  - Example
- non-gRPC
  - Example
TLS (SSL)
- gRPC
- non-gRPC
Console
- DNS
  - Example
- TLS (SSL)

DNS

To expose the MDAI Cluster's OpenTelemetry Collector to the public, we've simplified the provisioning of two types of Load Balancers.

AWS Application Load Balancer mdai-grpc-endpoint
AWS Network Load Balancer mdai-non-grpc-endpoint

These Load Balancers receive gRPC and non-gRPC (HTTP, TCP, UDP) data respectively.

The Load Balancers can be referred to by their DNS names, which are assigned by AWS.

For secure connectivity, it’s highly recommended - and for TLS (SSL) endpoints, required - that you create CNAME DNS records in your domain, pointing to the Load Balancer DNS names generated by AWS.

In order to provide routing for multiple gRPC receivers of the same type, each receiver should have its own hostname in your public domain. Additional configuration steps are required to provide a mapping between the receiver name and its proposed hostname. A single gRPC Load Balancer will be able to manage ingest from multiple gRPC sources. The current version of the MDAI Cluster only provisions a single gRPC Load Balancer by default.

Example

LB DNS name: mdai-grpc-endpoint.us-east-1.elb.amazonaws.com

OTel Collector Configuration Excerpt: ( This example has 2 gRPC receivers. )

service:
  pipelines:
    traces:
      receivers: [jaeger, otlp]
      processors: [memory_limiter, batch]
      exporters: [debug]

Required CNAME records in domain your-domain.io: | CNAME | AWS DNS NAME | Access URL | | ----------- | --------------- |------------ | | jaeger.grpc.endpoint | mdai-grpc-endpoint.us-east-1.elb.amazonaws.com | jaeger.grpc.endpoint.your-domain.io | | otlp.grpc.endpoint | mdai-grpc-endpoint.us-east-1.elb.amazonaws.com | otlp.grpc.endpoint.your-domain.io |

Manual updates for OpenTelemetry Collector configuration

You would then need to update your OTel configuration to reflect these changes before the MDAI Cluster can receive telemetry via the Access URL.

Navigate to your values/params-values-otel.yaml file:

collectorEndpoints:
  otlp: otlp.grpc.endpoint.collector.your-domain.io
  jaeger: jaeger.grpc.endpoint.collector.your-domain.io

non-gRPC

Example

LB DNS name mdai-non-grpc-endpoint.us-east-1.elb.amazonaws.com

Required CNAME records in domain your-domain.io:

CNAME	AWS DNS NAME	Access URL
`endpoint`	`mdai-non-grpc-endpoint.us-east-1.elb.amazonaws.com`	`endpoint.your-domain.io`

TLS (SSL)

TLS (SSL) Certificates should be generated and issued for all chosen host names.

Steps for Issuing or Importing a Certificate

Choose to Import or Issue a Certificate
Once you have access to your certificate in AWS ACM, it will be accessible via Amazon Resource Name (ARN). These ARNs need to be provided as a configuration parameter during the configuration phase, so make note of these ARNs.

gRPC

TLS (SSL) is MANDATORY for the gRPC endpoint.
From the example above, the gRPC host names that would need certificates are:
- jaeger.grpc.endpoint.your-domain.io
- otlp.grpc.endpoint.your-domain.io
After identifying the certificate ARN, you are required to update the values/params-values-otel.yaml file:

spec:
  ingress:
    annotations:
      alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:1234567890:certificate/th15-15-@n-@ut0g3n3r@ted-numb3r

non-gRPC

SSL is not mandatory, but is highly recommend for non-gRPC ingress.
From the example above, the gRPC host name that would need a certificate is:
- endpoint.your-domain.io
After identifying the certificate ARN, you are required to update the values/params-values-otel.yaml file:

metadata:
  name: test-collector
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:1234567890:certificate/th15-15-@n-@ut0g3n3r@ted-numb3r

Console

DNS

To expose your MDAI Console UI to the public Internet, an AWS Application Load Balancer mdai-console will be provisioned. This Load balancer can be referred to by its DNS name, which is provided by AWS. For secure connectivity, it’s highly recommended - and for TLS (SSL) endpoints, required - that you create CNAME DNS records for your domain that point to the Load Balancer DNS names generated by AWS.

Example

LB DNS name: mdai-console-12345678910.us-east-1.elb.amazonaws.com

Required CNAME records in domain your-domain.io: | CNAME | AWS DNS NAME | Access URL | | ----------- | --------------- |------------ | | mdai-console | mdai-console-12345678910.us-east-1.elb.amazonaws.com | mdai-console.your-domain.io |

TLS (SSL)

TLS (SSL) can be enabled for the MDAI Console UI endpoint. In order to do that, a TLS (SSL) certificate should be issued for the chosen hostname (i.e. mydecisive.domain.dom from the example above), imported into the AWS ACM, and accessed via Amazon Resource Name (ARN). This ARN needs to be provided as a configuration parameter during the configuration phase in the file: values/aws.env

Example: MDAI_UI_ACM_ARN=arn:aws:acm:us-east-1:12345678900:certificate/eaa7da72-1c8d-4277-8131-ab9dfdc35f37

Back to Deploy Your MDAI Cluster

Next Step: Verify Your Installation >>

MyDecisive MDAI Cluster Documentation