Docker Community Forums

Add a public cloud node to an on-prem UCP controller

(Mreferre) #1
I have setup a local (on-prem) UCP cluster (1 controller + 2 replicas + 2 nodes). They are on a private 192.168.1.x network.

For test purposes I wanted to add a node in a public cloud (could be AWS, Azure, GCC, DO, what have you) but I don’t have a peering/VPN between my on-prem setup and any of these public clouds, nor can I expose my UCP cluster on the Internet. In other words the UCP cluster can reach out to the additional node in the public cloud but the additional node in the public cloud CANNOT reach out to the UCP cluster.

I was hoping there was a way to “push” the configuration of a node from the UCP cluster to the node, but the only procedure I see documented is running the join on the node and declaring the UCP controller (a process I cannot complete because of the limitation above).

I totally get the latency issues and all that (e.g. Add nodes in different region to UCP) but I was wondering if, only for test purposes, this could be accomplished with the network setup as described.


(Vivek Saraswat) #2

Hmm. The UCP node needs the SHA fingerprint of the controller in order for TLS to work its magic. Is there any way for you to provide a conduit to the controller IP?

(Mreferre) #3

The simple answer is no.

I can’t expose in any way the private controller IP to the cloud instances. Note that in my case it is “I can’t” (I’d do that otherwise). I can imagine that for other people it may be either an “I can’t” or an “I don’t want to”.

I totally get that there is a need for the two end-points to talk in some way.

I guess my question is… would it make sense to provide a connection flow that is reversed? I guess that if the whole swarm/UCP magic assumes the node can talk to the master (even at run-time, not just at install-time) then this is a moot point. But if it’s the master/controller that always reaches out to the node at run-time… then it may make sense to tweak the setup to allow the reverse order.

I am saying this because I find a more legit use case to have a UCP cluster on-prem that has some nodes in the cloud (which doesn’t work today) than a use case to have a UCP cluster in the cloud that has some nodes on-prem (which would work today under my constraints).

My 2 cents.