We are looking to utilise Mender to update our clients in the field. We have successfully implemented a self-hosted Mender-server and have integrated Mender-client onto our board.
All our server-side infrastructure is hosted on AWS. Most of it is hosted in private subnets for security purposes, and we connect to those servers using an AWS Site-to-Site VPN on top of our Mobile Provider’s LTE network (we have a private APN setup for our SIM card population).
When we initially tested out Mender using public servers and a public SIM card we had no issue connecting to our hosted (public test) server and completing updates. But we have found that our production clients, which use an AWS Site-to-Site VPN, are not able to reach outside of the production AWS Virtual Private Cloud (VPC). Therefore, our clients are failing to download the Mender update artifacts from our S3 bucket. From our logs we can see that the clients attempt to download the artifact from an assigned IP within the AWS IP address ranges for S3.
I have come up with a couple of possible solutions around this issue. I was wondering whether anyone could touch on their feasibility.
AWS recently released a new service/construct, which is “Interface endpoints for S3 buckets”. However, upon trying to utilise an endpoint in our setup I have found that the Mender server configuration does not seem to allow an endpoint-url to be specified (as far as I can see). It is rather easy for me to manually specify an endpoint-url using the aws cli or an SDK. Am I missing anything here? I couldn’t see mention of endpoints in the Mender documentation, nor the Mender source code (which admittedly I only briefly scanned).
Alternatively, I believe we could utilise the containerised Minio service and use local block storage attached to the Mender server to host our artifacts. Is this correct?
Finally, I figure it might be possible to access S3 storage using the Mender server as a proxy. I know there are settings for a storage-proxy in the prod.yml file. I have been unable to use these settings to get artifact files from the S3 storage via the Mender server. The server always just passed a public IP for the S3 bucket back to the client. So I’ve hit a dead end with this solution.
Is there anything I’m missing here? Hopefully someone can offer some assistance.