Kubernetes version 1.13.2
First, understand the basics:
This link shows the instructions for setting up ingress in an Azure Kubernetes Service (AKS) cluster. It uses the NGINX ingress controller and the cert-manager project (used to automatically generate and configure Let's Encrypt certificates).
First, understand what forward proxies and reverse proxies are: https://www.linuxbabe.com/it-knowledge/differences-between-forward-proxy-and-reverse-proxy
There are many different kinds of forward proxy, such as web proxy, HTTP proxy, SOCKS proxy, etc. Please keep in mind that using a forward proxy to browse the Internet usually slows down your overall Internet speed. Another thing to be aware of is that many free forward proxies are built by hackers for malicious purposes. If you happen to be using one of these proxies, they will log every activity you do on the Internet.
Nginx can act as both a web server and a reverse proxy at the same time. HAProxy is another well-known open-source reverse proxy.
TLS termination proxy: https://en.wikipedia.org/wiki/TLS_termination_proxy
A TLS termination proxy (or SSL termination proxy) is a proxy server that is used by an institution to handle incoming TLS connections, decrypting the TLS and passing on the unencrypted request to the institution’s other servers (it is assumed that the institution’s own network is secure so the user’s session data does not need to be encrypted on that part of the link). TLS termination proxies are used to reduce the load on the main servers by offloading the cryptographic processing to another machine, and to support servers that do not support SSL, like Varnish.
Create an ingress controller
To create the ingress controller, use Helm to install nginx-ingress (or use YAML). For added redundancy, two replicas of the NGINX ingress controller are deployed with the --set controller.replicaCount parameter.
This is for an AKS cluster; for bare-metal it is different, since bare-metal has no existing load balancer (see https://kubernetes.github.io/ingress-nginx/):
helm install stable/nginx-ingress \
Then get the public IP assigned to the ingress controller:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
Up to this point we have only set up an ingress controller; no ingress rules have been specified yet.
Delete
## find helm release name
Configure DNS name
For the HTTPS certificates to work correctly, configure an FQDN (fully qualified domain name) for the ingress controller IP address.
For Azure, this is done by assigning a DNS name label to the public IP of the ingress controller.
Install cert-manager
The NGINX ingress controller supports TLS termination; see https://github.com/jetstack/cert-manager. cert-manager is a Kubernetes add-on that automates the management and issuance of TLS certificates from various issuing sources. It periodically ensures certificates are valid and up to date, and attempts to renew certificates at an appropriate time before expiry.
To install the cert-manager controller in an RBAC-enabled cluster, use the following helm install command (this is not the latest version):
# Install the CustomResourceDefinition resources separately
Create a CA cluster issuer
Create a cluster issuer YAML, then run kubectl apply -f on it. For more details see:
https://cert-manager.readthedocs.io/en/latest/reference/issuers.html
apiVersion: certmanager.k8s.io/v1alpha1
Delete
helm list
Create ingress route
The apiVersion may be updated to a stable version. Usually, if the AKS demo works but your application does not, there is a misconfiguration in the ingress annotations; adjust them according to your situation.
apiVersion: extensions/v1beta1
Delete
kubectl delete -f ingress.yaml
Create a certificate object
Next, a certificate resource must be created. The certificate resource defines the desired X.509 certificate. For more information, see https://cert-manager.readthedocs.io/en/latest/reference/certificates.html
cert-manager has likely already created a certificate object for you automatically via ingress-shim, which is deployed together with cert-manager since v0.2.2. See https://docs.cert-manager.io/en/latest/tasks/issuing-certificates/ingress-shim.html
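Added example (not from the original post): a ClusterIssuer and an Ingress that together exercise the cluster issuer, ingress route and ingress-shim steps above, using the API versions of this Kubernetes 1.13 / pre-0.11 cert-manager setup (later releases renamed the group to cert-manager.io and moved Ingress to networking.k8s.io). The issuer name, hostname, e-mail address, secret names and backend service are assumed placeholders; the Let's Encrypt staging endpoint is used so that repeated tests do not consume production rate limits.

```yaml
# ClusterIssuer: cluster-wide ACME account against Let's Encrypt *staging*.
# Staging issues untrusted certificates, which is what you want while
# validating the ingress/DNS setup; switch the server to production only
# once a staging certificate is issued successfully.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging            # assumed name, referenced by the Ingress below
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com           # placeholder: ACME expiry notices go here
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # assumed secret holding the ACME account key
    http01: {}                         # HTTP-01 challenge, served through the NGINX ingress
---
# Ingress route: the certmanager.k8s.io/cluster-issuer annotation is what
# ingress-shim watches; it creates the Certificate object for the hosts in
# spec.tls and stores the issued key pair in secretName.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demo-ingress                   # assumed name
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-staging
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - demo.example.com                 # placeholder: the FQDN configured for the ingress IP
    secretName: demo-tls-secret        # assumed; created and renewed by cert-manager
  rules:
  - host: demo.example.com             # must match the tls host exactly
    http:
      paths:
      - path: /
        backend:
          serviceName: demo-app        # assumed backend Service in the same namespace
          servicePort: 80
```

After applying, `kubectl describe certificate` on the generated object shows whether the HTTP-01 challenge succeeded; a mismatch between the tls host and the FQDN label on the public IP is the usual reason it does not.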
Test
If things are going well, open the URL in the browser:
<URL>/mbi/sii/launchpad