Kubernetes Ingress

Kubernetes version 1.13.2

First, understand the basics:

This page shows you how to set up ingress in an Azure Kubernetes Service (AKS) cluster. It covers the NGINX ingress controller and the cert-manager project (used to automatically generate and configure Let's Encrypt certificates).

First, understand what a forward proxy and a reverse proxy are: https://www.linuxbabe.com/it-knowledge/differences-between-forward-proxy-and-reverse-proxy

There are many different kinds of forward proxy, such as web proxies, HTTP proxies, SOCKS proxies, etc. Keep in mind that using a forward proxy to browse the Internet usually slows down your overall Internet speed. Another thing to be aware of is that many free forward proxies are built by attackers for malicious purposes. If you happen to be using one of these proxies, they will log every activity you do on the Internet.

Nginx can act as both a web server and a reverse proxy at the same time. HAProxy is another well-known open-source reverse proxy.

TLS termination proxy: https://en.wikipedia.org/wiki/TLS_termination_proxy

A TLS termination proxy (or SSL termination proxy) is a proxy server that is used by an institution to handle incoming TLS connections, decrypting the TLS and passing on the unencrypted request to the institution’s other servers (it is assumed that the institution’s own network is secure so the user’s session data does not need to be encrypted on that part of the link). TLS termination proxies are used to reduce the load on the main servers by offloading the cryptographic processing to another machine, and to support servers that do not support SSL, like Varnish.

Create an ingress controller

To create the ingress controller, use Helm to install nginx-ingress (or apply the YAML manifests directly). For added redundancy, two replicas of the NGINX ingress controller are deployed with the --set controller.replicaCount parameter.

This is for an AKS cluster; for bare metal it is different, since bare metal does not provide a load balancer out of the box (please refer to https://kubernetes.github.io/ingress-nginx/):

helm install stable/nginx-ingress \
--namespace <the namespace as your application> \
--set controller.replicaCount=2 \
--set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux

Then get the public IP assigned to the ingress controller (list the services in the namespace where the chart was installed with kubectl get service):

NAME                                             TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
billowing-kitten-nginx-ingress-controller        LoadBalancer   10.0.182.160   51.145.155.210   80:30920/TCP,443:30426/TCP   20m
billowing-kitten-nginx-ingress-default-backend   ClusterIP      10.0.255.77    <none>           80/TCP                       20m

So far we have only set up an ingress controller; no ingress rules have been specified yet.

Delete

## find helm release name
helm list
## delete
helm delete --purge <name>

Configure a DNS name

For the HTTPS certificates to work correctly, configure an FQDN (fully qualified domain name) for the ingress controller IP address.

For Azure it is:

#!/bin/bash

# Public IP address of your ingress controller
IP="51.145.155.210"

# Name to associate with public IP address
DNSNAME="demo-aks-ingress"

# Get the resource-id of the public ip
PUBLICIPID=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[id]" --output tsv)

# Update public ip address with DNS name
az network public-ip update --ids $PUBLICIPID --dns-name $DNSNAME

Install cert-manager

The NGINX ingress controller supports TLS termination. See https://github.com/jetstack/cert-manager: cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. It periodically ensures certificates are valid and up to date, and attempts to renew certificates at an appropriate time before expiry.

To install the cert-manager controller in an RBAC-enabled cluster, use the following helm install command (this is not the latest version):

# Install the CustomResourceDefinition resources separately
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml

# Create the namespace for cert-manager
kubectl create namespace cert-manager

# Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install \
--name cert-manager \
--namespace cert-manager \
--version v0.8.0 \
jetstack/cert-manager

Create a CA cluster issuer

Create a cluster issuer YAML file and then run kubectl apply -f on it; for more details see: https://cert-manager.readthedocs.io/en/latest/reference/issuers.html

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <your email address>
    privateKeySecretRef:
      name: letsencrypt-prod
    http01: {}

Delete

helm list
helm delete --purge <name>
kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml
kubectl delete -f cluster-issuer.yaml
kubectl delete ns cert-manager

Create ingress route

The apiVersion may be updated to a stable version. Usually, if the AKS demo works but your application does not, it means there is some misconfiguration in the ingress annotations; adjust them according to your situation.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: <ingress name>
  namespace: <ns>
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    ## if the backend inside the cluster uses HTTPS
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ## this part adds SSL/TLS to the ingress
  tls:
  - hosts:
    - <URL>
    secretName: tls-secret
  ## routing rules
  rules:
  - host: <URL>
    http:
      paths:
      - path: /mbi/sii
        backend:
          serviceName: is-servicesdocker
          servicePort: 9446

Delete

kubectl delete -f ingress.yaml

Create a certificate object

Next, a certificate resource must be created. The certificate resource defines the desired X.509 certificate. For more information, see https://cert-manager.readthedocs.io/en/latest/reference/certificates.html

cert-manager has most likely already created a certificate object for you automatically using ingress-shim, which has been deployed together with cert-manager since v0.2.2. See https://docs.cert-manager.io/en/latest/tasks/issuing-certificates/ingress-shim.html
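As an added example (not code from the original notes, nor from the cert-manager or nginx-ingress projects), the Python script below checks an Ingress manifest like the one in the "Create ingress route" section for the mistakes that most often leave a host without a certificate, and shows the Certificate object that cert-manager's ingress-shim would derive from it. The manifest is a constructed dict mirroring the page's YAML; the hostname, ingress name and namespace are made up, and the ingress-shim model is a simplified assumption rather than the controller's actual logic.

```python
import copy

# Annotation keys exactly as used in the notes above (cert-manager v0.8-era API group).
ISSUER_ANNOTATION = "certmanager.k8s.io/cluster-issuer"
INGRESS_CLASS_ANNOTATION = "kubernetes.io/ingress.class"

# Constructed sample: the Ingress from these notes with its placeholders filled in.
# Hostname, ingress name and namespace are invented for this example.
INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "mbi-ingress",
        "namespace": "mbi",
        "annotations": {
            INGRESS_CLASS_ANNOTATION: "nginx",
            ISSUER_ANNOTATION: "letsencrypt-prod",
            "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
        },
    },
    "spec": {
        "tls": [{"hosts": ["demo-aks-ingress.example.com"], "secretName": "tls-secret"}],
        "rules": [{
            "host": "demo-aks-ingress.example.com",
            "http": {"paths": [{
                "path": "/mbi/sii",
                "backend": {"serviceName": "is-servicesdocker", "servicePort": 9446},
            }]},
        }],
    },
}


def lint_ingress(ingress, known_cluster_issuers):
    """Return the list of problems found; an empty list means the manifest passes."""
    problems = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec") or {}

    # Without the cluster-issuer annotation cert-manager never acts on this Ingress.
    issuer = annotations.get(ISSUER_ANNOTATION)
    if issuer is None:
        problems.append(f"missing {ISSUER_ANNOTATION} annotation: no certificate will be issued")
    elif issuer not in known_cluster_issuers:
        problems.append(f"cluster-issuer '{issuer}' does not match any known ClusterIssuer")

    # No tls block means the ingress only serves plain HTTP.
    tls_entries = spec.get("tls") or []
    if not tls_entries:
        problems.append("no spec.tls block: the ingress would serve plain HTTP only")

    # Every tls entry needs a secretName, and every rule host must appear in a
    # tls hosts list, otherwise that host is served without the certificate.
    covered = set()
    for entry in tls_entries:
        if not entry.get("secretName"):
            problems.append("tls entry without secretName: nowhere to store the certificate")
        covered.update(entry.get("hosts") or [])
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host is None:
            problems.append("rule without host: cannot be matched to a TLS host")
        elif host not in covered:
            problems.append(f"rule host '{host}' is not listed under spec.tls hosts")
    return problems


def expected_certificates(ingress):
    """Simplified model (an assumption, not the real controller) of what ingress-shim
    derives: one Certificate per tls entry, named after its secretName, with dnsNames
    from the tls hosts and issuerRef pointing at the annotated ClusterIssuer."""
    meta = ingress["metadata"]
    issuer = meta["annotations"][ISSUER_ANNOTATION]
    certs = []
    for entry in ingress["spec"].get("tls") or []:
        certs.append({
            "apiVersion": "certmanager.k8s.io/v1alpha1",
            "kind": "Certificate",
            "metadata": {"name": entry["secretName"], "namespace": meta["namespace"]},
            "spec": {
                "secretName": entry["secretName"],
                "dnsNames": list(entry["hosts"]),
                "issuerRef": {"name": issuer, "kind": "ClusterIssuer"},
            },
        })
    return certs


def broken_ingress():
    """Constructed variant with two common mistakes: a rule host that is not in
    spec.tls, and the cluster-issuer annotation left out."""
    bad = copy.deepcopy(INGRESS)
    bad["spec"]["rules"][0]["host"] = "other.example.com"
    del bad["metadata"]["annotations"][ISSUER_ANNOTATION]
    return bad


if __name__ == "__main__":
    issuers = {"letsencrypt-prod"}  # names of the ClusterIssuers applied earlier
    print("good manifest:", lint_ingress(INGRESS, issuers) or "OK")
    print("broken manifest:", lint_ingress(broken_ingress(), issuers))
    print("expected Certificate:", expected_certificates(INGRESS)[0])
```

The set passed to lint_ingress is the list of ClusterIssuer names you actually applied (kubectl get clusterissuer); a typo in the annotation is otherwise silent, since cert-manager simply never issues anything and the ingress keeps serving the controller's default fake certificate.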

Test

If everything is working, open the URL in the browser:

<URL>/mbi/sii/launchpad