ingress

ingress helps to access applications. a single url can be routed to different services based on the url path. the ingress itself has to be exposed as NodePort or LoadBalancer. auth, ssl and url based routing have to be done on the ingress layer.

a deployed solution is called an ingress-controller; the config is called ingress-resources. a k8s cluster does not come with an ingress-controller by default.

a few ingress-controllers are

  • gcp - gce (maintained by k8s project)
  • nginx (maintained by k8s project)
  • contour
  • haproxy
  • traefik
  • istio

nginx ingress-controller

---
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: nginx-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      name: nginx-ingress
  template:
    metadata:
      name: nginx
      labels:
        name: nginx-ingress
    spec:
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.21.0
          # args, env and ports are fields of the container entry
          args:
            - /nginx-ingress-controller
            # flag and value are joined with "="
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
          env:
            # downward api: expose pod name and namespace to the controller
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443

the controller will need a config map

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration

to watch the api for changes in ingress-resources we need a ServiceAccount with correct rules and roles

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount

create a service for it

---
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
spec:
  type: NodePort
  ports:
    - targetPort: 80
      port: 80
      protocol: TCP
      name: http
    - targetPort: 443
      port: 443
      protocol: TCP
      name: https
  selector:
    name: nginx-ingress

ingress-resources

ingress-resources can be configured to redirect to a single pod, for url-path based routing and for subdomain based routing. multiple configurations are possible in one ingress-rule.

redirect to a single pod

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear
spec:
  backend:
    serviceName: wear-service
    servicePort: 80

apply config

path based ingress rule

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
  - http: 
      paths:
      - path: /wear
        backend: 
          serviceName: wear-service
          servicePort: 80
      - path: /watch
        backend: 
          serviceName: watch-service
          servicePort: 80

check the default backend with kubectl describe ingress

domain based ingress rule

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-wear-watch
spec:
  rules:
  - host: wear.my-online-store.com
    http:
      paths:
      - backend:
          serviceName: wear-service
          servicePort: 80
  - host: watch.my-online-store.com  # second subdomain, routed to watch-service
    http:
      paths:
      - backend:
          serviceName: watch-service
          servicePort: 80

host: * is allowed
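
added example, not part of the original notes: ssl and auth done on the ingress layer for the domain based rule above, with the same extensions/v1beta1 api and nginx ingress-controller annotations. the ingress name, the secret names (my-online-store-tls, store-basic-auth) and the host watch.my-online-store.com are assumptions.

```yaml
---
apiVersion: extensions/v1beta1        # same api version as the ingress manifests above
kind: Ingress
metadata:
  name: ingress-wear-watch-tls        # hypothetical name
  annotations:
    # only the nginx ingress-controller should pick up this resource
    kubernetes.io/ingress.class: "nginx"
    # redirect plain http requests to https
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # http basic auth is enforced by nginx before a request reaches a pod
    nginx.ingress.kubernetes.io/auth-type: basic
    # hypothetical secret in the same namespace, htpasswd content under the key "auth"
    nginx.ingress.kubernetes.io/auth-secret: store-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
  # tls is terminated at the ingress; the backends keep listening on port 80
  - hosts:
    - wear.my-online-store.com
    - watch.my-online-store.com
    # hypothetical secret of type kubernetes.io/tls (tls.crt and tls.key)
    secretName: my-online-store-tls
  rules:
  # every rule names its host, so no rule acts as a catch-all for other hostnames
  - host: wear.my-online-store.com
    http:
      paths:
      - backend:
          serviceName: wear-service
          servicePort: 80
  - host: watch.my-online-store.com
    http:
      paths:
      - backend:
          serviceName: watch-service
          servicePort: 80
```

both secrets have to exist in the namespace of the ingress before it is applied, and the certificate has to cover both hosts listed under tls.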