
Intro

Ingress

Nginx Ingress Controller

kubectl get pods -n ingress-nginx \
  -l app.kubernetes.io/name=ingress-nginx

Manifests

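# simple-ingress.yaml
# any HTTP request is forwarded to my-service
# networking.k8s.io/v1 replaces extensions/v1beta1, which was removed in Kubernetes 1.22
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-ingress
spec:
  defaultBackend:
    service:
      name: my-service
      port:
        number: 8080

# host-ingress.yaml
# only requests for my-service.example.com are forwarded to my-service
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: host-ingress
spec:
  rules:
  - host: my-service.example.com
    http:
      paths:
      - path: /
        pathType: Prefix   # required in networking.k8s.io/v1
        backend:
          service:
            name: my-service
            port:
              number: 8080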

TLS

First we need a Secret containing the private key and certificate for the given host (my-service.example.com in this case):

# tls-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: null
  name: tls-secret-name
type: kubernetes.io/tls
data:
  tls.crt: <base64 encoded certificate>
  tls.key: <base64 encoded private key>

Then we can reference the Secret in the Ingress via the secretName field:

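# tls-ingress.yaml
# networking.k8s.io/v1 replaces extensions/v1beta1, which was removed in Kubernetes 1.22
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
spec:
  tls:
  - hosts:
    - my-service.example.com
    secretName: tls-secret-name   # Secret must be in the same namespace as this Ingress
  rules:
  - host: my-service.example.com
    http:
      paths:
      - path: /
        pathType: Prefix   # required in networking.k8s.io/v1
        backend:
          service:
            name: my-service
            port:
              number: 8080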

You can use cert-manager with, for example, Let’s Encrypt to automate certificate management.

Tips and tricks

If you specify duplicate or conflicting configurations across Ingress objects, the behavior is undefined.

An Ingress object can only refer to an upstream (backend) service in the same namespace. However, multiple Ingress objects in different namespaces can specify subpaths for the same host. These specifications are then merged together. This means that Ingress needs to be coordinated globally across the cluster.
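The two points above can be checked mechanically. The following is an added example, not part of the original notes: it audits Ingress objects for hosts routed from more than one namespace and for host+path pairs claimed more than once. The sample data, namespace names and function names are constructed for illustration, and paths are compared as literal strings (pathType is ignored).

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "team-a", "name": "shop"},
  "spec": {"rules": [{"host": "my-service.example.com", "http": {"paths": [
    {"path": "/", "pathType": "Prefix"}, {"path": "/api", "pathType": "Prefix"}]}}]}},
 {"metadata": {"namespace": "team-b", "name": "extra"},
  "spec": {"rules": [{"host": "my-service.example.com", "http": {"paths": [
    {"path": "/api", "pathType": "Prefix"}, {"path": "/admin", "pathType": "Prefix"}]}}]}},
 {"metadata": {"namespace": "team-b", "name": "internal"},
  "spec": {"rules": [{"host": "internal.example.com", "http": {"paths": [
    {"path": "/", "pathType": "Prefix"}]}}]}}
]}
""")

def claims(ingress_list):
    """Map host -> path -> list of 'namespace/name' Ingress owners."""
    table = defaultdict(lambda: defaultdict(list))
    for ing in ingress_list.get("items", []):
        owner = f'{ing["metadata"]["namespace"]}/{ing["metadata"]["name"]}'
        for rule in ing.get("spec", {}).get("rules") or []:
            host = rule.get("host") or "*"  # a rule without a host matches every host
            for p in (rule.get("http") or {}).get("paths") or []:
                table[host][p.get("path", "/")].append(owner)
    return table

def audit(ingress_list):
    """Return (hosts shared across namespaces, host+path pairs claimed more than once)."""
    shared, duplicates = {}, {}
    for host, paths in claims(ingress_list).items():
        namespaces = {o.split("/")[0] for owners in paths.values() for o in owners}
        if len(namespaces) > 1:
            shared[host] = sorted(namespaces)
        for path, owners in paths.items():
            if len(owners) > 1:
                duplicates[(host, path)] = sorted(owners)
    return shared, duplicates

if __name__ == "__main__":
    # To audit a live cluster, replace SAMPLE with json.load(sys.stdin)
    # and pipe in the output of `kubectl get ingress -A -o json`.
    shared, duplicates = audit(SAMPLE)
    for host, nss in shared.items():
        print(f"host {host} is routed from namespaces: {', '.join(nss)}")
    for (host, path), owners in duplicates.items():
        print(f"conflict {host}{path}: {', '.join(owners)}")
```

A host that appears in the first result is one where a team in another namespace can add or shadow routes, so it is worth reviewing who holds Ingress create rights in each listed namespace.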

Get nginx ingress logs

kubectl get po -A | grep ingress
kubectl logs -n <namespace> nginx-ingress-controller-67956bf89d-fv58j
