{"id":818,"date":"2024-01-23T01:04:00","date_gmt":"2024-01-23T01:04:00","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=818"},"modified":"2024-01-23T01:04:00","modified_gmt":"2024-01-23T01:04:00","slug":"setup-ingress-kubernetes-nginx-controller","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=818","title":{"rendered":"Kubernetes Gateway API: A Beginner’s Guide"},"content":{"rendered":"

In this comprehensive ingress guide, you will learn how to setup Nginx ingress controller <\/strong>on Kubernetes <\/strong>and configure ingress using DNS.<\/p>\n

If you want to understand how Kubernetes ingress works, read my Kubernetes Ingress Tutorial.<\/a> for beginners. I have explained all the core ingress concepts including how an ingress object works with an ingress controller.<\/p>\n

There are two Nginx ingress controllers.<\/p>\n

    \n
  1. Nginx ingress controller by kubernetes community<\/a><\/li>\n
  2. Nginx ingress controller by Nginx Inc<\/a><\/li>\n<\/ol>\n

    We will be using the Kubernetes community Nginx controller.<\/p>\n

    \n
    Note<\/strong><\/b>: Today, you can get 25% discount<\/strong><\/b> on Kubernetes CKA, CKAD, CKS, KCNA certifications using code DCUBE20<\/strong><\/b> at kube.promo\/latest<\/a><\/div>\n<\/div>\n

    Ingress & Nginx Ingress Controller Architecture<\/h2>\n

    Here is a high-level architecture of Kubernetes ingress using the Nginx ingress controller. In this guide, we will learn to build the setup in the architecture.<\/p>\n

    (Note<\/strong>: Click the image to view in high resolution)<\/p>\n

    \"Nginx
    Click to view in HD<\/span><\/figcaption><\/figure>\n

    Prerequisites<\/h2>\n
      \n
    1. A Kubernetes cluster<\/a><\/li>\n
    2. kubectl utility installed and authenticated to kubernetes cluster.<\/li>\n
    3. Admin access to kubernetes cluster.<\/li>\n
    4. A valid domain to point to ingress controller Load Balancer IP. (Optional<\/strong>)<\/li>\n<\/ol>\n

      If you are trying this setup on Google Cloud, assign admin permissions to your account to enable cluster roles.<\/p>\n

      ACCOUNT=$(gcloud info --format='value(config.account)')\nkubectl create clusterrolebinding owner-cluster-admin-binding \\\n    --clusterrole cluster-admin \\\n    --user $ACCOUNT<\/code><\/pre>\n
      Nginx Ingress Controller Kubernetes Manifests<\/h2>\n
      All the kubernetes manifests used in this tutorial are hosted on the Github repository<\/a>.<\/p>\n
      Clone it and you can deploy the YAML files directly as you follow along the guide. These manifests are taken from the official Nginx community repo.<\/p>\n
      git clone https:\/\/github.com\/techiescamp\/nginx-ingress-controller<\/code><\/pre>\n
      First, we will understand all the associated Kubernetes objects by deploying Nginx controllers using YAML manifests<\/strong>. Once we have the understanding, we will deploy it using the Helm chart<\/strong>.<\/p>\n
      \n
      Note<\/strong><\/b>: If you want to understand all the Nginx ingress controllers objects and how they relate to each other, I suggest you create objects individually from the repo. Once you know how it works, you can use a single manifest or a helm chart to deploy it.<\/div>\n<\/div>\n
      If you want to deploy all the objects on one go, open the cloned repo in termal.<\/p>\n
      cd in in to the manifest folder and execute the following command. It will deploy all the manifests explained in this blog.<\/p>\n
      kubectl apply -f .<\/code><\/pre>\n
      Deploy Nginx Ingress Controller With Manifests<\/h2>\n
      We need to deploy the following Kubernetes objects<\/a> to have a working Nginx controller<\/strong>.<\/p>\n
        \n
      1. ingress-nginx<\/code> namespace<\/li>\n
      2. Service account\/Roles\/ClusterRoles for Nginx admission controller<\/strong><\/li>\n
      3. Validating webhook Configuration<\/li>\n
      4. Jobs to create\/update Webhook CA bundles<\/li>\n
      5. Service account\/Roles\/ClusterRoles of Nginx controller deployment<\/strong><\/li>\n
      6. Nginx controller configmap<\/li>\n
      7. Services for nginx controller & admission controller<\/li>\n
      8. Ingress controller deployment<\/li>\n<\/ol>\n
        \n
        Note<\/strong><\/b>: You can create all the manifests yourself or use the Github repo. However, I highly suggest you go through every manifest and understand what you are deploying.<\/div>\n<\/div>\n
        Need for Admission Controller & Validating Webhook<\/h3>\n
        Kubernetes Admission Controller is a small piece of code to validate or update Kubernetes objects before creating them. In this case, it’s an admission controller to validate the ingress objects<\/strong>. The Admission Controller code is part of the Nginx controller that listens on the port 8443<\/code>.<\/p>\n
        Why do need the admission controller for ingress?<\/strong><\/p>\n
        Without an admission controller, you can deploy ingress object that might contain wrong configurations<\/strong>. A wrong configuration can break all the ingress rules associated with the ingress controller.<\/p>\n
        With the admission controller in place, if you deploy a ingress object with wrong configurations, it will throw an error. This way you can ensure that the ingress object you create has the correct configurations and doesn’t break routing rules.<\/p>\n
        Here is how admission controllers work for Nginx.<\/p>\n
        \"nginx
        Click to view in HD<\/span><\/figcaption><\/figure>\n
          \n
        1. When you deploy an ingress YAML, the Validation admission intercepts the request.<\/li>\n
        2. Kubernetes API then sends the ingress object to the validation admission controller service endpoint based on admission webhook endpoints.<\/li>\n
        3. Service sends the request to the Nginx deployment on port 8443 for validating the ingress object.<\/li>\n
        4. The admission controller then sends a response to the k8s API.<\/li>\n
        5. If it is a valid response, the API will create the ingress object.<\/li>\n<\/ol>\n
          Now let’s get started by creating Kubernetes objects for the ingress controller.<\/p>\n
          \n
          Note<\/strong><\/b>: In the following sections you dont necessarily have to copy and create the YAML files. You can use the files from the repository directly and deploy it. I have given the full YAMLs here for reference.<\/div>\n<\/div>\n
          Create a Namespace<\/h3>\n
          We will deploy all the Nginx controller objects in the ingress-nginx<\/code> namespace.<\/p>\n
          Let’s create the namespace.<\/p>\n
          kubectl create ns ingress-nginx<\/code><\/pre>\n
          Create Admission Controller Roles & Service Account<\/h3>\n
          We need a Role and ClusterRole with required permissions and bind to ingress-nginx-admission<\/code> service account.<\/p>\n
          Create a file named admission-service-account.yaml<\/code> and copy the following contents.<\/p>\n
          ---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission\n  namespace: ingress-nginx\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  annotations:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission\n  namespace: ingress-nginx\nrules:\n- apiGroups:\n  - \"\"\n  resources:\n  - secrets\n  verbs:\n  - get\n  - create\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: RoleBinding\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission\n  namespace: ingress-nginx\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: ingress-nginx-admission\nsubjects:\n- kind: ServiceAccount\n  name: ingress-nginx-admission\n  namespace: ingress-nginx\n\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission\nrules:\n- apiGroups:\n  - admissionregistration.k8s.io\n  resources:\n  - validatingwebhookconfigurations\n  verbs:\n  - get\n  - update\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: ingress-nginx-admission\nsubjects:\n- kind: ServiceAccount\n  name: ingress-nginx-admission\n  namespace: ingress-nginx<\/code><\/pre>\n
          Deploy the manifest.<\/p>\n
          kubectl apply -f admission-service-account.yaml <\/code><\/pre>\n
          Create Validating Webhook Configuration<\/h3>\n
          Create a file named validating-webhook.yaml<\/code> and copy the following contents.<\/p>\n
          ---\napiVersion: admissionregistration.k8s.io\/v1\nkind: ValidatingWebhookConfiguration\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission\nwebhooks:\n- admissionReviewVersions:\n  - v1\n  clientConfig:\n    service:\n      name: ingress-nginx-controller-admission\n      namespace: ingress-nginx\n      path: \/networking\/v1\/ingresses\n  failurePolicy: Fail\n  matchPolicy: Equivalent\n  name: validate.nginx.ingress.kubernetes.io\n  rules:\n  - apiGroups:\n    - networking.k8s.io\n    apiVersions:\n    - v1\n    operations:\n    - CREATE\n    - UPDATE\n    resources:\n    - ingresses\n  sideEffects: None<\/code><\/pre>\n
          Create the ValidatingWebhookConfiguration<\/code><\/p>\n
          kubectl apply -f validating-webhook.yaml<\/code><\/pre>\n
          Deploy Jobs To Update Webhook Certificates<\/h3>\n
          The  ValidatingWebhookConfiguration<\/code> works only over HTTPS. So it needs a CA bundle.<\/p>\n
          We use kube-webhook-certgen<\/a> to generate a CA cert bundle with the first job. The generated CA certs are stored in a secret named ingress-nginx-admission<\/code><\/p>\n
          The second job patches the ValidatingWebhookConfiguration<\/code> object with the CA bundle.<\/p>\n
          Create a file named jobs.yaml<\/code> and copy the following contents.<\/p>\n
          \n---\napiVersion: batch\/v1\nkind: Job\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission-create\n  namespace: ingress-nginx\nspec:\n  template:\n    metadata:\n      labels:\n        app.kubernetes.io\/component: controller\n        app.kubernetes.io\/instance: ingress-nginx\n        app.kubernetes.io\/name: ingress-nginx\n      name: ingress-nginx-admission-create\n    spec:\n      containers:\n      - args:\n        - create\n        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc\n        - --namespace=$(POD_NAMESPACE)\n        - --secret-name=ingress-nginx-admission\n        env:\n        - name: POD_NAMESPACE\n          valueFrom:\n            fieldRef:\n              fieldPath: metadata.namespace\n        image: registry.k8s.io\/ingress-nginx\/kube-webhook-certgen:v20231011-8b53cabe0\n        imagePullPolicy: IfNotPresent\n        name: create\n        securityContext:\n          allowPrivilegeEscalation: false\n      nodeSelector:\n        kubernetes.io\/os: linux\n      restartPolicy: OnFailure\n      securityContext:\n        runAsNonRoot: true\n        runAsUser: 2000\n      serviceAccountName: ingress-nginx-admission\n---\napiVersion: batch\/v1\nkind: Job\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-admission-patch\n  namespace: ingress-nginx\nspec:\n  template:\n    metadata:\n      labels:\n        app.kubernetes.io\/component: admission-webhook\n        app.kubernetes.io\/instance: ingress-nginx\n        app.kubernetes.io\/name: ingress-nginx\n      name: ingress-nginx-admission-patch\n    spec:\n      containers:\n      - args:\n        - patch\n        - --webhook-name=ingress-nginx-admission\n        - --namespace=$(POD_NAMESPACE)\n        - --patch-mutating=false\n        - --secret-name=ingress-nginx-admission\n        - --patch-failure-policy=Fail\n        env:\n        - name: POD_NAMESPACE\n          valueFrom:\n            fieldRef:\n              fieldPath: metadata.namespace\n        image: registry.k8s.io\/ingress-nginx\/kube-webhook-certgen:v20231011-8b53cabe0\n        imagePullPolicy: IfNotPresent\n        name: patch\n        securityContext:\n          allowPrivilegeEscalation: false\n      nodeSelector:\n        kubernetes.io\/os: linux\n      restartPolicy: OnFailure\n      securityContext:\n        runAsNonRoot: true\n        runAsUser: 2000\n      serviceAccountName: ingress-nginx-admission<\/code><\/pre>\n
          Create the jobs<\/p>\n
          kubectl apply -f jobs.yaml<\/code><\/pre>\n
          Verify the job completion using the following command.<\/p>\n
          kubectl get jobs -n ingress-nginx<\/code><\/pre>\n
          Once the jobs are executed, you can describe the ValidatingWebhookConfigurationand<\/code>, you will see the patched bundle.<\/p>\n
          kubectl describe ValidatingWebhookConfiguration ingress-nginx-admission<\/code><\/pre>\n
          \"\"
          Click to view in HD<\/span><\/figcaption><\/figure>\n
          Create Ingress Controller Roles & Service Account<\/h3>\n
          Create a file named ingress-service-account.yaml<\/code> and copy the following contents.<\/p>\n
          ---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx\n  namespace: ingress-nginx\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: Role\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx\n  namespace: ingress-nginx\nrules:\n- apiGroups:\n  - \"\"\n  resources:\n  - namespaces\n  verbs:\n  - get\n- apiGroups:\n  - \"\"\n  resources:\n  - configmaps\n  - pods\n  - secrets\n  - endpoints\n  verbs:\n  - get\n  - list\n  - watch\n- apiGroups:\n  - \"\"\n  resources:\n  - services\n  verbs:\n  - get\n  - list\n  - watch\n- apiGroups:\n  - networking.k8s.io\n  resources:\n  - ingresses\n  verbs:\n  - get\n  - list\n  - watch\n- apiGroups:\n  - networking.k8s.io\n  resources:\n  - ingresses\/status\n  verbs:\n  - update\n- apiGroups:\n  - networking.k8s.io\n  resources:\n  - ingressclasses\n  verbs:\n  - get\n  - list\n  - watch\n- apiGroups:\n  - \"\"\n  resourceNames:\n  - ingress-controller-leader\n  resources:\n  - configmaps\n  verbs:\n  - get\n  - update\n- apiGroups:\n  - \"\"\n  resources:\n  - configmaps\n  verbs:\n  - create\n- apiGroups:\n  - \"\"\n  resources:\n  - events\n  verbs:\n  - create\n  - patch\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: RoleBinding\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx\n  namespace: ingress-nginx\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: Role\n  name: ingress-nginx\nsubjects:\n- kind: ServiceAccount\n  name: ingress-nginx\n  namespace: ingress-nginx\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx\nrules:\n- apiGroups:\n  - \"\"\n  resources:\n  - configmaps\n  - endpoints\n  - nodes\n  - pods\n  - secrets\n  - namespaces\n  verbs:\n  - list\n  - watch\n- apiGroups:\n  - \"\"\n  resources:\n  - nodes\n  verbs:\n  - get\n- apiGroups:\n  - \"\"\n  resources:\n  - services\n  verbs:\n  - get\n  - list\n  - watch\n- apiGroups:\n  - networking.k8s.io\n  resources:\n  - ingresses\n  verbs:\n  - get\n  - list\n  - watch\n- apiGroups:\n  - \"\"\n  resources:\n  - events\n  verbs:\n  - create\n  - patch\n- apiGroups:\n  - networking.k8s.io\n  resources:\n  - ingresses\/status\n  verbs:\n  - update\n- apiGroups:\n  - networking.k8s.io\n  resources:\n  - ingressclasses\n  verbs:\n  - get\n  - list\n  - watch\n\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: ingress-nginx\nsubjects:\n- kind: ServiceAccount\n  name: ingress-nginx\n  namespace: ingress-nginx<\/code><\/pre>\n
          Deploy the manifest.<\/p>\n
           kubectl apply -f ingress-service-account.yaml<\/code><\/pre>\n
          Create Configmap<\/h3>\n
          With this configmap, you can customize the Nginx settings<\/strong>. For example, you can set custom headers and most of the Nginx settings.<\/p>\n
          Please refer to the official community documentation<\/a> for all the supported configurations.<\/p>\n
          Create a file named configmap.yaml <\/code>and copy the following contents.<\/p>\n
          ---\napiVersion: v1\ndata:\n  allow-snippet-annotations: \"true\"\nkind: ConfigMap\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-controller\n  namespace: ingress-nginx<\/code><\/pre>\n
          Create the configmap.<\/p>\n
          kubectl apply -f configmap.yaml<\/code><\/pre>\n
          Create Ingress Controller & Admission Controller Services<\/h3>\n
          Create a file named services.yaml<\/code> and copy the following contents.<\/p>\n
          ---\napiVersion: v1\nkind: Service\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-controller\n  namespace: ingress-nginx\nspec:\n  externalTrafficPolicy: Local\n  ipFamilies:\n  - IPv4\n  ipFamilyPolicy: SingleStack\n  ports:\n  - appProtocol: http\n    name: http\n    port: 80\n    protocol: TCP\n    targetPort: http\n  - appProtocol: https\n    name: https\n    port: 443\n    protocol: TCP\n    targetPort: https\n  selector:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  type: LoadBalancer\n---\napiVersion: v1\nkind: Service\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-controller-admission\n  namespace: ingress-nginx\nspec:\n  ports:\n  - appProtocol: https\n    name: https-webhook\n    port: 443\n    targetPort: webhook\n  selector:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  type: ClusterIP<\/code><\/pre>\n
          Create the services.<\/p>\n
          kubectl apply -f services.yaml<\/code><\/pre>\n
          ingress-nginx-controller<\/code> service creates a Loadbalancer<\/strong> in the respective cloud platform you are deploying.<\/p>\n
          You can get the load balancer IP\/DNS using the following command.<\/p>\n
          kubectl --namespace ingress-nginx get services -o wide -w ingress-nginx-controller<\/code><\/pre>\n
          \n
          Note<\/strong><\/b>: For each cloud provider there are specific annotations you can use to map static IP address and other configs to the Loadbalancer. Check out GCP annotations here<\/a> and AWS annoatations here<\/a>.<\/div>\n<\/div>\n
          Create IngressClass<\/h3>\n
          Create a file named ingressclass.yaml<\/code><\/strong> and copy the following contents.<\/p>\n
          ---\napiVersion: networking.k8s.io\/v1\nkind: IngressClass\nmetadata:\n  labels:\n    app.kubernetes.io\/component: admission-webhook\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: nginx\nspec:\n  controller: k8s.io\/ingress-nginx<\/code><\/pre>\n
          Deploy the ingress class.<\/p>\n
          kubectl apply -f ingressclass.yaml<\/code><\/pre>\n
          It will create a ingress class named nginx. We have to use this ingress class name in Ingress objects we create.<\/p>\n
          Create Ingress Controller Deployment<\/h3>\n
          Create a file named deployment.yaml<\/code> and copy the following contents.<\/p>\n
          ---\napiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  labels:\n    app.kubernetes.io\/component: controller\n    app.kubernetes.io\/instance: ingress-nginx\n    app.kubernetes.io\/name: ingress-nginx\n  name: ingress-nginx-controller\n  namespace: ingress-nginx\nspec:\n  minReadySeconds: 0\n  revisionHistoryLimit: 10\n  selector:\n    matchLabels:\n      app.kubernetes.io\/component: controller\n      app.kubernetes.io\/instance: ingress-nginx\n      app.kubernetes.io\/name: ingress-nginx\n  template:\n    metadata:\n      labels:\n        app.kubernetes.io\/component: controller\n        app.kubernetes.io\/instance: ingress-nginx\n        app.kubernetes.io\/name: ingress-nginx\n    spec:\n      containers:\n      - args:\n        - \/nginx-ingress-controller\n        - --publish-service=$(POD_NAMESPACE)\/ingress-nginx-controller\n        - --election-id=ingress-controller-leader\n        - --controller-class=k8s.io\/ingress-nginx\n        - --configmap=$(POD_NAMESPACE)\/ingress-nginx-controller\n        - --validating-webhook=:8443\n        - --validating-webhook-certificate=\/usr\/local\/certificates\/cert\n        - --validating-webhook-key=\/usr\/local\/certificates\/key\n        env:\n        - name: POD_NAME\n          valueFrom:\n            fieldRef:\n              fieldPath: metadata.name\n        - name: POD_NAMESPACE\n          valueFrom:\n            fieldRef:\n              fieldPath: metadata.namespace\n        - name: LD_PRELOAD\n          value: \/usr\/local\/lib\/libmimalloc.so\n        image: registry.k8s.io\/ingress-nginx\/controller:v1.9.5\n        imagePullPolicy: IfNotPresent\n        lifecycle:\n          preStop:\n            exec:\n              command:\n              - \/wait-shutdown\n        livenessProbe:\n          failureThreshold: 5\n          httpGet:\n            path: \/healthz\n            port: 10254\n            scheme: HTTP\n          initialDelaySeconds: 10\n          periodSeconds: 10\n          successThreshold: 1\n          timeoutSeconds: 1\n        name: controller\n        ports:\n        - containerPort: 80\n          name: http\n          protocol: TCP\n        - containerPort: 443\n          name: https\n          protocol: TCP\n        - containerPort: 8443\n          name: webhook\n          protocol: TCP\n        readinessProbe:\n          failureThreshold: 3\n          httpGet:\n            path: \/healthz\n            port: 10254\n            scheme: HTTP\n          initialDelaySeconds: 10\n          periodSeconds: 10\n          successThreshold: 1\n          timeoutSeconds: 1\n        resources:\n          requests:\n            cpu: 100m\n            memory: 90Mi\n        securityContext:\n          allowPrivilegeEscalation: true\n          capabilities:\n            add:\n            - NET_BIND_SERVICE\n            drop:\n            - ALL\n          runAsUser: 101\n        volumeMounts:\n        - mountPath: \/usr\/local\/certificates\/\n          name: webhook-cert\n          readOnly: true\n      dnsPolicy: ClusterFirst\n      nodeSelector:\n        kubernetes.io\/os: linux\n      serviceAccountName: ingress-nginx\n      terminationGracePeriodSeconds: 300\n      volumes:\n      - name: webhook-cert\n        secret:\n          secretName: ingress-nginx-admission<\/code><\/pre>\n
          Create the deployment.<\/p>\n
          kubectl apply -f deployment.yaml<\/code><\/pre>\n
          To ensure that deployment is working, check the pod status.<\/p>\n
          kubectl get pods -n ingress-nginx<\/code><\/pre>\n
          Validate Ingress Controller Deployment<\/h2>\n
          You can validate the ingress controller deployment using the LoadBlancer endpoint created by the service.<\/p>\n
          Nginx Ingress controller has a default backend. All the requests that doesn’t have a entry in the ingress goes to this default backend.<\/p>\n
          We will validate out controller using the default backend.<\/p>\n
          Get your Loadbalancer endpoint the try to acess it. You should get a 404 error as shown below.<\/p>\n
          \"\"<\/figure>\n
          Now try to access the \/heathz url using curl as given below. You should get a 200 response. Replace <LOAD-BALANCER-ENDPOINT> with your Loadbalancer endpoint.<\/p>\n
          curl http:\/\/<LOAD-BALANCER-ENDPOINT>\/healthz<\/code><\/pre>\n
          \"\"<\/figure>\n
          Nginx Ingress Controller Helm Deployment<\/h2>\n
          If you are a Helm user, you can deploy the ingress controller using the community helm chart. ValidatingWebhookConfiguration<\/code> is disabled by default in values.yaml<\/code>.<\/p>\n
          Deploy the helm chart. It will create the namespace ingress-nginx<\/code> if not present.<\/p>\n
          helm upgrade --install ingress-nginx ingress-nginx \\\n  --repo https:\/\/kubernetes.github.io\/ingress-nginx \\\n  --namespace ingress-nginx --create-namespace<\/code><\/pre>\n
          Verify the helm release.<\/p>\n
          helm list -n ingress-nginx<\/code><\/pre>\n
          To clean up the resources, uninstall the release.<\/p>\n
           helm uninstall ingress-nginx -n ingress-nginx<\/code><\/pre>\n
          Map a Domain Name To Nginx Ingress Loadbalancer IP<\/h2>\n
          The primary goal of Ingress is to receive external traffic to services running on Kubernetes<\/strong>. Ideally in projects, a DNS would be mapped to the ingress controller Loadbalancer IP.<\/p>\n
          This can be done via the respective DNS provider with the domain name you own<\/strong>.<\/p>\n
          \n
          Info<\/strong><\/b>: For internet-facing apps, it will be public DNS pointing to the public IP of the load balancer. If it’s an internal app, it will be an organization’s private DNS mapped to a private load balancer IP.<\/div>\n<\/div>\n
          Single DNS Mapping<\/h3>\n
          You can map a single domain directly as an A record to the load balancer IP<\/strong>. Using this you can have only one domain for the ingress controller and multiple path-based traffic routing.<\/p>\n
          For example,<\/p>\n
          www.example.com --> Loadbalancer IP<\/code><\/pre>\n
          You can also have path-based routing using this model.<\/p>\n
          Few examples,<\/p>\n
          http:\/\/www.example.com\/app1\nhttp:\/\/www.example.com\/app2\nhttp:\/\/www.example.com\/app1\/api\nhttp:\/\/www.example.com\/app2\/api<\/code><\/pre>\n
          Wildcard DNS Mapping<\/h3>\n
          If you map a wildcard DNS to the load balancer<\/strong>, you can have dynamic DNS endpoints through ingress.<\/p>\n
          Once you add the wildcard entry in the DNS records, you need to mention the required DNS in the ingress object and the Nginx ingress controller will take care of routing it to the required service endpoint.<\/p>\n
          For example, check the following two mappings.<\/p>\n
          *.example.com --> Loadbalancer IP\n*.apps.example.com --> Loadbalancer IP <\/code><\/pre>\n
          This way you can have multiple dynamic subdomains through a single ingress controller<\/strong> and each DNS can have its own path-based routing.<\/p>\n
          Few examples,<\/p>\n
          #URL one\n\nhttp:\/\/demo1.example.com\/api\nhttp:\/\/demo1.example.com\/api\/v1\nhttp:\/\/demo1.example.com\/api\/v2\n\n#app specific urls\n\nhttp:\/\/grafana.apps.example.com\nhttp:\/\/prometheus.apps.example.com\n\n#URL two\n\nhttp:\/\/demo2.apps.example.com\/api\nhttp:\/\/demo2.apps.example.com\/api\/v1\nhttp:\/\/demo2.apps.example.com\/api\/v2\n<\/code><\/pre>\n
          For demo purposes, I have mapped a wildcard DNS to the LoadBalancer IP<\/strong>. Based on your DNS provider, you can add the DNS record.<\/p>\n
          The following image shows the DNS records I used for this blog demo. I used EKS<\/strong> so instead of Loadnbalacer IP, I have a DNS of network load balancer endpoint which will be a CNAME<\/strong>. In the case of GKE, you will get an IP and in that case, you need to create an A record.<\/p>\n
          \"nginx<\/figure>\n
          Deploy a Demo Application<\/h2>\n
          For testing ingress, we will deploy a demo application and add a ClusterIp service to it. This application will be accessible only within the cluster without ingress.<\/p>\n
          Step 1: <\/strong>Create a namespace named dev<\/p>\n
          kubectl create namespace dev<\/code><\/pre>\n
          Step 2:<\/strong> create a file named hello-app.yaml and copy the following contents.<\/p>\n
          apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: hello-app\n  namespace: dev\nspec:\n  selector:\n    matchLabels:\n      app: hello\n  replicas: 2\n  template:\n    metadata:\n      labels:\n        app: hello\n    spec:\n      containers:\n      - name: hello\n        image: \"gcr.io\/google-samples\/hello-app:2.0\"<\/code><\/pre>\n
          Step 3:<\/strong> Create the deployment using kubectl<\/p>\n
          kubectl create -f hello-app.yaml<\/code><\/pre>\n
          Check the deployment status.<\/p>\n
          kubectl get deployments -n dev<\/code><\/pre>\n
          Step 5:<\/strong> Create a file named hello-app-service.yaml<\/code> and copy the following contents and save the file.<\/p>\n
          apiVersion: v1\nkind: Service\nmetadata:\n  name: hello-service\n  namespace: dev\n  labels:\n    app: hello\nspec:\n  type: ClusterIP\n  selector:\n    app: hello\n  ports:\n  - port: 80\n    targetPort: 8080\n    protocol: TCP<\/code><\/pre>\n
          Step 6:<\/strong> Create the service using kubectl.<\/p>\n
          kubectl create -f hello-app-service.yaml<\/code><\/pre>\n
          Create Ingress Object for Application<\/h2>\n
          Now let\u2019s create an ingress object to access our hello app using a DNS<\/strong>. An ingress object is nothing but a set of routing rules.<\/p>\n
          If you are wondering how the ingress object is connected to the Nginx controller,<\/strong> the ingress controller pod connects to the Ingress API to check for rules<\/strong> and it updates its nginx.conf<\/code> accordingly.<\/p>\n
          Since I have wildcard DNS mapped (*.apps.mlopshub.com<\/code>) with the DNS provider, I will use demo.apps.mlopshub.com<\/code> to point to the hello app service.<\/p>\n
          Step 1:<\/strong> Create a file named ingress.yaml<\/code><\/p>\n
          Step 2:<\/strong> Copy the following contents and save the file.<\/p>\n
          Replace demo.apps.mlopshub.com<\/code> with your domain name. Also, we are creating this ingress object in the dev<\/code> namespace becuase the hello app is running in the dev<\/code> namespace.<\/p>\n
          apiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n  name: test-ingress\n  namespace: dev\nspec:\n  ingressClassName: nginx\n  rules:\n  - host: \"demo.apps.mlopshub.com\"\n    http:\n      paths:\n        - pathType: Prefix\n          path: \"\/\"\n          backend:\n            service:\n              name: hello-service\n              port:\n                number: 80<\/code><\/pre>\n
          Step 3:<\/strong> Describe created ingress object created to check the configurations.<\/p>\n
          kubectl describe ingress  -n dev<\/code><\/pre>\n
          Now if I try to access demo.apps.mlopshub.com <\/code> domain, I will be able to access the hello app as shown below. (You should replace it with your domain name)<\/p>\n
          \"\"<\/figure>\n
          You might face https error in the browser. in that case you can use a curl command to verify ingress endpoint.<\/p>\n
          curl demo.apps.mlopshub.com<\/code><\/pre>\n
          TLS With Nginx Ingress<\/h2>\n
          You can configure TLS certificates with each ingress object. The TLS gets terminated at the ingress controller level.<\/p>\n
          The following image shows the ingress TLS config. The TLS certificate needs to be added as a secret object.<\/p>\n
          \"Nginx<\/figure>\n
          I have written a detailed article on Ingress TLS configuration.<\/p>\n
          \ud83d\udc49 Take a look at the guide to configure ingress TLS on Kubernetes.<\/a><\/p>\n
          Conclusion<\/h2>\n
          In this article, we have learned how to set up the Nginx ingress controller.<\/p>\n
          It is very easy to get started. However, for project implementation ensure that you go through all Nginx configurations and tune them according to the requirements<\/strong>.<\/p>\n
          With the Nginx controller configmap, you can configure all the Nginx settings without redeploying the controller.<\/p>\n
          I hope you enjoyed this guide on Nginx ingress controller<\/strong>.<\/p>\n
          Let me know your thoughts and queries in the comment section.<\/p>\n
          Also, if you are learning Kubernetes, check out my  comprehensive Kubernetes tutorials<\/a>.<\/p>\n
          \n
          Ngu\u1ed3n:<\/strong> Kubernetes Gateway API: A Beginner's Guide \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
          Source: https:\/\/devopscube.com\/setup-ingress-kubernetes-nginx-controller\/<\/p>\n","protected":false},"author":1,"featured_media":819,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-818","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/818","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=818"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/818\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/819"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}