HTTPS ingress for Kubernetes service

Cloud Platform (intermediate level) posted on 22nd March 2018


This is a part of the series of posts on Getting an API running in Kubernetes. For this to make sense you should have worked through a few of the earlier examples

I recommend that you save your commands in various scripts so you can repeat them or modify them later.  

In this article - we're doing this.



Ingress

This is the last step to getting your app out there. For my example, I'm using one of my exitsing domains, but lets pretend its called awesome.com. 

The objective is to be able to do a /GET from the browser - as in
https://demo.awesome.com/?data=helloworld

or a /GET or a CORS /POST from a javaScript app with the message in the body.
https://demo.awesome.com/  

The yaml file for the ingress looks like this - I've added another service that doesn't exist so you can see how to do that if you need to eventually. In particulat, look at the red items - we'll cover those in a moment.

make-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: playback-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
spec:
  rules:
  - host: demo.awesome.com
    http:
      paths:
      - path: /
        backend:
          serviceName: playback-service
          servicePort: 80
  - host: somewhere-else.awesome.com
    http:
      paths:
      - path: /
        backend:
          serviceName: someother-service
          servicePort: 4000 
  tls:
  - secretName: playback-tls-cert
    hosts:
    - demo.awesome.com
    - somewhere-else.awesome.com


and you can apply it

make-ingress.sh
kubectl apply -f make-ingress.yaml

gives this
kubectl get ingress

NAME                HOSTS                                                         ADDRESS           PORTS     AGE
playback-ingress   demo.awesome.com,somewhere-else.awesome.com                    130.211.214.218   80, 443   1d


Test


Over in the browser

from javaScript


Annotations

The .yaml file contains 2 annotations (annotations were covered in Getting an ssl certificate for Kubernetes ingress). 
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: 'true'
  • ingress.class: nginx is a signal to the ingress controller, described in Bringing up an ingress controller, that it needs to handle this ingress and route messages to it.
  • tls-acme: 'true' is a signal to kube-lego that this ingress needs to have a certificate managed.

Rules

This rule says that when a request for the demo.awesome.com/ comes in, route it to the playback-service, which will be listening on port 80.

  - host: demo.awesome.com
    http:
      paths:
      - path: /
        backend:
          serviceName: playback-service
          servicePort: 80

Tls

The tls section is used by kube-lego to decide which domains need ssl certificates, and the secretName is where to store them.

  tls:
  - secretName: playback-tls-cert
    hosts:
    - demo.awesome.com
    - somewhere-else.awesome.com

kubectl get secret

NAME                  TYPE                                  DATA      AGE
playback-tls-cert     kubernetes.io/tls                     2         1d

Next step

We're done - thanks for sticking with me the whole way.  See Getting an API running in Kubernetes for a recap



Why not join our forum, follow the blog or follow me on twitter to ensure you get updates when they are available.
Comments