Enable Ingress

Prerequisites

Ingress Controller

The ingress controller manages external access to services in your cluster. Choose the appropriate installation method based on your environment:

For AWS:

kubectl apply -f https://github.com/kubernetes/ingress-nginx/blob/controller-v1.9.3/deploy/static/provider/aws/deploy.yaml

This deployment:

Creates an AWS Network Load Balancer
Sets up required security groups
Configures health checks automatically
Enables cross-zone load balancing

For Other Cloud Providers:

kubectl apply -f https://github.com/kubernetes/ingress-nginx/blob/controller-v1.9.3/deploy/static/provider/cloud/deploy.yaml

Verify Installation:

# Check pods
kubectl get pods -n ingress-nginx
# Check services
kubectl get svc -n ingress-nginx
# View detailed configuration
kubectl describe svc ingress-nginx-controller -n ingress-nginx

Expected Output:

NAME                                        READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-7d6d84f4f-xw9k9   1/1     Running   0          2m

Certificate Manager

Cert-manager handles certificate management and issuance:

Install cert-manager:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml

Verify all components are running:

kubectl get pods -n cert-manager

# Expected output:
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-5d7f97b46d-xxxx             1/1     Running   0          1m
cert-manager-cainjector-xxxx             1/1     Running   0          1m
cert-manager-webhook-xxxx                1/1     Running   0          1m

Check the CRDs installation:

kubectl get crds | grep cert-manager

DNS Configuration

Option 1: Using External-DNS (Recommended)

External-DNS automates DNS record management:

Install External-DNS:

# For AWS
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install external-dns bitnami/external-dns \
    --set provider=aws \
    --set aws.region=us-east-1 \
    --set policy=sync

Required IAM permissions (AWS):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Option 2: Manual DNS Configuration

For manual configuration:

Get Load Balancer details:

kubectl get svc -n ingress-nginx ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'

Create DNS records:

AWS Route53:

Log into AWS Console
Navigate to Route53 → Hosted Zones
Create A record:
- Name: <SITE_INGRESS.EXAMPLE.COM>
- Type: A
- Alias: Yes
- Target: Load Balancer DNS
- Routing Policy: Simple

Verify DNS:

dig +short <SITE_INGRESS.EXAMPLE.COM>
nslookup <SITE_INGRESS.EXAMPLE.COM>

TLS Certificate Setup

Using cert-manager for Public Certificates

Create Certificate Issuer Configuration:

# cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-issuer
  namespace: observo-client
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-secret
    solvers:
    - http01:
        ingress:
          ingressClassName: nginx
---
# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: observo-site-ingress-cert
  namespace: observo-client
spec:
  dnsNames:
  - <SITE_INGRESS.EXAMPLE.COM>
  duration: 2160h0m0s    # 90 days
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod-issuer
  renewBefore: 360h0m0s  # 15 days
  secretName: observo-site-ingress-cert-secret

Apply and verify:

# Apply configurations
kubectl apply -f cluster-issuer.yaml
kubectl apply -f certificate.yaml

# Check issuer status
kubectl get clusterissuer letsencrypt-prod-issuer -o wide

# Monitor certificate request
kubectl get certificaterequest -n observo-client

# Check certificate status
kubectl get certificate -n observo-client

Troubleshoot certificate issues:

# Check certificate events
kubectl describe certificate observo-site-ingress-cert -n observo-client

# Check cert-manager logs
kubectl logs -n cert-manager -l app=cert-manager

Configure Ingress

Basic Configuration

Update your helm values file with ingress settings:

global:
  dataplaneIngress:
    enabled: true
    className: "nginx"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_set_headers "Access-Control-Allow-Origin: $http_origin";
        more_set_headers "Access-Control-Allow-Credentials: true";
        more_set_headers "Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS";
    hosts:
      - host: <SITE_INGRESS.EXAMPLE.COM>
        paths:
          - path: /ob-http-source
            pathType: Prefix
            port: "10001"
    tls:
    - secretName: observo-site-ingress-cert-secret
      hosts:
        - <SITE_INGRESS.EXAMPLE.COM>

Advanced Configuration Options

Multiple Path Configuration

hosts:
  - host: <SITE_INGRESS.EXAMPLE.COM>
    paths:
      - path: /ob-http-source
        pathType: Prefix
        port: "10001"
      - path: /metrics
        pathType: Prefix
        port: "8686"

Custom Annotations

Common useful annotations:

annotations:
  # SSL Redirect
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  # Backend Protocol
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  # Proxy Settings
  nginx.ingress.kubernetes.io/proxy-body-size: "8m"
  # Timeouts
  nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "600"

Apply Configuration

Initial Deployment

helm upgrade --install -n observo-client observo-site \
    oci://public.ecr.aws/e4z0a1h1/observo-site \
    --create-namespace \
    --values=<updated-values-file>.yaml

Update Existing Deployment

# Review changes first
helm upgrade --dry-run --debug -n observo-client observo-site \
    oci://public.ecr.aws/e4z0a1h1/observo-site \
    --values=<updated-values-file>.yaml

# Apply changes
helm upgrade -n observo-client observo-site \
    oci://public.ecr.aws/e4z0a1h1/observo-site \
    --values=<updated-values-file>.yaml

Verify Setup

1. Check Ingress Resources

# Get ingress status
kubectl get ingress -n observo-client

# Detailed ingress information
kubectl describe ingress -n observo-client

# Check ingress controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller

Expected output:

NAME                  CLASS   HOSTS                     ADDRESS           PORTS     AGE
observo-site-ingress  nginx   site.yourdomain.com      203.0.113.1      80, 443   2m

2. Verify TLS Configuration

# Check certificate status
kubectl get certificate -n observo-client

# View certificate details
kubectl describe certificate -n observo-client

# Verify secret creation
kubectl get secret observo-site-ingress-cert-secret -n observo-client

3. Test Connectivity

# Test HTTP redirect
curl -I http://<SITE_INGRESS.EXAMPLE.COM>/health

# Test HTTPS endpoint
curl -v --cacert ./ca.crt https://<SITE_INGRESS.EXAMPLE.COM>/health

# Test with specific host header
curl -H "Host: <SITE_INGRESS.EXAMPLE.COM>" https://<LOAD_BALANCER_IP>/health

Troubleshooting

Common Issues and Solutions

1. Certificate Issues

# Check certificate request status
kubectl get certificaterequest -n observo-client
kubectl describe certificaterequest -n observo-client

# Verify ACME challenges
kubectl get challenges -n observo-client
kubectl describe challenge -n observo-client

Common problems and solutions:

DNS Configuration: Ensure DNS records are properly propagated
ACME Challenge: Check if the challenge path is accessible
Rate Limits: Let's Encrypt has rate limits, verify you haven't exceeded them

2. Ingress Controller Issues

# Check ingress controller status
kubectl get pods -n ingress-nginx
kubectl describe pod -n ingress-nginx -l app.kubernetes.io/component=controller

# View controller configuration
kubectl get configmap -n ingress-nginx ingress-nginx-controller -o yaml

Common problems and solutions:

Port Conflicts: Verify service port mappings
SSL Configuration: Check TLS secret references
Backend Communication: Verify service endpoint health

3. Network Issues

# Test network policies
kubectl get networkpolicies -n observo-client

# Check service endpoints
kubectl get endpoints -n observo-client

# Test internal communication
kubectl run -i --tty --rm debug --image=busybox -n observo-client -- wget -qO- http://service-name

For additional configuration options and advanced scenarios, refer to the Helm Values Reference.

PreviousHelm Values Reference NextSite Administration

Last updated 1 year ago

Was this helpful?

hashtagPrerequisites

hashtagIngress Controller

hashtagFor AWS:

hashtagFor Other Cloud Providers:

hashtagVerify Installation:

hashtagCertificate Manager

hashtagDNS Configuration

hashtagOption 1: Using External-DNS (Recommended)

hashtagOption 2: Manual DNS Configuration

hashtagAWS Route53:

hashtagVerify DNS:

hashtagTLS Certificate Setup

hashtagUsing cert-manager for Public Certificates

hashtagConfigure Ingress

hashtagBasic Configuration

hashtagAdvanced Configuration Options

hashtagMultiple Path Configuration

hashtagCustom Annotations

hashtagApply Configuration

hashtagInitial Deployment

hashtagUpdate Existing Deployment

hashtagVerify Setup

hashtag1. Check Ingress Resources

hashtag2. Verify TLS Configuration

hashtag3. Test Connectivity

hashtagTroubleshooting

hashtagCommon Issues and Solutions

hashtag1. Certificate Issues

hashtag2. Ingress Controller Issues

hashtag3. Network Issues