Enable Ingress
Prerequisites
Ingress Controller
The ingress controller manages external access to services in your cluster. Choose the appropriate installation method based on your environment:
For AWS:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.3/deploy/static/provider/aws/deploy.yaml
This deployment:
Creates an AWS Network Load Balancer
Sets up required security groups
Configures health checks automatically
Enables cross-zone load balancing
For Other Cloud Providers:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.9.3/deploy/static/provider/cloud/deploy.yaml
Verify Installation:
# Check pods
kubectl get pods -n ingress-nginx
# Check services
kubectl get svc -n ingress-nginx
# View detailed configuration
kubectl describe svc ingress-nginx-controller -n ingress-nginx
Expected Output:
NAME                                       READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-7d6d84f4f-xw9k9   1/1     Running   0          2m
Certificate Manager
Cert-manager handles certificate management and issuance:
Install cert-manager:
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml
Verify all components are running:
kubectl get pods -n cert-manager
# Expected output:
NAME                           READY   STATUS    RESTARTS   AGE
cert-manager-5d7f97b46d-xxxx   1/1     Running   0          1m
cert-manager-cainjector-xxxx   1/1     Running   0          1m
cert-manager-webhook-xxxx      1/1     Running   0          1m
Check the CRDs installation:
kubectl get crds | grep cert-manager
DNS Configuration
Option 1: Using External-DNS (Recommended)
External-DNS automates DNS record management:
Install External-DNS:
# For AWS
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install external-dns bitnami/external-dns \
  --set provider=aws \
  --set aws.region=us-east-1 \
  --set policy=sync
Required IAM permissions (AWS):
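{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
As written, the first statement allows record changes in every hosted zone in the account. To confine External-DNS to a single zone, replace the wildcard with that zone's ARN, arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>.
Option 2: Manual DNS Configuration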
For manual configuration:
Get Load Balancer details:
kubectl get svc -n ingress-nginx ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
Create DNS records:
AWS Route53:
Log into AWS Console
Navigate to Route53 → Hosted Zones
Create A record:
Name: <SITE_INGRESS.EXAMPLE.COM>
Type: A
Alias: Yes
Target: Load Balancer DNS
Routing Policy: Simple
Verify DNS:
dig +short <SITE_INGRESS.EXAMPLE.COM>
nslookup <SITE_INGRESS.EXAMPLE.COM>
TLS Certificate Setup
Using cert-manager for Public Certificates
Create Certificate Issuer Configuration:
# cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # ClusterIssuer is cluster-scoped, so it takes no namespace
  name: letsencrypt-prod-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # Secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod-secret
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
# certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: observo-site-ingress-cert
  namespace: observo-client
spec:
  dnsNames:
    - <SITE_INGRESS.EXAMPLE.COM>
  duration: 2160h0m0s # 90 days
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod-issuer
  renewBefore: 360h0m0s # 15 days
  secretName: observo-site-ingress-cert-secret
Apply and verify:
# Apply configurations
kubectl apply -f cluster-issuer.yaml
kubectl apply -f certificate.yaml
# Check issuer status
kubectl get clusterissuer letsencrypt-prod-issuer -o wide
# Monitor certificate request
kubectl get certificaterequest -n observo-client
# Check certificate status
kubectl get certificate -n observo-client
Troubleshoot certificate issues:
# Check certificate events
kubectl describe certificate observo-site-ingress-cert -n observo-client
# Check cert-manager logs
kubectl logs -n cert-manager -l app=cert-manager
Configure Ingress
Basic Configuration
Update your helm values file with ingress settings:
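global:
  dataplaneIngress:
    enabled: true
    className: "nginx"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_set_headers "Access-Control-Allow-Origin: $http_origin";
        more_set_headers "Access-Control-Allow-Credentials: true";
        more_set_headers "Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS";
    hosts:
      - host: <SITE_INGRESS.EXAMPLE.COM>
        paths:
          - path: /ob-http-source
            pathType: Prefix
            port: "10001"
    tls:
      - secretName: observo-site-ingress-cert-secret
        hosts:
          - <SITE_INGRESS.EXAMPLE.COM>
This snippet echoes the request's Origin header back in Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true, so any website can make credentialed cross-origin requests to the endpoint; where browser clients come from known origins only, set a fixed origin instead of $http_origin.
ingress-nginx 1.9.0 and later disable snippet annotations by default, so with the controller-v1.9.3 manifests above the controller ConfigMap must set allow-snippet-annotations: "true" for the configuration-snippet annotation to be accepted.
Advanced Configuration Options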
Multiple Path Configuration
hosts:
  - host: <SITE_INGRESS.EXAMPLE.COM>
    paths:
      - path: /ob-http-source
        pathType: Prefix
        port: "10001"
      - path: /metrics
        pathType: Prefix
        port: "8686"
Custom Annotations
Common useful annotations:
annotations:
  # SSL Redirect
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  # Backend Protocol
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  # Proxy Settings
  nginx.ingress.kubernetes.io/proxy-body-size: "8m"
  # Timeouts
  nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
Apply Configuration
Initial Deployment
helm upgrade --install -n observo-client observo-site \
  oci://public.ecr.aws/e4z0a1h1/observo-site \
  --create-namespace \
  --values=<updated-values-file>.yaml
Update Existing Deployment
# Review changes first
helm upgrade --dry-run --debug -n observo-client observo-site \
  oci://public.ecr.aws/e4z0a1h1/observo-site \
  --values=<updated-values-file>.yaml
# Apply changes
helm upgrade -n observo-client observo-site \
  oci://public.ecr.aws/e4z0a1h1/observo-site \
  --values=<updated-values-file>.yaml
Verify Setup
1. Check Ingress Resources
# Get ingress status
kubectl get ingress -n observo-client
# Detailed ingress information
kubectl describe ingress -n observo-client
# Check ingress controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller
Expected output:
NAME                   CLASS   HOSTS                 ADDRESS       PORTS     AGE
observo-site-ingress   nginx   site.yourdomain.com   203.0.113.1   80, 443   2m
2. Verify TLS Configuration
# Check certificate status
kubectl get certificate -n observo-client
# View certificate details
kubectl describe certificate -n observo-client
# Verify secret creation
kubectl get secret observo-site-ingress-cert-secret -n observo-client
3. Test Connectivity
# Test HTTP redirect
curl -I http://<SITE_INGRESS.EXAMPLE.COM>/health
# Test HTTPS endpoint
curl -v --cacert ./ca.crt https://<SITE_INGRESS.EXAMPLE.COM>/health
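# Test against a specific load balancer address (--resolve keeps SNI and certificate verification for the hostname)
curl --resolve <SITE_INGRESS.EXAMPLE.COM>:443:<LOAD_BALANCER_IP> https://<SITE_INGRESS.EXAMPLE.COM>/health
Troubleshooting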
Common Issues and Solutions
1. Certificate Issues
# Check certificate request status
kubectl get certificaterequest -n observo-client
kubectl describe certificaterequest -n observo-client
# Verify ACME challenges
kubectl get challenges -n observo-client
kubectl describe challenge -n observo-client
Common problems and solutions:
DNS Configuration: Ensure DNS records are properly propagated
ACME Challenge: Check if the challenge path is accessible
Rate Limits: Let's Encrypt enforces rate limits; verify you haven't exceeded them
2. Ingress Controller Issues
# Check ingress controller status
kubectl get pods -n ingress-nginx
kubectl describe pod -n ingress-nginx -l app.kubernetes.io/component=controller
# View controller configuration
kubectl get configmap -n ingress-nginx ingress-nginx-controller -o yaml
Common problems and solutions:
Port Conflicts: Verify service port mappings
SSL Configuration: Check TLS secret references
Backend Communication: Verify service endpoint health
3. Network Issues
# Test network policies
kubectl get networkpolicies -n observo-client
# Check service endpoints
kubectl get endpoints -n observo-client
# Test internal communication
kubectl run -i --tty --rm debug --image=busybox -n observo-client -- wget -qO- http://service-name
For additional configuration options and advanced scenarios, refer to the Helm Values Reference.
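Added example, not part of the original documentation: the configuration-snippet under Basic Configuration returns the caller's Origin together with Access-Control-Allow-Credentials: true. This Python check parses the more_set_headers directives in an ingress's annotations and reports that combination before the values file is applied. The function names, the finding names and the pinned origin https://app.example.com are assumptions made for the illustration.

```python
import re

SNIPPET_KEY = "nginx.ingress.kubernetes.io/configuration-snippet"
# headers-more directive as used on this page: more_set_headers "Name: value";
DIRECTIVE = re.compile(r'more_set_headers\s+"([^":]+):\s*([^"]*)"\s*;')


def snippet_headers(annotations):
    """Return {lower-cased header name: value} set by the configuration snippet."""
    snippet = annotations.get(SNIPPET_KEY, "")
    return {n.strip().lower(): v.strip() for n, v in DIRECTIVE.findall(snippet)}


def cors_findings(annotations):
    """List CORS weaknesses in an ingress's annotations (finding names are illustrative)."""
    headers = snippet_headers(annotations)
    origin = headers.get("access-control-allow-origin", "")
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"
    reflected = "$http_origin" in origin  # echoes whatever Origin the caller sent
    findings = []
    if reflected and credentials:
        # Every website is then allowed to send credentialed cross-origin requests.
        findings.append("reflected-origin-with-credentials")
    elif reflected:
        findings.append("reflected-origin")
    if origin == "*" and credentials:
        # Browsers refuse credentialed requests when the allowed origin is a wildcard.
        findings.append("wildcard-with-credentials")
    if reflected and "origin" not in headers.get("vary", "").lower():
        # A per-request origin without Vary: Origin can be served from a shared cache.
        findings.append("missing-vary-origin")
    return findings


# Annotation value copied from the Basic Configuration section of this page.
PAGE_ANNOTATIONS = {SNIPPET_KEY: (
    'more_set_headers "Access-Control-Allow-Origin: $http_origin";\n'
    'more_set_headers "Access-Control-Allow-Credentials: true";\n'
    'more_set_headers "Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS";\n'
)}
# Constructed variant: one trusted origin (hypothetical) instead of $http_origin.
PINNED_ANNOTATIONS = {SNIPPET_KEY: (
    'more_set_headers "Access-Control-Allow-Origin: https://app.example.com";\n'
    'more_set_headers "Access-Control-Allow-Credentials: true";\n'
)}

if __name__ == "__main__":
    print("page config:", cors_findings(PAGE_ANNOTATIONS))
    print("pinned origin:", cors_findings(PINNED_ANNOTATIONS))
```

To run the same check against a live cluster, build the annotations dictionary from the metadata.annotations field of the output of kubectl get ingress -n observo-client -o json.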

