Haproxy means never needing to say “oh yeah, port”

After a not insignificant amount of time, I finally figured out how to use ingress controllers with Kubernetes. What this meant in the short term was no longer having to use NodePort entries, which map one service to one port (usually above 30000).  Nope, now http(s) services could all run through a single gate (or ingress, as it’s aptly named).

Once it was finally working, I had an http ingress set up on port 30500, and it has been working really well. Kubernetes will not run exposed services on anything outside of the 30k port range, so I kept having to add :30500 to all of my entries.

Tonight I added haproxy on the kubernetes hosts, which maps 80 to 30500.  Unsurprisingly, it works beautifully.  Now I can run to that instead if I so choose, and only use 30500 when I’m diagnosing things.

Progress!

Ingress controllers

So, I think I finally figured out how to do an ingress controller. Noting here for posterity.

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/namespace.yaml \
    | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/default-backend.yaml \
    | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/configmap.yaml \
    | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/tcp-services-configmap.yaml \
    | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/udp-services-configmap.yaml \
    | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/rbac.yaml \
    | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/with-rbac.yaml \
    | kubectl apply -f -

curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/provider/baremetal/service-nodeport.yaml \
    | kubectl apply -f -
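
The commands above pipe whatever the master branch holds at that moment straight into kubectl, RBAC objects included. The following is an added example (not from the original post or the ingress-nginx project) that fetches each manifest from a fixed ref and applies it only if its SHA-256 matches a digest recorded after review. REF and the digests are placeholders to fill in, the function names are hypothetical, and sha256sum from coreutils is assumed.

```sh
#!/bin/sh
# Added example: pin and verify manifests before applying them.
# REF and every digest passed to apply_pinned are placeholders.
REF="<PINNED_COMMIT_OR_TAG>"
BASE="https://raw.githubusercontent.com/kubernetes/ingress-nginx/${REF}/deploy"

# sha256_of FILE: print the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# manifest_ok FILE EXPECTED: succeed only if FILE is non-empty
# and hashes to EXPECTED
manifest_ok() {
    [ -s "$1" ] || return 1        # missing or empty download
    [ "$(sha256_of "$1")" = "$2" ]
}

# apply_pinned NAME EXPECTED: download deploy/NAME at REF, verify, apply
apply_pinned() {
    ap_tmp=$(mktemp) || return 1
    ap_rc=0
    # -f makes curl fail on HTTP errors instead of saving an error page
    if curl -fsSL "${BASE}/$1" -o "$ap_tmp" && manifest_ok "$ap_tmp" "$2"; then
        kubectl apply -f "$ap_tmp" || ap_rc=$?
    else
        echo "refusing to apply $1: download failed or digest mismatch" >&2
        ap_rc=1
    fi
    rm -f "$ap_tmp"
    return "$ap_rc"
}

# Usage, one call per manifest in the list above:
#   apply_pinned namespace.yaml "<SHA256_OF_REVIEWED_namespace.yaml>"
#   apply_pinned rbac.yaml      "<SHA256_OF_REVIEWED_rbac.yaml>"
```

Record each digest with sha256_of on a copy of the manifest you have actually read, so a later change upstream shows up as a refusal rather than a silent apply.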

That gets the base install completed. Create a TLS secret from an existing key and certificate with the following:

kubectl create secret tls host-secret --key /tmp/tls.key --cert /tmp/tls.crt

The secret name (host-secret here) must be unique, and the --key and --cert paths should point to your own files.

Then start with this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-tls
  namespace: default
spec:
  tls:
  # each host listed here needs a matching entry under rules
  # for its certificate to be served
  - hosts:
    - my-first-host.com
    secretName: host-secret
  - hosts:
    - bar.baz.com
    # this assumes a second ssl cert has been added
    secretName: barbaz
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          # this should point to the listener port for the service
          # and not the pod directly
          servicePort: 80
        path: /
  - host: bar.baz.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
        path: /