Ingress and MetalLB
Ingress is a very useful component for providing a common entrypoint for multiple services. We will use Ingress together with MetalLB, which serves as a replacement for cloud-based LoadBalancers. In a typical cloud environment all incoming traffic flows into a Kubernetes cluster through the LoadBalancer, and MetalLB is a compatible replacement for non-cloud installations.
Data flow will be
Internet -> LoadBalancer -> Ingress -> service
Preparation
cd ~/homekube/src/ingress
A pwd should now show something like /home/mykube/k8s/ingress.
Make sure you have installed Helm before you proceed.
Installation
We will set up separate namespaces for metallb and ingress-nginx to make later maintenance easier. The MicroK8s default installation tends to install many add-ons in the ‘kube-system’ namespace. That makes things harder later if it turns out that the default installation needs to be modified or extended.
kubectl create namespace metallb-system
kubectl apply -f metallb-config.yaml
helm install metallb --version=0.12.0 -n metallb-system stable/metallb
These commands are a Helm-based replacement for the MicroK8s LoadBalancer enablement microk8s enable metallb.
If you need to reconfigure the default IP address range 192.168.1.200-192.168.1.201, please edit metallb-config.yaml to match your environment.
Next we’ll install ingress-nginx. The notable difference from microk8s enable ingress is that this configuration prepares Ingress for scraping metrics later and for providing some traffic visualisation.
That wasn’t easy to add when using the MicroK8s version.
kubectl create namespace ingress-nginx
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install nginx-helm -n ingress-nginx --version=4.0.6 \
-f ingress-helm-values.yaml \
ingress-nginx/ingress-nginx
Configuration
Next we configure the dashboard service. If you have already configured Apache2 or Nginx reverse proxies this may be a bit familiar for you. The manifest type is Ingress and the noticeable difference is that configuration is done through annotations.
Read more about Ingress configuration.
There is a long list of available annotations.
Reference of embedded variables.
We accept incoming HTTPS traffic, then unwrap it at the Ingress and wrap it again in HTTPS to forward it to the Kubernetes dashboard.
It is an important detail that the Ingress manifest must be defined in the same namespace as the service it references, e.g. namespace: kubernetes-dashboard.
cd ~/homekube/src/dashboard
kubectl apply -f ingress-dashboard.yaml
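The unwrap-and-rewrap behaviour and the namespace rule described above, as an added example manifest (not the repository's own ingress-dashboard.yaml). The Ingress name, the Service name kubernetes-dashboard, port 443 and the ingress class nginx are assumptions.

```yaml
# Added example; not the contents of the repository's ingress-dashboard.yaml.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress              # hypothetical name
  # Must be the namespace of the Service referenced below;
  # an Ingress cannot point at a Service in another namespace.
  namespace: kubernetes-dashboard
  annotations:
    # Tell ingress-nginx to speak HTTPS to the backend, so traffic is
    # decrypted at the controller and encrypted again for the second hop.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx              # assumed class name of the controller
  # No "tls:" section and no host: requests to the LoadBalancer IP are
  # served with the controller's default (fake) certificate.
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard   # assumed Service name
                port:
                  number: 443                # assumed HTTPS port of the Service
```

By default ingress-nginx does not verify the backend's certificate, so the second hop is encrypted but not authenticated; the proxy-ssl-verify and proxy-ssl-secret annotations exist for that.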
In your local browser open https://192.168.1.200
The dashboard now opens via Ingress in addition to the previous configuration.
Note that we have not provided a certificate so far.
Ingress will present your browser with a Kubernetes Ingress Controller Fake Certificate that is different from the one presented by the dashboard service and the default dashboard certificate. Although Chrome again shows the NET::ERR_CERT_AUTHORITY_INVALID error, it will now show a Proceed to 192.168.1.200 (unsafe) option.
Next steps
Let's improve the dashboard and remove the annoying token login.