13 Installing and Configuring Ingress Controller
An Ingress controller is a load balancer that enables simple host or URL-based HTTP routing.
This chapter includes the following topics:
- Kubernetes Services
  The Kubernetes services are created as part of the Ingress deployment.
- Variables Used in this Chapter
  The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment.
- Creating a Kubernetes Namespace
  The Kubernetes namespace is used to store the Ingress controller.
- Creating a Registry Secret
  The nginx Ingress controller is obtained from the container registry on GitHub. To download the image on demand, you should create a registry secret with your GitHub credentials.
- Adding the Ingress Image to the Helm Repository
  Use the helm commands to add the nginx container image to the Helm repository.
- Installing an Ingress Controller to Support HTTPS/HTTP and LDAPS/LDAP
  When you create an Ingress controller, it will support HTTP and/or HTTPS traffic. If you terminate the SSL traffic behind a load balancer, there is no need to enable the HTTPS traffic.
Kubernetes Services
The Kubernetes services are created as part of the Ingress deployment.
Table 13-1 Kubernetes Services
Service Name | Type | Service Port | Mapped Port |
---|---|---|---|
 | NodePort | 80, 443 | 30777, 30443 |
These are the ports you will use to interact with the controller.
Variables Used in this Chapter
The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment.
Variables are formatted as <VARIABLE_NAME>. The following table provides the values you should set for each of these variables.
Table 13-2 The Variables to be Changed
Variable | Sample Value | Description |
---|---|---|
<INGRESSNS> | | The name of the Ingress namespace. |
<GIT_USER> | | The name of the user to log in to GitHub. |
<GIT_TOKEN> | | The git login token. |
<WORKDIR> | | The working directory for Ingress. |
<INGRESS_SERVICE_TYPE> | | The type of Ingress service to create. Options are NodePort and LoadBalancer. |
<INGRESS_NAME> | | An arbitrary name for the controller. |
<INGRESS_REPLICAS> | | The number of copies of the Ingress controller you want to start. For highly available implementations, this value should be |
<INGRESS_HTTP_K8> | 30777 | The Kubernetes service port you want to use for HTTP communications. |
<INGRESS_HTTPS_K8> | | The Kubernetes service port you want to use for HTTPS communications. |
<LDAPNS> | | The namespace where the LDAP directory is running. |
<LDAP_K8> | | The Kubernetes port you want to use to expose the Ingress LDAP traffic. |
<LDAPS_K8> | | The Kubernetes port you want to use to expose the Ingress LDAPS traffic. |
<OUD_POD_PREFIX> | | The prefix used in the name of the service in the LDAP namespace to which you want to send traffic. |
<USE_PROM> | | Set to |
Creating a Kubernetes Namespace
The Kubernetes namespace is used to store the Ingress controller.
kubectl create namespace <INGRESSNS>
For example:
kubectl create namespace ingressns
Creating a Registry Secret
To create a registry secret called gitcred in the Ingress namespace, use the following command:
kubectl create secret docker-registry gitcred -n <INGRESSNS> --docker-server=ghcr.io --docker-username=<GIT_USER> --docker-password="<GIT_TOKEN>"
For example:
kubectl create secret docker-registry gitcred -n ingressns --docker-server=ghcr.io --docker-username=mygituser --docker-password="mytoken"
Adding the Ingress Image to the Helm Repository
Use the helm commands to add the nginx container image to the Helm repository.
helm repo add stable https://kubernetes.github.io/ingress-nginx
helm repo update
Installing an Ingress Controller to Support HTTPS/HTTP and LDAPS/LDAP
When you create an Ingress controller, it will support HTTP and/or HTTPS traffic. If you terminate the SSL traffic behind a load balancer, there is no need to enable the HTTPS traffic.
If you are deploying only Oracle Identity Management Microservices and do not want to place them behind an existing Oracle HTTP server deployment, you would either configure Ingress for end-to-end SSL or terminate SSL at the Ingress.
If you are deploying an Oracle LDAP directory inside a Kubernetes cluster, you can optionally expose the LDAP and LDAPS traffic through Ingress. If you have no direct requirement to access the LDAP directory outside of the Kubernetes cluster, Oracle recommends that you do not enable this option.
Perform the following steps to create an Ingress controller:
- Creating a Self-Signed Certificate for SSL Requests
- Creating a Kubernetes Secret with the Certificate
- Creating the Helm Override File
- Creating the Ingress Controller
- Validating the Ingress Controller
Creating a Self-Signed Certificate for SSL Requests
You may skip this step if you have purchased your own CA certificate, or if you are placing Ingress behind an Oracle HTTP Server.
If you want to use a self-signed certificate, run the following commands:
Creating a Kubernetes Secret with the Certificate
Load the certificate into a Kubernetes secret. If you have purchased your own certificate, you can use that instead.
kubectl -n <INGRESSNS> create secret tls common-tls-cert --key /workdir/ingress.key --cert /workdir/ingress.crt
Creating the Helm Override File
Create a file called ingress_override.yaml in your working directory. Depending on your deployment, the content of the file will be different.
This section includes the following topics:
- Creating an Ingress controller for HTTP and HTTPS terminated traffic.
- Creating an Ingress controller for HTTP, HTTPS, and LDAP traffic.
Types of Ingress Service
You can create two types of Ingress services.
If you create a NodePort service, then interactions with the Ingress controller are through the Kubernetes worker nodes and the associated Kubernetes service port assigned to the controller.
If you create a LoadBalancer service, then the Ingress controller is assigned an IP address. Interactions with the Ingress controller are directly through this IP address.
Creating a LoadBalancer type service is dependent on the flavor of Kubernetes you are using. You should refer to your platform's documentation to create this service.
For example, to create a LoadBalancer service on Oracle Cloud Infrastructure:
- Using the example files (see Override File for HTTP and HTTPS and Override File for HTTP, HTTPS, LDAP, and LDAPS), make the following changes:
  - Set type: LoadBalancer
  - Under the LoadBalancer type, add the following lines:
    annotations:
      service.beta.kubernetes.io/oci-load-balancer-internal: "true"
      service.beta.kubernetes.io/oci-load-balancer-subnet1: "ocid1.subnet.oc1.iad....kdi3ds.....vqri332zdrr3rm"
      service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10"
      service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "10"
      service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
  - Set oci-load-balancer-subnet1 to the OCID of the subnet in which the Kubernetes nodes reside.
Override File for HTTP and HTTPS
imagePullSecrets:
  - name: gitcred
controller:
  name: <INGRESS_NAME>
  ingressClassResource:
    name: nginx
  config:
    use-forwarded-headers: true
    enable-underscores-in-headers: true
  wildcardTLS:
    secret: tls-cert
  replicaCount: <INGRESS_REPLICAS>
  service:
    type: <INGRESS_SERVICE_TYPE>
    nodePorts:
      http: <INGRESS_HTTP_K8>
      https: <INGRESS_HTTPS_K8>
  admissionWebhooks:
    enabled: false
  metrics:
    enabled: <USE_PROM>
    serviceMonitor:
      enabled: <USE_PROM>
Override File for HTTP, HTTPS, LDAP, and LDAPS
The following is the Helm override file for HTTP and HTTPS terminated traffic with the addition of exposing the LDAP/LDAPS directory services:
imagePullSecrets:
  - name: gitcred
tcp:
  1389: <LDAPNS>/<OUD_POD_PREFIX>-oud-ds-rs-lbr-ldap:ldap
  1636: <LDAPNS>/<OUD_POD_PREFIX>-oud-ds-rs-lbr-ldap:ldaps
controller:
  name: <INGRESS_NAME>
  ingressClassResource:
    name: nginx
  config:
    use-forwarded-headers: true
    enable-underscores-in-headers: true
  wildcardTLS:
    secret: tls-cert
  replicaCount: <INGRESS_REPLICAS>
  service:
    type: <INGRESS_SERVICE_TYPE>
    nodePorts:
      http: <INGRESS_HTTP_K8>
      https: <INGRESS_HTTPS_K8>
      tcp:
        1389: <LDAP_K8>
        1636: <LDAPS_K8>
  admissionWebhooks:
    enabled: false
  metrics:
    enabled: <USE_PROM>
    serviceMonitor:
      enabled: <USE_PROM>
In this file:
- tls-cert is the name of the SSL certificate you created earlier. See Creating a Self-Signed Certificate for SSL Requests.
- edg-<OUD_POD_PREFIX>-ds-rs-lbr-ldap is the name of the service in the LDAP namespace to which you want to send the traffic.
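Both override files in this section are templates that you fill in by hand, and a wrong value is only discovered after helm install fails or, worse, after the controller starts without TLS. The following script is an added example, not part of the Oracle documentation: it renders the HTTP, HTTPS, LDAP and LDAPS template (a superset of the HTTP and HTTPS one) with constructed sample values and applies the checks a reviewer would run before installing: no placeholder left unsubstituted, a recognised service type, at least two replicas for high availability, every nodePort unique and inside the Kubernetes default NodePort range 30000-32767, and every secret the file names (the gitcred pull secret and the wildcardTLS secret) present in the set of secrets you actually created in the Ingress namespace, which catches a name that differs between the kubectl create secret tls command and the override. The <TLS_SECRET> placeholder (the chapter hard-codes tls-cert), the sample namespace oudns and the regex-based parsing (used so that PyYAML is not required) are assumptions of this example.

```python
import re

PLACEHOLDER = re.compile(r"<([A-Z][A-Z0-9_]*)>")
NODEPORT_RANGE = range(30000, 32768)  # Kubernetes default --service-node-port-range

# Template copied from the chapter's override file for HTTP, HTTPS, LDAP and LDAPS.
# <TLS_SECRET> is an assumption of this example; the chapter hard-codes tls-cert.
TEMPLATE = """\
imagePullSecrets:
  - name: gitcred
tcp:
  1389: <LDAPNS>/<OUD_POD_PREFIX>-oud-ds-rs-lbr-ldap:ldap
  1636: <LDAPNS>/<OUD_POD_PREFIX>-oud-ds-rs-lbr-ldap:ldaps
controller:
  name: <INGRESS_NAME>
  ingressClassResource:
    name: nginx
  config:
    use-forwarded-headers: true
    enable-underscores-in-headers: true
  wildcardTLS:
    secret: <TLS_SECRET>
  replicaCount: <INGRESS_REPLICAS>
  service:
    type: <INGRESS_SERVICE_TYPE>
    nodePorts:
      http: <INGRESS_HTTP_K8>
      https: <INGRESS_HTTPS_K8>
      tcp:
        1389: <LDAP_K8>
        1636: <LDAPS_K8>
  admissionWebhooks:
    enabled: false
  metrics:
    enabled: <USE_PROM>
    serviceMonitor:
      enabled: <USE_PROM>
"""

# Constructed sample values (the chapter leaves most sample values blank).
SAMPLE_VALUES = {
    "LDAPNS": "oudns",
    "OUD_POD_PREFIX": "edg",
    "INGRESS_NAME": "idmedg",
    "TLS_SECRET": "common-tls-cert",
    "INGRESS_REPLICAS": "2",
    "INGRESS_SERVICE_TYPE": "NodePort",
    "INGRESS_HTTP_K8": "30777",
    "INGRESS_HTTPS_K8": "30443",
    "LDAP_K8": "31389",
    "LDAPS_K8": "31636",
    "USE_PROM": "false",
}


def render(template, values):
    """Substitute <NAME> placeholders; unknown names stay so the checker reports them."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def check_override(rendered, created_secrets):
    """Return the problems a reviewer would raise before 'helm install' (empty = OK)."""
    problems = []
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        problems.append(f"unsubstituted placeholders: {leftover}")

    m = re.search(r"^\s*type:\s*(\S+)\s*$", rendered, re.M)
    service_type = m.group(1) if m else None
    if service_type not in ("NodePort", "LoadBalancer"):
        problems.append(f"service type must be NodePort or LoadBalancer, got {service_type!r}")

    m = re.search(r"^\s*replicaCount:\s*(\d+)\s*$", rendered, re.M)
    replicas = int(m.group(1)) if m else 0
    if replicas < 2:
        problems.append(f"replicaCount is {replicas}; high availability needs at least 2")

    # Only the nodePorts lines carry a bare number as value; the top-level tcp
    # lines map a port to namespace/service:port and do not match this regex.
    node_ports = re.findall(r"^\s*(?:https?|\d+):\s*(\d+)\s*$", rendered, re.M)
    for port in node_ports:
        if int(port) not in NODEPORT_RANGE:
            problems.append(f"nodePort {port} is outside the range 30000-32767")
    if len(set(node_ports)) != len(node_ports):
        problems.append(f"nodePorts must be unique: {node_ports}")

    # The pull secret and the wildcardTLS secret must exist in the Ingress
    # namespace before helm install, or the controller cannot pull or serve TLS.
    for name in re.findall(r"^\s*(?:- name|secret):\s*(\S+)\s*$", rendered, re.M):
        if name not in created_secrets:
            problems.append(f"secret {name!r} is referenced but was not created")

    for flag in re.findall(r"^\s*enabled:\s*(\S+)\s*$", rendered, re.M):
        if flag not in ("true", "false"):
            problems.append(f"enabled must be true or false, got {flag!r}")
    return problems


if __name__ == "__main__":
    rendered = render(TEMPLATE, SAMPLE_VALUES)
    print(rendered)
    for problem in check_override(rendered, {"gitcred", "common-tls-cert"}):
        print("PROBLEM:", problem)
```

Replace SAMPLE_VALUES with your own values and pass the names returned by kubectl get secrets -n <INGRESSNS> as created_secrets; write the rendered text to ingress_override.yaml only when check_override returns an empty list.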
Creating the Ingress Controller
Create the Ingress controller using the helm command, specifying the override file you created earlier:
helm install nginx-ingress -n ingressns \
  --values /workdir/INGRESS/ingress_override.yaml \
  stable/ingress-nginx
Where nginx-ingress is the name of the Helm release and ingressns is the Ingress namespace (<INGRESSNS>).
Validating the Ingress Controller
To validate that the Ingress controller has been successfully created, use the following command:
kubectl get all,ingress -n <INGRESSNS>
For example:
kubectl get all,ingress -n ingressns
The output appears as follows:
NAME                                                     READY   STATUS    RESTARTS   AGE
pod/nginx-ingress-ingress-nginx-idmedg-bd4fdc996-794l5   1/1     Running   0          28h
pod/nginx-ingress-ingress-nginx-idmedg-bd4fdc996-qqvqf   1/1     Running   0          28h

NAME                                         TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                    AGE
service/nginx-ingress-ingress-nginx-idmedg   NodePort   10.107.148.40   <none>        80:30777/TCP,443:30443/TCP,1389:31389/TCP,1636:31636/TCP   28h

NAME                                                 READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-ingress-ingress-nginx-idmedg   2/2     2            2           28h

NAME                                                            DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-ingress-ingress-nginx-idmedg-bd4fdc996   2         2         2       28h
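Reading the listing by eye is error-prone, and a controller whose pods are Running but whose service does not expose the ports set in the override is easy to miss. The following script is an added example, not part of the Oracle documentation: it parses the kubectl get all,ingress output (the listing above, embedded as a constructed sample so the check runs offline) and confirms that every controller pod is Running with all containers ready and no restarts, that the deployment reports the expected replica count, that the service exposes exactly the port mappings configured in the override file, and that a LoadBalancer service has received an external IP. The function names and the EXPECTED_PORTS mapping (taken from the LDAP-enabled listing) are this example's own.

```python
import re

# kubectl output copied from the chapter's validation step, embedded as a
# constructed sample so the check can run without a cluster.
SAMPLE_OUTPUT = """\
NAME READY STATUS RESTARTS AGE
pod/nginx-ingress-ingress-nginx-idmedg-bd4fdc996-794l5 1/1 Running 0 28h
pod/nginx-ingress-ingress-nginx-idmedg-bd4fdc996-qqvqf 1/1 Running 0 28h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/nginx-ingress-ingress-nginx-idmedg NodePort 10.107.148.40 <none> 80:30777/TCP,443:30443/TCP,1389:31389/TCP,1636:31636/TCP 28h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/nginx-ingress-ingress-nginx-idmedg 2/2 2 2 28h
NAME DESIRED CURRENT READY AGE
replicaset.apps/nginx-ingress-ingress-nginx-idmedg-bd4fdc996 2 2 2 28h
"""

# Service port -> NodePort mappings from the LDAP-enabled override file.
EXPECTED_PORTS = {80: 30777, 443: 30443, 1389: 31389, 1636: 31636}


def parse_kubectl_get(text):
    """Group the rows of 'kubectl get all' output by resource kind (pod, service, ...)."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "NAME":
            continue  # blank line or column header
        kind, _, name = fields[0].partition("/")
        rows.setdefault(kind, []).append([name] + fields[1:])
    return rows


def service_port_map(ports_field):
    """Turn '80:30777/TCP,443:30443/TCP' into {80: 30777, 443: 30443}."""
    mapping = {}
    for item in ports_field.split(","):
        m = re.fullmatch(r"(\d+):(\d+)/(?:TCP|UDP)", item)
        if m:  # ClusterIP-only entries such as '80/TCP' carry no NodePort
            mapping[int(m.group(1))] = int(m.group(2))
    return mapping


def check_ingress(text, expected_replicas, expected_ports):
    """Return the problems found; an empty list means the controller looks healthy."""
    rows = parse_kubectl_get(text)
    problems = []

    healthy = []
    for row in rows.get("pod", []):
        name, ready, status, restarts = row[:4]
        up, total = ready.split("/")
        if status == "Running" and up == total:
            healthy.append(name)
        else:
            problems.append(f"pod {name} is {status} with {ready} containers ready")
        if int(restarts) > 0:
            problems.append(f"pod {name} has restarted {restarts} times; check its logs")
    if len(healthy) != expected_replicas:
        problems.append(f"{len(healthy)} healthy pods, expected {expected_replicas}")

    for row in rows.get("deployment.apps", []):
        name, ready = row[:2]
        if ready != f"{expected_replicas}/{expected_replicas}":
            problems.append(f"deployment {name} is {ready} ready")

    services = rows.get("service", [])
    if not services:
        problems.append("no Ingress service found")
    for row in services:
        name, svc_type, _cluster_ip, external_ip, ports = row[:5]
        actual = service_port_map(ports)
        if actual != expected_ports:
            problems.append(f"service {name} exposes {actual}, expected {expected_ports}")
        # A LoadBalancer service is usable only once the platform assigns an address.
        if svc_type == "LoadBalancer" and external_ip in ("<none>", "<pending>"):
            problems.append(f"service {name} has no external IP yet")
    return problems


if __name__ == "__main__":
    for problem in check_ingress(SAMPLE_OUTPUT, 2, EXPECTED_PORTS):
        print("PROBLEM:", problem)
```

In practice, pass the live output of kubectl get all,ingress -n <INGRESSNS> to check_ingress in place of SAMPLE_OUTPUT, with <INGRESS_REPLICAS> and the port values from your override file as the expected values.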