Testing - NGINX Ingress Controller for Kubernetes
===

1. https://github.com/kubernetes/ingress-nginx
2. https://kubernetes.github.io/ingress-nginx/deploy/#aws

> In AWS we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of Type=LoadBalancer[2].

---

1. Create the mandatory resources for Nginx Ingress in the EKS cluster.

```
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.43.0/deploy/static/provider/aws/deploy.yaml
namespace/ingress-nginx created
serviceaccount/ingress-nginx created
configmap/ingress-nginx-controller created
clusterrole.rbac.authorization.k8s.io/ingress-nginx created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx created
role.rbac.authorization.k8s.io/ingress-nginx created
rolebinding.rbac.authorization.k8s.io/ingress-nginx created
service/ingress-nginx-controller-admission created
service/ingress-nginx-controller created
deployment.apps/ingress-nginx-controller created
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission created
serviceaccount/ingress-nginx-admission created
clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission created
clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
role.rbac.authorization.k8s.io/ingress-nginx-admission created
rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission created
job.batch/ingress-nginx-admission-create created
job.batch/ingress-nginx-admission-patch created

$ kubectl -n ingress-nginx get po
NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create-md6xs        0/1     Completed   0          24m
ingress-nginx-admission-patch-p8qcv         0/1     Completed   2          24m
ingress-nginx-controller-84dcb9867d-fqx84   1/1     Running     0          24m
```

2. Deploy the sample echo-server.
   * https://kubernetes.github.io/ingress-nginx/examples/PREREQUISITES/#test-http-service

```
$ kubectl create -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
deployment.apps/http-svc created
service/http-svc created

$ kubectl get svc,pod
NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/http-svc     ClusterIP   10.100.199.205   <none>        80/TCP    9s
service/kubernetes   ClusterIP   10.100.0.1       <none>        443/TCP   29d

NAME                            READY   STATUS    RESTARTS   AGE
pod/http-svc-64f85bcc78-xgb28   1/1     Running   0          9s
```

3. Create the Ingress manifest.

```
$ cat ./example-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  labels:
    app: http-svc
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: http-svc
          servicePort: 80

$ kubectl apply -f ./example-ingress.yaml
```

Verify that the NLB is ready.

```
$ kubectl get po,svc,ingress
NAME                            READY   STATUS    RESTARTS   AGE
pod/http-svc-64f85bcc78-xgb28   1/1     Running   0          7m22s

NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/http-svc     ClusterIP   10.100.199.205   <none>        80/TCP    7m22s
service/kubernetes   ClusterIP   10.100.0.1       <none>        443/TCP   29d

NAME                                 CLASS    HOSTS   ADDRESS                                                                              PORTS   AGE
ingress.extensions/example-ingress   <none>   *       ab619ba3a6bbf4505bff9075c5a7625d-e3061a5fdb61215d.elb.ap-northeast-1.amazonaws.com   80      4m15s
```

Test the NLB via the curl command.
```
$ curl ab619ba3a6bbf4505bff9075c5a7625d-e3061a5fdb61215d.elb.ap-northeast-1.amazonaws.com

Hostname: http-svc-64f85bcc78-xgb28

Pod Information:
    node name: ip-192-168-63-175.ap-northeast-1.compute.internal
    pod name: http-svc-64f85bcc78-xgb28
    pod namespace: default
    pod IP: 192.168.47.110

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=192.168.58.216
    method=GET
    real path=/
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://ab619ba3a6bbf4505bff9075c5a7625d-e3061a5fdb61215d.elb.ap-northeast-1.amazonaws.com:8080/

Request Headers:
    accept=*/*
    host=ab619ba3a6bbf4505bff9075c5a7625d-e3061a5fdb61215d.elb.ap-northeast-1.amazonaws.com
    user-agent=curl/7.61.1
    x-forwarded-for=18.179.171.139
    x-forwarded-host=ab619ba3a6bbf4505bff9075c5a7625d-e3061a5fdb61215d.elb.ap-northeast-1.amazonaws.com
    x-forwarded-port=80
    x-forwarded-proto=http
    x-real-ip=18.179.171.139
    x-request-id=da47e55e5512e7913fbf9e32d7842c76
    x-scheme=http

Request Body:
    -no body in request-
```

View how the Ingress NGINX controller works.

```
$ kubectl -n ingress-nginx exec -it ingress-nginx-controller-84dcb9867d-fqx84 -- /bin/bash
bash-5.0$ cat nginx.conf
...
        location / {

            set $namespace "default";
            set $ingress_name "example-ingress";
            set $service_name "http-svc";
            set $service_port "80";
            set $location_path "/";

            rewrite_by_lua_block {
                lua_ingress.rewrite({
                    force_ssl_redirect = false,
                    ssl_redirect = true,
                    force_no_ssl_redirect = false,
                    use_port_in_redirects = false,
                })
                balancer.rewrite()
                plugins.run()
            }

            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
            # will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
            #access_by_lua_block {
            #}

            header_filter_by_lua_block {
                lua_ingress.header()
                plugins.run()
            }

            body_filter_by_lua_block {
            }

            log_by_lua_block {
                balancer.log()
                monitor.call()
                plugins.run()
            }

            port_in_redirect off;

            set $balancer_ewma_score -1;
            set $proxy_upstream_name "default-http-svc-80";
            set $proxy_host $proxy_upstream_name;
            set $pass_access_scheme $scheme;
...
```
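
A check for the curl test step above, added here as an example and not part of the original walkthrough: it parses the echo-server response and reports whether the backend was reached through the controller, whether the forwarded client-IP headers agree, and whether the request arrived over plaintext HTTP. The function names and the RFC 1918 test for "cluster-internal" are assumptions of this example, and the sample response is constructed from the output shown earlier.

```bash
# Added example: sanity-check an echo-server response fetched through the ingress.
# sample_response is constructed, trimmed from the format shown in the curl step.
sample_response() {
  cat <<'EOF'
Request Information:
    client_address=192.168.58.216
    request_scheme=http
Request Headers:
    x-forwarded-for=18.179.171.139
    x-forwarded-proto=http
    x-real-ip=18.179.171.139
EOF
}

# field KEY: print the value of the first "KEY=value" line read from stdin.
field() {
  awk -v k="$1" '{ sub(/^[ \t]+/, "") }
    !seen && index($0, k "=") == 1 { print substr($0, length(k) + 2); seen = 1 }'
}

# is_private IP: true for RFC 1918 addresses (assumed pod/node address space).
is_private() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_echo: read a response on stdin and print one finding per line.
# Returns 1 when the request evidently did not pass through the controller.
check_echo() {
  local body peer xff real proto
  body=$(cat)
  peer=$(printf '%s\n' "$body" | field client_address)
  xff=$(printf '%s\n' "$body" | field x-forwarded-for)
  real=$(printf '%s\n' "$body" | field x-real-ip)
  proto=$(printf '%s\n' "$body" | field x-forwarded-proto)
  if [ -z "$xff" ] || [ -z "$real" ]; then
    echo "FAIL no x-forwarded-for/x-real-ip: request did not pass the controller"; return 1
  fi
  if ! is_private "$peer"; then
    echo "FAIL peer $peer is not internal: backend reached without the controller"; return 1
  fi
  echo "OK peer $peer is internal; the client IP is carried in headers only"
  if [ "$xff" = "$real" ]; then echo "OK x-forwarded-for and x-real-ip agree on $real"
  else echo "WARN x-forwarded-for ($xff) differs from x-real-ip ($real)"; fi
  [ "$proto" = "https" ] || echo "WARN plaintext: x-forwarded-proto=$proto"
  return 0
}

sample_response | check_echo
```

Against a live cluster, pipe the real response in: `curl -s http://<nlb-hostname>/ | check_echo`.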