8

Is it possible to deploy an ingress controller (nginx) without a public IP address?

Thanks!

1
  • @sokolata-- what cloud provider are you using and which ingress controller are you referring to?
    – Sourav
    Commented Jul 5, 2018 at 15:45

2 Answers

6

Is it possible to deploy an ingress controller (nginx) without a public IP address?

Without question, yes: if the Ingress controller's Service is of type: NodePort, then the Ingress controller's private IP address is every Node's IP address, on the port(s) pointing to :80 and :443 of the Service. Secretly, that's exactly what is happening anyway with type: LoadBalancer, just with the extra sugar coating of the cloud provider mapping between the load balancer's IP address and the binding to the Node's ports.

So, to close that loop: if you wished to have a 100% internal Ingress controller, then use a hostNetwork: true and bind the Ingress controller's ports: to be the host's port 80 and 443; then, make a DNS (A record|CNAME record) for each virtual-host that resolves to the address of every Node in the cluster, and poof: 100% non-Internet-facing Ingress controller.

5
  • 3
    You can also expose the nginx-controller service as type LoadBalancer with an internal IP if your cloud provider supports it, such as GCP.
    – Patrick W
    Commented Jan 16, 2019 at 22:29
  • @PatrickW I am looking for something similar. Would you please tell more about this approach? Is it an annotation or helm variable in the stable chart or editing the yaml files directly?
    – Amit Yadav
    Commented Aug 22, 2019 at 11:12
  • 1
    On GCP, you add an annotation to the service type LoadBalancer, cloud.google.com/load-balancer-type: "internal". You'll need to recreate the service though; you can't edit the service already in place.
    – Patrick W
    Commented Aug 22, 2019 at 11:21
  • Thanks. This command helm install stable/nginx-ingress --set controller.service.annotations."cloud\.google\.com/load-balancer-type"="Internal" worked for me :)
    – Amit Yadav
    Commented Aug 22, 2019 at 12:19
  • @mdaniel : would really appreciate a concrete example.
    – smaikap
    Commented Feb 25, 2020 at 4:41
3

Internal IP ingress in Google Kubernetes Engine

Assuming you wanna deploy an ingress controller (nginx) without a public IP address in GKE, below is what worked for me.

1. Install Nginx-Ingress controller with appropriate annotations

Use the stable/nginx-ingress Helm chart to install the ingress-nginx controller in our GKE cluster.

As per this GCP document, we can create a Load Balancer resource with the cloud.google.com/load-balancer-type: "Internal" annotation to create an internal Load Balancer. Run the below command to add the controller to GKE.

helm install --name ingress-controller stable/nginx-ingress \
--set controller.service.annotations."cloud\.google\.com/load-balancer-type"="Internal"

2. Deploy ingress resources using this controller

To make Ingress resources use the controller, add the kubernetes.io/ingress.class: nginx annotation to your ingress resources.

An example Ingress resource using nginx-ingress controller looks something like below:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: nginx-test
spec:
  rules:
    - host: www.example.com
      http:
        paths:
        - backend:
            serviceName: my-service-1
            servicePort: 80
          path: /tasks
        - backend:
            serviceName: my-service-2
            servicePort: 80
          path: /

Now, using the kubectl command, you can see that the IP assigned to your ingress resource is an internal IP address.

3. In case you wanna use TLS too (Optional)

Add the below to your YAML manifest:

  ...
  rules:
  ...
  tls:
  - hosts:
    - www.example.com
    secretName: my-certs

In the above example my-certs is a Kubernetes secret containing the server key, certificate and CA certificate created using the below command:

kubectl create secret generic my-certs --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt

For the example above, the keys and certificates are created with a sample hostname, referring to this Medium article.

Hope this helps.
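
A check that the controller's Service really ended up internal, as an added example that is not part of either answer: it reads output shaped like `kubectl get svc -A -o json` and flags LoadBalancer Services whose address is outside RFC 1918 space, including the case from the comments where the annotation is present but the Service was not recreated. The sample data, the Service names and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
import json

ANNOTATION = "cloud.google.com/load-balancer-type"  # annotation named on this page
# Assumption: "internal" means RFC 1918 space; adjust for your VPC ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _svc(name, svc_type, annotations=None, ip=None):
    """Build a constructed Service object shaped like kubectl's JSON output."""
    lb = {"ingress": [{"ip": ip}]} if ip else {}
    return {"metadata": {"name": name, "namespace": "ingress", "annotations": annotations or {}},
            "spec": {"type": svc_type}, "status": {"loadBalancer": lb}}

# Constructed sample standing in for `kubectl get svc -A -o json`.
SAMPLE = json.dumps({"items": [
    _svc("ctrl-internal", "LoadBalancer", {ANNOTATION: "Internal"}, "10.128.0.7"),
    _svc("ctrl-default", "LoadBalancer", None, "203.0.113.10"),
    _svc("ctrl-edited", "LoadBalancer", {ANNOTATION: "internal"}, "203.0.113.11"),
    _svc("ctrl-new", "LoadBalancer", {ANNOTATION: "Internal"}),
    _svc("ctrl-nodeport", "NodePort"),
]})

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit(svc_list_json):
    """Map namespace/name -> verdict for every LoadBalancer Service."""
    verdicts = {}
    for svc in json.loads(svc_list_json)["items"]:
        if svc["spec"].get("type") != "LoadBalancer":
            continue  # NodePort/ClusterIP have no cloud load balancer address to check
        meta = svc["metadata"]
        key = f'{meta.get("namespace", "default")}/{meta["name"]}'
        # The page shows both "internal" and "Internal", so compare case-insensitively.
        annotated = (meta.get("annotations") or {}).get(ANNOTATION, "").lower() == "internal"
        entries = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        ips = [e["ip"] for e in entries if "ip" in e]
        if not ips:
            verdicts[key] = "pending"
        elif all(is_rfc1918(ip) for ip in ips):
            verdicts[key] = "internal"
        else:  # a public address; note when the annotation claims otherwise
            verdicts[key] = "public-despite-annotation" if annotated else "public"
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{verdict:26} {name}")
```

Against a live cluster, pass the text of `kubectl get svc -A -o json` to `audit()` instead of `SAMPLE`.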
