NGINX Kubernetes Ingress Controller | Examples (GKE)ΒΆ
Included below are several examples of NGINX Ingress Controller deployments. It is recommended that you progress through building on top of each other. Going this way highlights the lifecycle of container-based services that will evolve.
The VirtualServer and VirtualServerRoute resources are new load-balancing configurations introduced in release 1.5 as an alternative to the Ingress resource. The resources enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. The resources are implemented as Custom Resources.
A custom resource is an extension of the Kubernetes API that is not necessarily available in a default Kubernetes installation. It represents a customization of a particular Kubernetes installation. However, many core Kubernetes functions are now built using custom resources, making Kubernetes more modular.
Custom resources can appear and disappear in a running cluster through dynamic registration, and cluster admins can update custom resources independently of the cluster itself. Once a custom resource is installed, users can create and access its objects using kubectl, just as they do for built-in resources like Pods.
NGINX Ingress Controller Examples:
Basic: This is a simple layer 7 routing ingress, taking our EXTERNAL-IP address and moving clients to Arcadia Application
HTTPS: Layer 7 routing ingress with TLS, TLS secret is stored in Kubernetes as a TLS secret
HTTPS with Active Monitors: HTTPS + Active Health Monitors to Pods
HTTPS with Active Monitors, Caching: HTTPS + Active Health Monitors + Caching for site content
Basic
Create NGINX Ingress Controller with Basic HTTP:
In the terminal window, copy the below text and paste+enter:
cat << EOF | kubectl apply -f - apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: arcadia spec: host: $nginx_ingress upstreams: - name: arcadia-main service: arcadia-main port: 80 - name: arcadia-app2 service: arcadia-app2 port: 80 - name: arcadia-app3 service: arcadia-app3 port: 80 routes: - path: / action: pass: arcadia-main - path: /app2 action: pass: arcadia-app2 - path: /app3 action: pass: arcadia-app3 EOF
Example:
NGINX Dashboard should be updated reflecting the new services discovered
NGINX Dashboard URL:
http://stats.arcadia.local/dashboard.html
Example:
Arcadia application is now exposed through the NGINX Ingress Controller on HTTP!
NGINX Ingress Controller URL:
http://arcadia.local/
Example:
HTTPS
Note
There is no change to the Dashboard when using HTTPS. However, the Ingress will now listen on both port 80 and port 443
TLS Secrets stored in Kubernetes can be referenced with NGINX Ingress Controller. First, we need to install them into Kubernetes.
Step 1. Create Kubernetes TLS Secret
In the terminal window, copy the below text and paste+enter:
cat << EOF | kubectl apply -f - apiVersion: v1 kind: Secret metadata: name: arcadia-secret type: kubernetes.io/tls data: tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhZQ0NRREFPRjl0THNhWFdqQU5CZ2txaGtpRzl3MEJBUXNGQURCYU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MApaREViTUJrR0ExVUVBd3dTWTJGbVpTNWxlR0Z0Y0d4bExtTnZiU0FnTUI0WERURTRNRGt4TWpFMk1UVXpOVm9YCkRUSXpNRGt4TVRFMk1UVXpOVm93V0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba05CTVNFd0h3WUQKVlFRS0RCaEpiblJsY201bGRDQlhhV1JuYVhSeklGQjBlU0JNZEdReEdUQVhCZ05WQkFNTUVHTmhabVV1WlhoaApiWEJzWlM1amIyMHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDcDZLbjdzeTgxCnAwanVKL2N5ayt2Q0FtbHNmanRGTTJtdVpOSzBLdGVjcUcyZmpXUWI1NXhRMVlGQTJYT1N3SEFZdlNkd0kyaloKcnVXOHFYWENMMnJiNENaQ0Z4d3BWRUNyY3hkam0zdGVWaVJYVnNZSW1tSkhQUFN5UWdwaW9iczl4N0RsTGM2SQpCQTBaalVPeWwwUHFHOVNKZXhNVjczV0lJYTVyRFZTRjJyNGtTa2JBajREY2o3TFhlRmxWWEgySTVYd1hDcHRDCm42N0pDZzQyZitrOHdnemNSVnA4WFprWldaVmp3cTlSVUtEWG1GQjJZeU4xWEVXZFowZXdSdUtZVUpsc202OTIKc2tPcktRajB2a29QbjQxRUUvK1RhVkVwcUxUUm9VWTNyemc3RGtkemZkQml6Rk8yZHNQTkZ4MkNXMGpYa05MdgpLbzI1Q1pyT2hYQUhBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLSEZDY3lPalp2b0hzd1VCTWRMClJkSEliMzgzcFdGeW5acS9MdVVvdnNWQTU4QjBDZzdCRWZ5NXZXVlZycTVSSWt2NGxaODFOMjl4MjFkMUpINnIKalNuUXgrRFhDTy9USkVWNWxTQ1VwSUd6RVVZYVVQZ1J5anNNL05VZENKOHVIVmhaSitTNkZBK0NuT0Q5cm4yaQpaQmVQQ0k1ckh3RVh3bm5sOHl3aWozdnZRNXpISXV5QmdsV3IvUXl1aTlmalBwd1dVdlVtNG52NVNNRzl6Q1Y3ClBwdXd2dWF0cWpPMTIwOEJqZkUvY1pISWc4SHc5bXZXOXg5QytJUU1JTURFN2IvZzZPY0s3TEdUTHdsRnh2QTgKN1dqRWVxdW5heUlwaE1oS1JYVmYxTjM0OWVOOThFejM4Zk9USFRQYmRKakZBL1BjQytHeW1lK2lHdDVPUWRGaAp5UkU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcWVpcCs3TXZOYWRJN2lmM01wUHJ3Z0pwYkg0N1JUTnBybVRTdENyWG5LaHRuNDFrCkcrZWNVTldCUU5semtzQndHTDBuY0NObzJhN2x2S2wxd2k5cTIrQW1RaGNjS1ZSQXEzTVhZNXQ3WGxZa1YxYkcKQ0pwaVJ6ejBza0lLWXFHN1BjZXc1UzNPaUFRTkdZMURzcGRENmh2VWlYc1RGZTkxaUNHdWF3MVVoZHErSkVwRwp3SStBM0kreTEzaFpWVng5aU9WOEZ3cWJRcCt1eVFvT05uL3BQTUlNM0VWYWZGMlpHVm1WWThLdlVWQ2cxNWhRCmRtTWpkVnhGbldkSHNFYmltRkNaYkp1dmRySkRxeWtJOUw1S0Q1K05SQlAvazJsUkthaTAwYUZHTjY4NE93NUgKYzMzUVlzeFR0bmJEelJjZGdsdEkxNURTN3lxTnVRbWF6b1Z3QndJREFRQUJBb0lCQVFDUFNkU1luUXRTUHlxbApGZlZGcFRPc29PWVJoZjhzSStpYkZ4SU91UmF1V2VoaEp4ZG01Uk9ScEF6bUNMeUw1VmhqdEptZTIyM2dMcncyCk45OUVqVUtiL1ZPbVp1RHNCYzZvQ0Y2UU5SNThkejhjbk9SVGV3Y290c0pSMXBuMWhobG5SNUhxSkpCSmFzazEKWkVuVVFmY1hackw5NGxvOUpIM0UrVXFqbzFGRnM4eHhFOHdvUEJxalpzVjdwUlVaZ0MzTGh4bndMU0V4eUZvNApjeGI5U09HNU9tQUpvelN0Rm9RMkdKT2VzOHJKNXFmZHZ5dGdnOXhiTGFRTC94MGtwUTYyQm9GTUJEZHFPZVBXCktmUDV6WjYvMDcvdnBqNDh5QTFRMzJQem9idWJzQkxkM0tjbjMyamZtMUU3cHJ0V2wrSmVPRmlPem5CUUZKYk4KNHFQVlJ6NWhBb0dCQU50V3l4aE5DU0x1NFArWGdLeWNrbGpKNkY1NjY4Zk5qNUN6Z0ZScUowOXpuMFRsc05ybwpGVExaY3hEcW5SM0hQWU00MkpFUmgySi9xREZaeW5SUW8zY2czb2VpdlVkQlZHWTgrRkkxVzBxZHViL0w5K3l1CmVkT1pUUTVYbUdHcDZyNmpleHltY0ppbS9Pc0IzWm5ZT3BPcmxEN1NQbUJ2ek5MazRNRjZneGJYQW9HQkFNWk8KMHA2SGJCbWNQMHRqRlhmY0tFNzdJbUxtMHNBRzR1SG9VeDBlUGovMnFyblRuT0JCTkU0TXZnRHVUSnp5K2NhVQprOFJxbWRIQ2JIelRlNmZ6WXEvOWl0OHNaNzdLVk4xcWtiSWN1YytSVHhBOW5OaDFUanNSbmU3NFowajFGQ0xrCmhIY3FIMHJpN1BZU0tIVEU4RnZGQ3haWWRidUI4NENtWmlodnhicFJBb0dBSWJqcWFNWVBUWXVrbENkYTVTNzkKWVNGSjFKelplMUtqYS8vdER3MXpGY2dWQ0thMzFqQXdjaXowZi9sU1JxM0hTMUdHR21lemhQVlRpcUxmZVpxYwpSMGlLYmhnYk9jVlZrSkozSzB5QXlLd1BUdW14S0haNnpJbVpTMGMwYW0rUlk5WUdxNVQ3WXJ6cHpjZnZwaU9VCmZmZTNSeUZUN2NmQ21mb09oREN0enVrQ2dZQjMwb0xDMVJMRk9ycW40M3ZDUzUxemM1em9ZNDR1QnpzcHd3WU4KVHd2UC9FeFdNZjNWSnJEakJDSCtULzZzeXNlUGJKRUltbHpNK0l3eXRGcEFOZmlJWEV0LzQ4WGY2ME54OGdXTQp1SHl4Wlp4L05LdER3MFY4dlgxUE9ucTJBNWVpS2ErOGpSQVJZS0pMWU5kZkR1d29seHZHNmJaaGtQaS80RXRUCjNZMThzUUtCZ0h0S2JrKzdsTkpWZXN3WEU1Y1VHNkVEVXNEZS8yVWE3ZlhwN0ZjanFCRW9hcDFMU3crNlRYcDAKWmdybUtFOEFSek00NytFSkhVdmlpcS9udXBFMTVnMGtKVzNzeWhwVTl6WkxPN2x0QjBLSWtPOVpSY21Vam84UQpjcExsSE1BcWJMSjhXWUdKQ2toaVd4eWFsNmhZVHlXWTRjVmtDMHh0VGwvaFVFOUllTktvCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== EOF
Step 2. Create NGINX Ingress Controller with HTTPS:
In the terminal window, copy the below text and paste+enter:
cat << EOF | kubectl apply -f - apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: arcadia spec: host: $nginx_ingress tls: secret: arcadia-secret upstreams: - name: arcadia-main service: arcadia-main port: 80 - name: arcadia-app2 service: arcadia-app2 port: 80 - name: arcadia-app3 service: arcadia-app3 port: 80 routes: - path: / action: pass: arcadia-main - path: /app2 action: pass: arcadia-app2 - path: /app3 action: pass: arcadia-app3 EOF
Arcadia application is now exposed through the NGINX Ingress Controller on HTTPS!
NGINX Ingress Controller URL:
https://arcadia.local/
orhttp://arcadia.local/
HTTPS with Active Monitors
NGINX Plus can periodically check the health of upstream servers by sending special health-check requests to each server and verifying the correct response.
Create NGINX Ingress Controller with HTTPS with Active Monitors:
In the terminal window, copy the below text and paste+enter:
cat << EOF | kubectl apply -f - apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: arcadia spec: host: $nginx_ingress tls: secret: arcadia-secret redirect: enable: true upstreams: - name: arcadia-main service: arcadia-main port: 80 healthCheck: enable: true port: 8080 interval: 20s jitter: 3s fails: 5 passes: 5 statusMatch: "! 500" - name: arcadia-app2 service: arcadia-app2 port: 80 healthCheck: enable: true port: 8080 interval: 20s jitter: 3s fails: 5 passes: 5 statusMatch: "! 500" - name: arcadia-app3 service: arcadia-app3 port: 80 healthCheck: enable: true port: 8080 interval: 20s jitter: 3s fails: 5 passes: 5 statusMatch: "! 500" routes: - path: / action: pass: arcadia-main - path: /api/ action: pass: arcadia-app2 - path: /app3/ action: pass: arcadia-app3 EOF
Example:
NGINX Dashboard should be updated reflecting the active monitors
NGINX Dashboard URL:
http://stats.arcadia.local/dashboard.html#upstreams
Example:
Arcadia application is now exposed through the NGINX Ingress Controller only on HTTP with monitors!
NGINX Ingress Controller URL:
https://arcadia.local/
HTTPS with Active Monitors, Caching
A content cache sits in between a client and an origin server, and saves copies of all the content it sees. If a client requests content that the cache has stored, it returns the content directly without contacting the origin server. This improves performance as the content cache is closer to the client and more efficiently uses the application servers because they do not have to generate pages from scratch each time.
Step 1. Create NGINX Ingress Controller Caching Path:
In the terminal window, copy the below text and paste+enter:
cat << EOF | kubectl apply -f - kind: ConfigMap apiVersion: v1 metadata: name: nginx-config namespace: nginx-ingress data: http-snippets : | proxy_cache_path /var/tmp/a levels=1:2 keys_zone=my_cache:10m max_size=100m inactive=60m use_temp_path=off; EOF
Example:
Step 2. NGINX Dashboard should be updated with the cache location
Example:
Step 3. Create NGINX Ingress Controller with HTTPS with Active Monitors, Caching:
In the terminal window, copy the below text and paste+enter:
cat << EOF | kubectl apply -f - apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata: name: arcadia spec: server-snippets: | proxy_ignore_headers X-Accel-Expires Expires Cache-Control; proxy_cache_valid any 30s; host: $nginx_ingress tls: secret: arcadia-secret redirect: enable: true upstreams: - name: arcadia-main service: arcadia-main port: 80 healthCheck: enable: true port: 8080 interval: 20s jitter: 3s fails: 5 passes: 5 statusMatch: "! 500" - name: arcadia-app2 service: arcadia-app2 port: 80 healthCheck: enable: true port: 8080 interval: 20s jitter: 3s fails: 5 passes: 5 statusMatch: "! 500" - name: arcadia-app3 service: arcadia-app3 port: 80 healthCheck: enable: true port: 8080 interval: 20s jitter: 3s fails: 5 passes: 5 statusMatch: "! 500" routes: - path: / location-snippets: | proxy_cache my_cache; add_header X-Cache-Status \$upstream_cache_status; action: pass: arcadia-main - path: /api/ action: pass: arcadia-app2 - path: /app3/ action: pass: arcadia-app3 EOF
Example:
Arcadia application is now exposed through the NGINX Ingress Controller only on HTTP with monitors and caching!
NGINX Ingress Controller URL:
https://arcadia.local/
The fun does not need to stop yet!
The NGINX product team creates several examples of using NGINX VirtualServers, Ingress, and Configmaps, all of the examples in the nginxinc GitHub repository will also work in this environment.
NGINX Examples have all been completed
At this point, as good stewards of automation, the next step is the destruction of the environment.
Proceed to NGINX Kubernetes Ingress Controller | Destruction (GKE)