Today we’ll set up an Ingress rule using Contour. You can follow this guide to set up the Contour ingress controller on your K8s cluster.
First, we’ll create a simple Ingress rule that handles plain HTTP requests to our service.
Simple HTTP Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: http-ingress
spec:
  ingressClassName: contour
  rules:
  - host: "example.org"
    http:
      paths:
      - backend:
          service:
            name: app-svc
            port:
              number: 8181
        path: /
        pathType: Prefix
When we apply this Ingress rule, Contour is notified and instructs Envoy to set up the required configuration on each Envoy pod, so that traffic destined for example.org is routed to any pod behind the app-svc:8181 service.
To check if everything is set, I’m using kubectl’s beautiful port-forward capability, but you can probably just point to one of your workers or load balancer workers and get results:
Note: I’m doing this because ports 443 and 80 on my workers were already in use and I could not deploy Envoy with hostPort enabled in each Pod.
The --address 0.0.0.0 flag makes the forwarded port reachable on every interface of the machine running kubectl, not only on localhost.
kubectl -n projectcontour port-forward --address 0.0.0.0 svc/envoy 80:80
Once we’re finished with HTTP, we can set up an HTTPS Ingress rule.
HTTPS Ingress
But how do we set up an HTTPS endpoint? What if we wanted to reach our lovely example.org website or app securely?
We can simply provide a Secret containing our TLS certificates to the Ingress rule so that it can serve HTTPS.
As the TLS termination docs say, the TLS secret must be a Secret of type kubernetes.io/tls. This means that it must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS, in PEM format.
You can use your own self-signed certificate. I’ve created one using this guide.
Once you have the certificates, run the command below to create a Secret:
kubectl create secret tls my-certificate --cert=tls.crt --key=tls.key
Now that we have our TLS Secret, we can create our Ingress rule:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: http-ingress
spec:
  ingressClassName: contour
  tls:
  - hosts:
    - "example.org"
    secretName: "my-certificate"
  rules:
  - host: "example.org"
    http:
      paths:
      - backend:
          service:
            name: app-svc
            port:
              number: 8181
        path: /
        pathType: Prefix
Now, let’s test whether our website uses the HTTPS protocol:
kubectl -n projectcontour port-forward --address 0.0.0.0 svc/envoy 443:443
Yeah, everything works flawlessly.
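An offline check, added here as an example and not code from the original post, that flags the two gaps this walkthrough moves between: a rule host with no tls entry, and a tls entry whose Secret is not of type kubernetes.io/tls with both tls.crt and tls.key. The sample objects are constructed; the names https-ingress, shop-ingress and opaque-cert, and the single-label wildcard matching, are assumptions that go beyond the page.

```python
import json

# Constructed sample shaped like `kubectl get ingress,secret -o json` output: the
# page's two Ingress variants plus a hypothetical Ingress pointing at a bad Secret.
SAMPLE = json.loads("""{"items": [
 {"kind": "Ingress", "metadata": {"name": "http-ingress", "namespace": "default"},
  "spec": {"rules": [{"host": "example.org"}]}},
 {"kind": "Ingress", "metadata": {"name": "https-ingress", "namespace": "default"},
  "spec": {"tls": [{"hosts": ["example.org"], "secretName": "my-certificate"}],
           "rules": [{"host": "example.org"}]}},
 {"kind": "Ingress", "metadata": {"name": "shop-ingress", "namespace": "default"},
  "spec": {"tls": [{"hosts": ["*.example.org"], "secretName": "opaque-cert"}],
           "rules": [{"host": "shop.example.org"}]}},
 {"kind": "Secret", "type": "kubernetes.io/tls", "metadata": {"name": "my-certificate",
  "namespace": "default"}, "data": {"tls.crt": "PLACEHOLDER", "tls.key": "PLACEHOLDER"}},
 {"kind": "Secret", "type": "Opaque", "metadata": {"name": "opaque-cert",
  "namespace": "default"}, "data": {"tls.crt": "PLACEHOLDER"}}]}""")

def covers(pattern, host):
    """Exact match, or '*.' standing in for exactly one leading DNS label."""
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return pattern == host

def audit(doc):
    """Return sorted (ingress, subject, problem) findings for a kubectl object list."""
    secrets = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
               for s in doc["items"] if s["kind"] == "Secret"}
    findings = []
    for ing in (i for i in doc["items"] if i["kind"] == "Ingress"):
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        tls = ing["spec"].get("tls", [])
        for rule in ing["spec"].get("rules", []):
            host = rule.get("host", "")
            if not any(covers(p, host) for t in tls for p in t.get("hosts", [])):
                findings.append((name, host, "host has no TLS entry"))
        for t in tls:
            ref = t.get("secretName", "")
            sec = secrets.get((ns, ref))
            if sec is None:
                findings.append((name, ref, "secret not found"))
            elif sec.get("type") != "kubernetes.io/tls":
                findings.append((name, ref, "secret is not kubernetes.io/tls"))
            elif not {"tls.crt", "tls.key"} <= set(sec.get("data", {})):
                findings.append((name, ref, "secret lacks tls.crt or tls.key"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Against a real cluster, pass the parsed output of kubectl get ingress,secret -o json to audit(); that output includes the private keys in base64, so keep it off disk and out of logs.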
Next steps
You can follow this post to set up HTTPProxy, Contour’s feature-rich alternative to the Ingress object.