Add on: Ingress

This addon adds an NGINX Ingress Controller for MicroK8s. It is enabled by running the command:

microk8s enable ingress

With the Ingress addon enabled, an HTTP/HTTPS ingress rule can be created with an Ingress resource. For example:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: http-ingress
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: some-service
          servicePort: 80

Additionally, the ingress addon can be configured to expose TCP and UDP services by editing the nginx-ingress-tcp-microk8s-conf and nginx-ingress-udp-microk8s-conf ConfigMaps respectively, and then exposing the port in the Ingress controller.

For example, here a Redis service is exposed via TCP:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-tcp-microk8s-conf
  namespace: ingress
data:
  6379: "default/redis:6379"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-microk8s-controller
  namespace: ingress
spec:
  template:
    spec:
      containers:
      - name: nginx-ingress-microk8s
        ports:
        - containerPort: 80
        - containerPort: 443
        - name: proxied-tcp-6379
          containerPort: 6379
          hostPort: 6379
          protocol: TCP
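
An added example (not part of the MicroK8s documentation): a check that cross-references the TCP ConfigMap with the controller DaemonSet to list which backend services are actually reachable on a node host port. It assumes input in the JSON shape returned by `kubectl get -o json`; the function names, the ignored controller ports, and the 5432 and 9000 sample entries are constructed for illustration.

```python
import json

# Constructed sample input in the JSON shape of `kubectl get ... -o json`.
# The 5432 mapping and the 9000 hostPort are constructed mismatch cases.
TCP_CONFIGMAP = json.loads("""{
  "data": {"6379": "default/redis:6379", "5432": "default/postgres:5432"}
}""")
DAEMONSET = json.loads("""{
  "spec": {"template": {"spec": {"containers": [{
    "name": "nginx-ingress-microk8s",
    "ports": [
      {"containerPort": 80}, {"containerPort": 443},
      {"name": "proxied-tcp-6379", "containerPort": 6379, "hostPort": 6379, "protocol": "TCP"},
      {"name": "proxied-tcp-9000", "containerPort": 9000, "hostPort": 9000, "protocol": "TCP"}
    ]}]}}}
}""")

# Assumption: the controller's own HTTP, HTTPS and health listeners.
CONTROLLER_PORTS = {"80", "443", "10254"}

def parse_target(value):
    """Split 'namespace/service:port[:PROXY[:PROXY]]' into its parts."""
    backend, port, *flags = value.split(":")
    namespace, _, service = backend.partition("/")
    if not (namespace and service and port):
        raise ValueError(f"malformed stream target: {value!r}")
    return namespace, service, port, flags

def audit_stream_exposure(configmap, daemonset, protocol="TCP", ignore=CONTROLLER_PORTS):
    """Classify each port as exposed, mapped-only, or dangling-hostport."""
    host_ports = {}  # containerPort (as string) -> hostPort
    for c in daemonset["spec"]["template"]["spec"]["containers"]:
        for p in c.get("ports", []):
            if "hostPort" in p and p.get("protocol", "TCP") == protocol:
                host_ports[str(p["containerPort"])] = p["hostPort"]
    data = configmap.get("data") or {}
    findings = []
    for listen, value in sorted(data.items()):
        ns, svc, port, _ = parse_target(value)
        state = "exposed" if listen in host_ports else "mapped-only"
        findings.append((state, host_ports.get(listen), f"{ns}/{svc}:{port}"))
    for listen, hp in sorted(host_ports.items()):
        if listen not in data and listen not in ignore:
            findings.append(("dangling-hostport", hp, None))
    return findings

if __name__ == "__main__":
    for finding in audit_stream_exposure(TCP_CONFIGMAP, DAEMONSET):
        print(finding)
```

An `exposed` entry is proxied as a raw TCP stream on every node that runs the controller, so the backend's own authentication and any network policy are what protect it.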

Wondering what will be the recommended way to have microk8s service multiple wildcard https subdomains, e.g. *.dev.contoso.com, *.stage.contoso.com

At the moment it seems to be impossible without heavily changing internals

We recently merged a PR [1] that would allow you to set the default-ssl-certificate [2] via a secret while enabling the ingress add-on:

microk8s enable ingress:default-ssl-certificate=namespace/secret_name

This work is on latest/edge and will be officially out with the 1.19 release.

[1] https://github.com/ubuntu/microk8s/pull/1231
[2] https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

Yes, but this one is going to work only if we have a single wildcard certificate per cluster, e.g. if I have *.dev.contoso.com, indeed I can use it as the default one with the proposed default-ssl-certificate setting, which is awesome and at least solves half of the problem

The problem still persists if the cluster is serving multiple wildcard domains, e.g. *.dev.contoso.com, *.stage.contoso.com - we cannot use any of them as the default cert

So at the moment it seems that the easiest way will be to have N clusters, where N is the number of wildcard certificates, or hack ingress

[REQUEST] Will you please add the name and namespace of Ingress’s ConfigMap to the document?

I finally found that name nginx-load-balancer-microk8s-conf though. If the name appeared on the document, we wouldn’t have to look for the command line options of the controller.

Hello Team,

Using the code provided in the document results in the below error:


kubectl apply -f ingress.yaml
Warning: networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.networking.k8s.io/http-ingress configured


If we change the Ingress to “networking.k8s.io/v1” it results in the below error:


kubectl apply -f ingress.yaml
error: error validating "ingress.yaml": error validating data: [ValidationError(Ingress.spec.rules[0].http.paths[0].backend): unknown field "serviceName" in io.k8s.api.networking.v1.IngressBackend, ValidationError(Ingress.spec.rules[0].http.paths[0].backend): unknown field "servicePort" in io.k8s.api.networking.v1.IngressBackend]; if you choose to ignore these errors, turn validation off with --validate=false


What should the correct documentation for Ingress be referred to?

Thank you,
Anish

Hi, currently the nginx ingress doesn’t support the v1 networking api.

The networking.k8s.io/v1 has some breaking changes to the manifest. It is not just changing the version. We also need to upgrade the ingress controller.

For now refer to the 1.18 ingress documentation.

Apologies for any confusion.