Add on: Ingress

This addon adds an NGINX Ingress Controller for MicroK8s. It is enabled by running the command:

microk8s enable ingress

With the Ingress addon enabled, an HTTP/HTTPS ingress rule can be created with an Ingress resource. For example:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: http-ingress
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: some-service
          servicePort: 80

Additionally, the ingress addon can be configured to expose TCP and UDP services by editing the nginx-ingress-tcp-microk8s-conf and nginx-ingress-udp-microk8s-conf ConfigMaps respectively, and then exposing the port in the Ingress controller.

For example, here a Redis service is exposed via TCP:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-ingress-tcp-microk8s-conf
  namespace: ingress
data:
  6379: "default/redis:6379"
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nginx-ingress-microk8s-controller
  namespace: ingress
spec:
  template:
    spec:
      containers:
      - name: nginx-ingress-microk8s
        ports:
        - containerPort: 80
        - containerPort: 443
        - name: proxied-tcp-6379
          containerPort: 6379
          hostPort: 6379
          protocol: TCP
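
The following is an added example, not part of the MicroK8s documentation: a Python check that cross-references the TCP ConfigMap with the controller DaemonSet to list which backend services end up reachable on a node port, and to flag entries that exist on only one side. The JSON is constructed sample input in the shape of `kubectl get -o json` output; the `minio` service and ports 9000 and 5432 are hypothetical additions made to trigger findings.

```python
import json

# Constructed sample input: the page's two objects as JSON, plus a hypothetical
# ConfigMap entry (9000 -> default/minio) and a hypothetical extra hostPort (5432).
CONFIGMAP = json.loads('{"data": {"6379": "default/redis:6379", "9000": "default/minio:9000"}}')
DAEMONSET = json.loads("""
{"spec": {"template": {"spec": {"containers": [
  {"name": "nginx-ingress-microk8s", "ports": [
    {"containerPort": 80}, {"containerPort": 443},
    {"name": "proxied-tcp-6379", "containerPort": 6379, "hostPort": 6379, "protocol": "TCP"},
    {"name": "proxied-tcp-5432", "containerPort": 5432, "hostPort": 5432, "protocol": "TCP"}
  ]}]}}}}
""")


def parse_target(value):
    """Split 'namespace/service:port[:PROXY[:PROXY]]' into (namespace, service, port)."""
    backend, _, rest = value.partition(":")
    namespace, slash, service = backend.partition("/")
    port = rest.split(":")[0]
    if not (slash and namespace and service and port):
        raise ValueError(f"expected namespace/service:port, got {value!r}")
    return namespace, service, port


def audit(configmap, daemonset, protocol="TCP", http_ports=(80, 443)):
    """Return sorted (kind, port, detail) tuples comparing ConfigMap entries to hostPorts."""
    findings, mapped = [], {}
    for listen, target in (configmap.get("data") or {}).items():
        try:
            mapped[int(listen)] = parse_target(target)
        except ValueError as exc:
            findings.append(("invalid-entry", listen, str(exc)))
    published = set()
    for container in daemonset["spec"]["template"]["spec"]["containers"]:
        for port in container.get("ports", []):
            if port.get("protocol", "TCP") == protocol and "hostPort" in port:
                published.add(port["hostPort"])
    for listen, (ns, svc, svc_port) in mapped.items():
        kind = "exposed-on-nodes" if listen in published else "mapped-not-published"
        findings.append((kind, listen, f"{ns}/{svc}:{svc_port}"))
    for host_port in published - set(mapped) - set(http_ports):
        findings.append(("host-port-without-mapping", host_port, ""))
    return sorted(findings, key=lambda f: (f[0], str(f[1])))


if __name__ == "__main__":
    for finding in audit(CONFIGMAP, DAEMONSET):
        print(*finding)
```

An `exposed-on-nodes` finding means the named service is reachable on that port of every node running the controller pod, so each one should be a deliberate choice.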

Wondering what the recommended way will be to have microk8s service multiple wildcard https subdomains, e.g. *.dev.contoso.com, *.stage.contoso.com

At the moment it seems to be impossible without heavily changing internals.

We recently merged a PR [1] that would allow you to set the default-ssl-certificate [2] via a secret while enabling the ingress add-on:

microk8s enable ingress:default-ssl-certificate=namespace/secret_name

This work is on latest/edge and will be officially out with the 1.19 release.

[1] https://github.com/ubuntu/microk8s/pull/1231
[2] https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate

Yes, but this one is going to work only if we have a single wildcard certificate per cluster, e.g. if I have *.dev.contoso.com, indeed I can use it as the default one with the proposed default-ssl-certificate setting, which is awesome and at least solves half of the problem.

The problem still persists if the cluster is serving multiple wildcard domains, e.g. *.dev.contoso.com, *.stage.contoso.com - we cannot use any of them as the default cert.

So at the moment it seems that the easiest way will be to have N clusters, where N is the number of wildcard certificates, or hack ingress.

[REQUEST] Will you please add the name and namespace of the Ingress's ConfigMap to the document?

I finally found that the name is nginx-load-balancer-microk8s-conf, though. If the name appeared in the document, we wouldn't have to look for the command line options of the controller.