
Ingress

Danger

Kubernetes SIG Network and the Security Response Committee have announced the upcoming retirement of Ingress NGINX, the Ingress controller currently used in our Kubernetes infrastructure. Best-effort maintenance will continue until March 2026. We will evaluate alternative solutions and keep you informed about the migration timeline.

More information about the retirement.

One of the two ways of publishing applications to the public internet is using the Ingress Kubernetes object. Traffic is forwarded to Kubernetes via UTHPC-managed proxy servers, which lets the UTHPC team control and enforce best practices, monitoring and security.

The UTHPC team provides this interface through an HTTP proxy cluster called proxy.hpc.ut.ee. If you need to publish an app or service, please contact UTHPC support with the name and port of your Kubernetes services and the domain you would like to use.

Considerations for using Ingress

The benefit of using Ingress is that security, best practices and monitoring are managed by the UTHPC infrastructure team; for example, TLS certificates are managed by them.

The downside is the initial setup: you have to work with the UTHPC team to set up the routes, DNS records and TLS certificates.

Also, this proxy solution only works for HTTP and HTTPS traffic; other protocols cannot be forwarded through it. Use a LoadBalancer Service for those.

There is also the possibility of requesting public IP addresses for direct connectivity to your services with the LoadBalancer Service type, which is documented here.

Setting up ingress traffic for a domain

Please refer to our HAProxy documentation for setting up the ingress for Kubernetes through our proxy servers.

Setting up Ingress object in Kubernetes

Once the previous steps have been completed, you can use this domain in Kubernetes by publishing your service with an Ingress object, using the default NGINX Ingress controller:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: <namespace>
  annotations:
    cert-manager.io/cluster-issuer: vault-hpc-issuer # (1)
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: "<domain>" # (2)
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: application-service
            port:
              number: 80
  tls:
  - hosts:
    - <domain> # (2)
    secretName: <domain> # (2)
1. Use this issuer to provide network-level security between the UTHPC proxy servers and the Kubernetes ingress controller.
2. This should be your domain name. Domains are allocated on a first-come, first-served basis. Using the domain name as secretName is recommended, but with multiple TLS hosts you can choose a different name.

Ingress object with user authentication

You can restrict access to your domain and require user authentication. This authentication method is available for University of Tartu users. Set up the Ingress using the Pomerium Ingress controller:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: application-ingress
  namespace: <namespace>
  annotations:
    cert-manager.io/cluster-issuer: vault-hpc-issuer
    ingress.pomerium.io/allow_websockets: 'true'
    ingress.pomerium.io/pass_identity_headers: 'true'
    ingress.pomerium.io/timeout: 5m
    ingress.pomerium.io/allow_any_authenticated_user: "true"
spec:
  ingressClassName: pomerium-hpc # (1)
  rules:
    - host: "<domain>" # (2)
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: application-service
                port:
                  number: 80 # (3)
  tls:
    - hosts:
        - "<domain>"
      secretName: "tls-<domain>"
1. Use this ingress class when you want authentication for your domain.
2. This should be your domain name. Domains are allocated on a first-come, first-served basis.
3. This is the port number your service exposes.

The previous example gives access to all UT users. You can also restrict access to specific users: remove the ingress.pomerium.io/allow_any_authenticated_user: "true" annotation and add this annotation (under metadata.annotations) instead:

ingress.pomerium.io/policy: |
  allow:
    or:
      - user:
          is: user1@example.com

Other examples of policies can be found in the documentation.
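Both manifests above share a few properties that are easy to get wrong when copying a template: the placeholder domain must be replaced everywhere, every rule host needs a matching tls entry with a secretName, the cert-manager issuer annotation must be present, and an authenticated Ingress should carry either allow_any_authenticated_user or a policy, not both. The following pre-apply check is an added example written for this page, not UTHPC tooling; it works on the object form of an Ingress (what `kubectl get ingress NAME -o json` prints, loaded into a dict), and the sample manifests are constructed here, using app.example.invalid as a stand-in domain.

```python
"""Pre-apply checks for Ingress manifests following this page's conventions.
Added example, not UTHPC's own tooling. Sample manifests are constructed."""
import copy

ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"
EXPECTED_ISSUER = "vault-hpc-issuer"   # issuer named on the page
AUTH_CLASS = "pomerium-hpc"            # authenticating ingress class from the page
ALLOW_ANY = "ingress.pomerium.io/allow_any_authenticated_user"
POLICY = "ingress.pomerium.io/policy"


def lint_ingress(manifest):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if manifest.get("kind") != "Ingress":
        return ["not an Ingress object"]
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    spec = manifest.get("spec") or {}

    # 1. The issuer the page prescribes must be requested.
    if annotations.get(ISSUER_ANNOTATION) != EXPECTED_ISSUER:
        findings.append(f"{ISSUER_ANNOTATION} is not {EXPECTED_ISSUER}")

    # 2. Every rule needs a concrete host and well-formed backend paths.
    rule_hosts = set()
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if not host:
            findings.append("rule without host: would match any name the proxy forwards")
        else:
            if "<" in host or ">" in host:
                findings.append(f"host {host!r} still contains a template placeholder")
            rule_hosts.add(host)
        for p in rule.get("http", {}).get("paths", []):
            if p.get("pathType") not in ("Prefix", "Exact"):
                findings.append(f"path {p.get('path')!r}: pathType must be Prefix or Exact")
            port = p.get("backend", {}).get("service", {}).get("port") or {}
            if not (port.get("number") or port.get("name")):
                findings.append(f"path {p.get('path')!r}: backend service port missing")

    # 3. TLS: each rule host needs a tls entry, and each entry a secretName.
    tls_hosts = set()
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):
            findings.append(f"tls entry for {entry.get('hosts')} has no secretName")
        tls_hosts.update(entry.get("hosts", []))
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"host {host!r} has a rule but no tls entry")
    for host in sorted(tls_hosts - rule_hosts):
        findings.append(f"tls host {host!r} has no matching rule")

    # 4. Authenticated class: exactly one of the two authorization styles.
    if spec.get("ingressClassName") == AUTH_CLASS:
        allow_any = str(annotations.get(ALLOW_ANY, "")).lower() == "true"
        has_policy = bool(annotations.get(POLICY))
        if allow_any and has_policy:
            findings.append(f"{ALLOW_ANY} and {POLICY} are both set; remove the former when using a policy")
        elif not allow_any and not has_policy:
            findings.append(f"{AUTH_CLASS} class without {ALLOW_ANY} or {POLICY}: no authorization rule declared")
    return findings


# Constructed sample mirroring the page's authenticated example with a
# single-user policy and a documentation-only domain.
AUTHENTICATED_OK = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "application-ingress", "namespace": "demo",
                 "annotations": {ISSUER_ANNOTATION: EXPECTED_ISSUER,
                                 "ingress.pomerium.io/pass_identity_headers": "true",
                                 POLICY: "allow:\n  or:\n    - user:\n        is: user1@example.com\n"}},
    "spec": {"ingressClassName": AUTH_CLASS,
             "rules": [{"host": "app.example.invalid", "http": {"paths": [
                 {"path": "/", "pathType": "Prefix",
                  "backend": {"service": {"name": "application-service", "port": {"number": 80}}}}]}}],
             "tls": [{"hosts": ["app.example.invalid"], "secretName": "tls-app.example.invalid"}]},
}


def broken_variant():
    """Constructed negative sample: placeholder left in, both authorization
    annotations set, and the tls entry lacking a secretName."""
    m = copy.deepcopy(AUTHENTICATED_OK)
    m["spec"]["rules"][0]["host"] = "<domain>"
    m["metadata"]["annotations"][ALLOW_ANY] = "true"
    del m["spec"]["tls"][0]["secretName"]
    return m


if __name__ == "__main__":
    for label, m in (("ok", AUTHENTICATED_OK), ("broken", broken_variant())):
        print(label, lint_ingress(m) or "no findings")
```

Run it against the output of `kubectl get ingress NAME -o json` (parsed with the json module) before handing a manifest to the cluster; the placeholder check in particular catches the common mistake of applying a template with `<domain>` still in it, which would neither match the proxied hostname nor get a certificate.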