Ingress

One of the two ways of publishing applications to the public internet is using the Ingress Kubernetes object. This forwards traffic to Kubernetes through UTHPC-managed proxy servers, which allows controlling and enforcing best practices, monitoring and security.

The UTHPC team provides this interface through an HTTP proxy cluster called web.cs.ut.ee. If you need to publish an app or other software, please contact UTHPC support with the name and port of your services and the domain you would like to use.

Considerations for using Ingress

The benefit of using Ingress is that security, best practices and monitoring are managed by the UTHPC infrastructure team. For example, the team manages the TLS certificates.

This comes with a downside: you initially have to work with the UTHPC team to set up the routes, DNS records and TLS certificates.

Also, this proxy solution only works for HTTP and HTTPS traffic; other protocols cannot be forwarded using this technology. Please use the LoadBalancer Service for that.

There's also the possibility of requesting and using public IP addresses for direct connectivity to your services with LoadBalancer Service type, which is documented here.

Setting up ingress traffic for a domain

Setting up Ingress capability for a specific domain requires specific activities:

  1. Pointing the domain name to web.cs.ut.ee.
  2. Configuring the routes inside UTHPC proxy servers to direct the domain's traffic to Kubernetes.
  3. Requesting a TLS certificate from a public certificate authority.
  4. Installing TLS certificates for the domain name.

Important

If the domain name used is managed by UTHPC (for example *.hpc.ut.ee), the UTHPC infrastructure team directs the domain to the HTTP proxy cluster web.cs.ut.ee, installs HTTPS certificates on the proxy, and routes the traffic through the proxies to Kubernetes. It's also possible to enable any specific settings on the proxy level.

Other domains need to be pointed at the web.cs.ut.ee proxy servers by domain owners, with either A or CNAME DNS records. In this case, a Let's Encrypt certificate is requested and used for the domain name.

Setting up Ingress object in Kubernetes

Once the previous steps have been completed, you can start using this domain in Kubernetes by publishing your service with an Ingress object, using the NGINX ingress controller:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: <namespace>
  annotations:
    cert-manager.io/cluster-issuer: vault-hpc-issuer # (1)
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: "<domain>" # (2)
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: application-service
            port:
              number: 80
  tls:
  - hosts:
    - <domain> # (2)
    secretName: <domain> # (2)

  1. Use this issuer to provide network level security between UTHPC proxy servers and the Kubernetes ingress controller.
  2. This should be your domain name. Domains are assigned on a first-come, first-served basis. Using the domain name as secretName is recommended, but with multiple TLS hosts you can choose a different name.
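
A pre-deployment check for the manifest above, as an added example that is not UTHPC's own tooling: it reads an Ingress as JSON and reports a missing vault-hpc-issuer annotation, rule hosts that have no matching spec.tls entry, and placeholders that were never replaced. The function names and the example.org hosts are constructed for illustration.

```python
import json

ISSUER_KEY = "cert-manager.io/cluster-issuer"
EXPECTED_ISSUER = "vault-hpc-issuer"  # issuer used in the manifest on this page

def covered(host, tls_host):
    """True if tls_host (exact name or single-label wildcard) covers host."""
    if tls_host.startswith("*."):
        return host.partition(".")[2] == tls_host[2:]
    return host == tls_host

def lint_ingress(manifest):
    """Return a list of findings for one Ingress manifest given as a dict."""
    findings = []
    meta = manifest.get("metadata") or {}
    spec = manifest.get("spec") or {}
    issuer = (meta.get("annotations") or {}).get(ISSUER_KEY)
    if issuer != EXPECTED_ISSUER:
        findings.append(f"{ISSUER_KEY} is {issuer!r}, expected {EXPECTED_ISSUER!r}")
    tls_hosts = []
    for entry in spec.get("tls") or []:
        tls_hosts += entry.get("hosts") or []
        if not entry.get("secretName"):
            findings.append(f"tls entry {entry.get('hosts')} has no secretName")
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.append("rule has no host, so it applies to all inbound HTTP traffic")
        elif "<" in host:
            findings.append(f"placeholder host {host!r} was not replaced")
        elif not any(covered(host, t) for t in tls_hosts):
            findings.append(f"host {host!r} is not listed under spec.tls")
    return findings

# Constructed sample in the shape printed by `kubectl get ingress <name> -o json`:
# the issuer annotation is missing and api.example.org has no TLS entry.
SAMPLE = json.loads("""
{"metadata": {"name": "ingress",
              "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
 "spec": {"rules": [{"host": "app.example.org"}, {"host": "api.example.org"}],
          "tls": [{"hosts": ["app.example.org"], "secretName": "app.example.org"}]}}
""")

if __name__ == "__main__":
    for finding in lint_ingress(SAMPLE):
        print("FINDING:", finding)
```

An empty result means every rule host is covered by a TLS entry and the issuer annotation matches the one shown on this page.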