Updated at April 15, 2024 08:50 AM

Deploying Ingress controller with TCP load balancer

The Ingress controller can be deployed in conjunction with the TCP load balancer of the VK Cloud platform. As an example, a simple demo application and an Ingress resource will be deployed to test the operation of the controller.

1. Preparatory steps

Create a Kubernetes cluster of the most current version.

When creating the cluster select the Assign external IP option.

Select other cluster settings at your discretion.
Make sure that the NGINX Ingress addon (ingress-nginx) is not installed in the cluster. For demonstration purposes, the Ingress controller will be installed manually.
Make sure that you can connect to the cluster using `kubectl'.
Install Helm if the utility is not already installed.
Install curl if the utility is not already installed.

2. Deploy demo applications

These applications will be accessed through the Ingress controller using the Ingress resource.

The tea and coffee applications from NGINX's Cafe example will be used for the demo. Each application consists of a ReplicaSet, a Deployment and a Service corresponding to that Deployment.

To deploy the demo applications:

Download the [cafe.yaml] manifest(https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v2.4.0/examples/ingress-resources/complete-example/cafe.yaml).

Apply this manifest to the cluster:


kubectl apply -f ./cafe.yaml

To check the status of the application components, run the command:


kubectl get svc,rs,deployment -n default

The output of the command should be similar to this one:


NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGEservice/coffee-svc   ClusterIP   ...              <none>        80/TCP    ...service/tea-svc      ClusterIP   ...              <none>        80/TCP    ...NAME                                DESIRED   CURRENT   READY   AGEreplicaset.apps/coffee-7c86d7d67c   2         2         2       ...replicaset.apps/tea-5c457db9        3         3         3       ...NAME                     READY   UP-TO-DATE   AVAILABLE   AGEdeployment.apps/coffee   2/2     2            2           ...deployment.apps/tea      3/3     3            3           ...

3. Install Ingress Controller

When installing, select PROXY operation mode as it is necessary for full interaction with the TCP load balancer. If you install an Ingress controller without support for this protocol, the controller will not be able to handle headers that contain information about the request source.

To install an NGINX Ingress Controller with PROXY protocol support:

Add the NGINX Helm repository:

Linux/macOS

Windows


helm repo add nginx-stable https://helm.nginx.com/stablehelm repo update

Install a PROXY-enabled Ingress controller by running the command:


helm install nginx-ingress-tcp nginx-stable/nginx-ingress --set-string 'controller.config.entries.use-proxy-protocol=true' --create-namespace --namespace example-nginx-ingress-tcp

Wait until the installation of the Ingress controller is complete and the controller receives an external IP address.

To check the status of the Ingress controller, run the command:


kubectl get svc -n example-nginx-ingress-tcp

The output of the command should be similar to this one:


NAME                              TYPE           CLUSTER-IP    EXTERNAL-IP                                   PORT(S)    AGEnginx-ingress-tcp-nginx-ingress   LoadBalancer   ...           <IP address assigned to the load balancer>    ...        ...

Check if the Ingress controller is working by browsing to http://<IP address assigned to the load balancer>. If the controller is configured correctly, a page with the status of HTTP 404 will be displayed.

4. Create an Ingress resource

The Ingress resource will publish the coffee-svc and tea-svc services through the Ingress controller, thus providing access to the applications.

The following is a demonstration of how to create an Ingress resource with SSL/TLS sessions termination on the Ingress controller. If you plan to use HTTPS, session termination must be done on the controller because the TCP load balancer does not have the technical capability to terminate SSL/TLS sessions.

To create an Ingress resource:

Create a Kubernetes secret that will contain the certificate data. This will be used by the Ingress controller when handling HTTPS traffic.

This secret contains the public and private parts of the NGINX self-signed certificate, which is used to access the published applications in the cafe.example.com domain.
Download the [cafe-secret.yaml] manifest (https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v2.4.0/examples/ingress-resources/complete-example/cafe-secret.yaml).

Apply this manifest to the cluster:


kubectl apply -f ./cafe-secret.yaml

The cafe-secret secret will be created.

Check that the secret has been successfully created by running the command:
```
kubectl describe secret cafe-secret
```
The basic information about the secret will be shown.

Create an Ingress resource which will handle incoming requests to host cafe.example.com:

Download the cafe-ingress.yaml manifest.

Apply this manifest to the cluster:


kubectl apply -f ./cafe-ingress.yaml

The cafe-ingress Ingress resource will be created.

Check that the resource was successfully created by running the command:


kubectl describe ingress cafe-ingress

The output of the command should be similar to this one:


Name:             cafe-ingressLabels:           <none>Namespace:        defaultAddress:          <IP address assigned to the load balancer>Ingress Class:    nginxDefault backend:  <default>TLS:  cafe-secret terminates cafe.example.comRules:  Host              Path  Backends  ----              ----  --------  cafe.example.com                    /tea      tea-svc:80 (...)                    /coffee   coffee-svc:80 (...)

Note that the IP address assigned to Ingress must be the same as the IP address assigned to the Ingress controller. This address belongs to the VK Cloud platform's TCP balancer, which routes incoming traffic to the Ingress controller.

5. Check application availability

Check that pods named tea and coffee exist by getting a list of all pods in the default namespace:
```
kubectl get pods
```

Run the command:

Coffee

Tea


curl -k --resolve cafe.example.com:443:<Ingress IP address> https://cafe.example.com/coffee

The request should be answered by one of the two coffee pods. The response will contain the name of the pod that responded (Server name), for example:


Server address: ...:8080Server name: coffee-7c86d7d67c-zsmwzDate: ...URI: /coffeeRequest ID: ...

Receiving such responses means that the Ingress controller is configured correctly:

interacts with VK Cloud TCP load balancer;
terminates SSL\TLS sessions;
provides access to services corresponding to the deployed applications.

Delete unused resources

If the Kubernetes resources you created are no longer needed, delete them.

Linux/macOS

Windows


kubectl delete -f ./cafe-ingress.yamlkubectl delete -f ./cafe-secret.yamlkubectl delete -f ./cafe.yamlhelm uninstall nginx-ingress-tcp -n example-nginx-ingress-tcpkubectl delete namespace example-nginx-ingress-tcp

A running cluster consumes computing resources. If you no longer need it:
- stop it to use it later;
- delete it permanently.

Did not find your answer?Write to us