Nginx Ingress Controller
Introduction
aerOS Ingress Controller serves as the single point of access for all services within an aerOS domain, routing traffic to configured containerized applications. Built on NGINX, a high-performance HTTP server and reverse proxy, it plays a crucial role in facilitating secure and seamless external traffic flow. As the entry point to all domain services, it integrates TLS termination and ensures requests are efficiently directed to the correct application components.
Features
Load Balancing: Distributes traffic across multiple backend services to ensure high availability and reliability.
TLS Termination: Handles SSL/TLS encryption and decryption, providing secure communication between clients and the aerOS Domain.
URL Routing: Routes requests based on URL paths or hostnames, allowing multiple services to be exposed under the same IP address.
Rewrite and Redirect: Supports URL rewriting and redirection, enabling flexible and dynamic routing policies.
Rate Limiting: Controls the rate of requests to prevent abuse and ensure fair usage among clients.
Custom Annotations: Allows customization of NGINX behavior using Kubernetes annotations.
Place in Architecture
aerOS NGINX Ingress Controller integrates seamlessly with the Domain, leveraging native resources such as Services, ConfigMaps, and Secrets. It operates by watching Ingress resources and dynamically configuring NGINX to route traffic accordingly.
In the architecture of an aerOS Domain, the NGINX Ingress acts as the entry point for external traffic. Positioned between the external network and internal services, it ensures requests are routed to the appropriate service based on defined rules.
The following diagram illustrates the architecture involving MetalLB and the NGINX Ingress Controller within a Domain:
                  +---------------------------+
                  |                           |
                  |      External Clients     |
                  |                           |
                  +------------+--------------+
                               |
                               |
                      +--------v--------+
                      |                 |
                      |  MetalLB Load   | (Advertises External IP)
                      |    Balancer     |
                      |                 |---------------------+
                      +--------+--------+                     |
                               |                              |
                               |                              |
                      +--------v--------+                     |
                      |                 |                     |
                      |  NGINX Ingress  | (TLS termination and|traffic routing)
                      |        +        |                     |
                      |   Controller    |                     |
                      +--------+--------+                     |
                               |                              |
                               |                              |
        +----------------------+---------------+              |
        |                                      |              |
+-------v-------+                              |              |
|    KrakenD    |                              |              |
|               |                      +-------v-------+      |
+-------v-------+                      |  Other aerOS  |      |
        |                              |    Service    |      |
        +----------------------+       +---------------+      |
        |                      |                              |
+-------v-------+      +-------v-------+              +-------v-------+
|               |      |               |              |               |
|   Service A   |      |   Service B   |              |   Wireguard   |
|     (Pod)     |      |     (Pod)     |              |     (Pod)     |
|               |      |               |              |               |
+---------------+      +---------------+              +---------------+
User Guide
Prerequisites
Before installing the NGINX Ingress Controller, ensure that you have the following prerequisites:
A running aerOS Domain.
kubectl command-line tool configured to communicate with your aerOS Domain.
Helm package manager (optional, but recommended for ease of installation).
A load balancer (MetalLB) to provide an externally routable IP to the aerOS Ingress.
Installation
To install the NGINX Ingress Controller, follow these steps:
Install NGINX Ingress Controller using Helm:
helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace
Verify the installation:
kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
After deploying the NGINX Ingress resource and controller, it automatically receives an external IP address because the ingress service is configured as type LoadBalancer by default. If the cluster uses MetalLB for its bare-metal infrastructure, MetalLB assigns an external IP from its pool. Alternatively, in cloud-based environments, the external IP is provided by the cloud provider's load-balancing service. The external IP, allocated to the Ingress resource, becomes the destination for all incoming traffic, directing it to the appropriate services within the cluster.
kubectl get svc -n ingress-nginx
Output:
NAME                       TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   10.96.56.90   10.220.2.210   80:31578/TCP,443:31600/TCP   20h
Configuration Options
The NGINX Ingress Controller offers a variety of configuration options to customize ingress resource behavior:
Annotations: Use annotations in your Ingress resources to fine-tune NGINX settings.
ConfigMap: Customize the global NGINX configuration using a ConfigMap.
TLS/SSL: Configure SSL/TLS certificates to secure your applications.
Backend Service: Define backend services and the rules for routing traffic to them.
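Here is an example Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  # IngressClass created by the Helm installation above (chart default name)
  ingressClassName: nginx
  tls:
  - hosts:
    # Host names must be lowercase DNS names or the API server rejects them
    - aeros-domain.com
    # Secret of type kubernetes.io/tls in the same namespace as this Ingress
    secretName: example-tls
  rules:
  - host: aeros-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # Service names must also be lowercase
            name: example-aeros-service
            port:
              number: 80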
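The following is an added example, not part of the original aerOS documentation: a Python check over the JSON returned by `kubectl get ingress -A -o json` that flags Ingress resources lacking the TLS and rate-limiting features described above, or carrying snippet annotations. The function names, finding labels and sample input are constructed for illustration; the annotation names are those of ingress-nginx.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"
RATE_KEYS = ("limit-rps", "limit-rpm", "limit-connections")
SNIPPET_KEYS = ("configuration-snippet", "server-snippet")

def audit_ingress(ing):
    """Return findings for one Ingress object (a dict from kubectl JSON)."""
    spec = ing.get("spec", {})
    ann = ing.get("metadata", {}).get("annotations") or {}
    findings = []
    # Rule hosts that no tls entry covers (exactly or by wildcard) have no
    # certificate configured in this resource.
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host", "*")
        wildcard = "*." + host.split(".", 1)[-1]
        if host not in tls_hosts and wildcard not in tls_hosts:
            findings.append(f"no-tls:{host}")
    # HTTP-to-HTTPS redirect explicitly switched off.
    if ann.get(PREFIX + "ssl-redirect", "true").lower() == "false":
        findings.append("ssl-redirect-disabled")
    # None of the rate-limiting annotations is set.
    if not any(PREFIX + k in ann for k in RATE_KEYS):
        findings.append("no-rate-limit")
    # Snippet annotations put raw NGINX directives into the generated config.
    findings += [f"snippet:{k}" for k in SNIPPET_KEYS if PREFIX + k in ann]
    return findings

def audit(kubectl_json):
    """Map 'namespace/name' to findings for every Ingress that has any."""
    out = {}
    for ing in json.loads(kubectl_json).get("items", []):
        meta = ing.get("metadata", {})
        found = audit_ingress(ing)
        if found:
            out[f"{meta.get('namespace', 'default')}/{meta.get('name')}"] = found
    return out

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "demo", "name": "hardened",
                  "annotations": {PREFIX + "limit-rps": "10"}},
     "spec": {"tls": [{"hosts": ["aeros-domain.com"], "secretName": "example-tls"}],
              "rules": [{"host": "aeros-domain.com"}]}},
    {"metadata": {"namespace": "demo", "name": "weak", "annotations": {
        PREFIX + "ssl-redirect": "false", PREFIX + "server-snippet": "..."}},
     "spec": {"rules": [{"host": "api.aeros-domain.com"}]}},
]})
print(audit(SAMPLE))
```

A host without a tls entry is still answered on port 443, but with the controller's default certificate rather than one issued for that host.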
Developer Guide
License
The NGINX Ingress Resource and Controller is licensed under the Apache License, Version 2.0.
Notice (Dependencies)
The NGINX Ingress Controller relies on several dependencies, including:
NGINX: High-performance HTTP server and reverse proxy.
Kubernetes: Container orchestration platform.
Helm: Package manager for Kubernetes.
For more information about the NGINX Ingress Controller, visit https://kubernetes.github.io/ingress-nginx/