Ingress Controllers
Ingress controller configuration and management for external traffic routing in the RCIIS platform.

Overview
Ingress controllers manage external access to services in Kubernetes clusters, providing HTTP and HTTPS routing, SSL termination, and load balancing capabilities.

NGINX Ingress Controller
Primary Ingress Solution
The NGINX Ingress Controller serves as the primary ingress solution for the RCIIS platform, providing robust traffic management and advanced routing capabilities.

Key Features:
- HTTP/HTTPS traffic routing
- SSL/TLS termination
- Load balancing algorithms
- Rate limiting and DDoS protection
- Authentication integration
- WebSocket and gRPC support

Configuration Location
- Path: apps/infra/ingress-nginx/
- Chart: Official ingress-nginx Helm chart
- Environments: Local, Testing, Staging

Deployment Configuration
Helm Values:

controller:
  replicaCount: 2
  service:
    type: LoadBalancer
    loadBalancerIP: 172.18.255.200 # MetalLB for local
  config:
    # Accepts X-Forwarded-* headers from the incoming request; meant for
    # deployments where an L7 proxy in front of the controller sets them.
    use-forwarded-headers: "true"
    compute-full-forwarded-for: "true"
    ssl-redirect: "true"
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 512Mi

Traffic Routing Patterns
Host-Based Routing
Multiple Applications:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: multi-app-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
    - hosts:
        - api.devops.africa
        - app.devops.africa
      secretName: multi-app-tls
  rules:
    - host: api.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nucleus-api
                port:
                  number: 80
    - host: app.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend-app
                port:
                  number: 80

Path-Based Routing
API Versioning:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-versioned-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    # Capture groups in the path require regex matching to be enabled
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
  rules:
    - host: api.devops.africa
      http:
        paths:
          # Regex paths use ImplementationSpecific; Prefix is for literal path prefixes
          - path: /v1(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-v1-service
                port:
                  number: 80
          - path: /v2(/|$)(.*)
            pathType: ImplementationSpecific
            backend:
              service:
                name: api-v2-service
                port:
                  number: 80

Advanced Features
Authentication Integration
OAuth2 Proxy:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: protected-app
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.devops.africa/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.devops.africa/oauth2/start?rd=$escaped_request_uri"
spec:
  rules:
    - host: protected.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: protected-service
                port:
                  number: 80
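
Rate Limiting
Traffic Control:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rate-limited-api
  annotations:
    kubernetes.io/ingress.class: nginx
    # ingress-nginx reads limit-rpm and limit-connections; annotation names it
    # does not recognise are ignored, leaving the route without a limit.
    nginx.ingress.kubernetes.io/limit-rpm: "100"         # requests per minute per client IP
    nginx.ingress.kubernetes.io/limit-connections: "10"  # concurrent connections per client IP
    # limit-rpm is already a per-minute rate, so no separate window annotation is set.
spec:
  rules:
    - host: api.devops.africa
      http:
        paths:
          - path: /api/public
            pathType: Prefix
            backend:
              service:
                name: public-api
                port:
                  number: 80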

Custom Error Pages
Error Handling:

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-error-pages
  namespace: ingress-nginx
data:
  404.html: |
    <!DOCTYPE html>
    <html>
    <head><title>Page Not Found</title></head>
    <body>
    <h1>404 - Page Not Found</h1>
    <p>The requested resource was not found.</p>
    </body>
    </html>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-with-custom-errors
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/custom-http-errors: "404,503"
    nginx.ingress.kubernetes.io/default-backend: error-pages-service
spec:
  rules:
    - host: app.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80

SSL/TLS Configuration
Certificate Management
Automatic Certificate Provisioning:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auto-ssl-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
    - hosts:
        - secure.devops.africa
      secretName: secure-app-tls
  rules:
    - host: secure.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-service
                port:
                  number: 80

SSL Passthrough
End-to-End SSL:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ssl-passthrough
  annotations:
    kubernetes.io/ingress.class: nginx
    # Only honoured when the controller runs with --enable-ssl-passthrough.
    # Passthrough forwards the TLS stream at layer 4, so HTTP-level annotations
    # (auth, rate limits, rewrites) on this Ingress are not applied.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
    - hosts:
        - backend.devops.africa
  rules:
    - host: backend.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: https-backend
                port:
                  number: 443

Load Balancing
Algorithm Configuration
Load Balancing Methods:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: load-balanced-app
  annotations:
    kubernetes.io/ingress.class: nginx
    # upstream-hash-by selects consistent hashing on the given key and takes
    # precedence over load-balance when both are set on the same Ingress.
    nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri"
    nginx.ingress.kubernetes.io/load-balance: "ewma"
spec:
  rules:
    - host: balanced.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: balanced-service
                port:
                  number: 80

Session Affinity
Sticky Sessions:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sticky-session-app
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
spec:
  rules:
    - host: sticky.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: stateful-service
                port:
                  number: 80

Monitoring and Observability
Metrics Collection
Prometheus Integration:

# ServiceMonitor for NGINX metrics
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: ingress-nginx-metrics
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  endpoints:
    - port: prometheus
      interval: 30s
      path: /metrics
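
Access Logging
Log Configuration:

controller:
  config:
    # Folded scalar (>-) joins the lines with spaces so each access-log entry
    # stays on a single line; a literal block (|) would embed newlines.
    log-format-upstream: >-
      $remote_addr - $remote_user [$time_local] "$request"
      $status $body_bytes_sent "$http_referer"
      "$http_user_agent" $request_length $request_time
      [$proxy_upstream_name] $upstream_addr
      $upstream_response_length $upstream_response_time
      $upstream_status $req_id
    # The ConfigMap key is disable-access-log; "false" keeps access logging on.
    disable-access-log: "false"
    access-log-path: "/var/log/nginx/access.log"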
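
The following parser is an added example, not part of the RCIIS repository. It reads entries in the log-format-upstream layout above, assuming the format is emitted on one line, and counts per client the error responses the controller produced without contacting a backend (for example allowlist denials and rate-limit rejections). The function names and the sample entries are constructed for illustration.

```python
import re
from collections import Counter

# One value, or a comma-separated list when NGINX tried several upstreams.
_LIST = r'[^\s,]+(?:, [^\s,]+)*'

# Field order follows the log-format-upstream value shown above.
LINE_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'(?P<request_length>\d+) (?P<request_time>[\d.]+) '
    r'\[(?P<proxy_upstream_name>[^\]]*)\] '
    rf'(?P<upstream_addr>{_LIST}) (?P<upstream_response_length>{_LIST}) '
    rf'(?P<upstream_response_time>{_LIST}) (?P<upstream_status>{_LIST}) '
    r'(?P<req_id>\S+)$'
)

def parse_line(line):
    """Return the fields of one access-log entry as a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None

def rejected_by_controller(lines, threshold=3):
    """Per client address, count error responses that never reached a backend."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        # NGINX logs "-" for $upstream_addr when it answered the request itself.
        if entry and entry["upstream_addr"] == "-" and int(entry["status"]) >= 400:
            hits[entry["remote_addr"]] += 1
    return {addr: n for addr, n in hits.items() if n >= threshold}

# Constructed sample entries (documentation address ranges, made-up request ids).
_HEAD = '[12/Mar/2025:10:15:01 +0000] "GET /api/public/items HTTP/1.1"'
_MID = '"-" "curl/8.5.0" 120 0.012 [default-public-api-80]'
SAMPLE_LOG = [
    f'203.0.113.7 - - {_HEAD} 200 512 {_MID} 10.244.1.15:8080 512 0.011 200 req0001',
    f'198.51.100.23 - - {_HEAD} 503 190 {_MID} - - - - req0002',
    f'198.51.100.23 - - {_HEAD} 503 190 {_MID} - - - - req0003',
    f'198.51.100.23 - - {_HEAD} 503 190 {_MID} - - - - req0004',
    f'203.0.113.7 - - {_HEAD} 200 512 {_MID} '
    '10.244.1.15:8080, 10.244.2.9:8080 0, 512 0.200, 0.050 502, 200 req0005',
]

if __name__ == "__main__":
    print(rejected_by_controller(SAMPLE_LOG))
```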

Alternative Ingress Controllers
Traefik (Alternative)
Configuration Example:

# Traefik ingress resource
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: default-auth@kubernetescrd
spec:
  rules:
    - host: traefik.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80

AWS ALB (Cloud)
AWS Load Balancer Controller:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aws-alb-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account:certificate/cert-id
spec:
  rules:
    - host: aws.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80

Performance Optimization
Connection Optimization
Performance Tuning:

controller:
  config:
    worker-processes: "auto"
    # ingress-nginx ConfigMap keys for worker_connections and worker_rlimit_nofile
    max-worker-connections: "1024"
    max-worker-open-files: "65536"
    keep-alive-requests: "100"
    upstream-keepalive-connections: "50"
    proxy-buffer-size: "4k"
    proxy-buffers-number: "8"

Caching Configuration
Response Caching:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cached-content
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-cache-valid: "200 302 10m"
    # A YAML mapping cannot repeat a key: a second proxy-cache-valid entry
    # would replace the first, so the 404 rule is kept here as a comment.
    # nginx.ingress.kubernetes.io/proxy-cache-valid: "404 1m"
spec:
  rules:
    - host: cached.devops.africa
      http:
        paths:
          - path: /static
            pathType: Prefix
            backend:
              service:
                name: static-content
                port:
                  number: 80

Security Configuration
Security Headers
HTTP Security Headers:

controller:
  config:
    add-headers: "ingress-nginx/security-headers"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: security-headers
  namespace: ingress-nginx
data:
  X-Frame-Options: "SAMEORIGIN"
  X-Content-Type-Options: "nosniff"
  X-XSS-Protection: "1; mode=block"
  Strict-Transport-Security: "max-age=31536000; includeSubDomains"
  Content-Security-Policy: "default-src 'self'"

IP Whitelisting
Access Control:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-access
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
spec:
  rules:
    - host: admin.devops.africa
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin-service
                port:
                  number: 80
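
The following audit is an added example, not part of the RCIIS repository. It checks how the allowlist above interacts with `use-forwarded-headers: "true"` in the Helm values: when the controller accepts X-Forwarded-For from any sender, the address that source-IP controls match on is taken from a request header, so restricting `proxy-real-ip-cidr` to the fronting proxy (or disabling forwarded headers when nothing L7 sits in front) is what makes them meaningful. It assumes ingress-nginx's default `proxy-real-ip-cidr` of `0.0.0.0/0`; the function names and sample objects are constructed for illustration.

```python
import ipaddress

# Annotations whose enforcement keys on the client address NGINX computes.
SOURCE_IP_ANNOTATIONS = (
    "whitelist-source-range", "limit-rpm", "limit-rps", "limit-connections",
)
PREFIX = "nginx.ingress.kubernetes.io/"

def trusts_any_sender(controller_config):
    """True when X-Forwarded-For is honoured from every source address."""
    if controller_config.get("use-forwarded-headers", "false") != "true":
        return False
    # Assumption: proxy-real-ip-cidr defaults to 0.0.0.0/0 when it is unset.
    cidrs = controller_config.get("proxy-real-ip-cidr", "0.0.0.0/0")
    return any(ipaddress.ip_network(c.strip()).prefixlen == 0
               for c in cidrs.split(","))

def audit(controller_config, ingresses):
    """Return (namespace/name, annotation) pairs that rely on a header-derived address."""
    if not trusts_any_sender(controller_config):
        return []
    findings = []
    for ing in ingresses:
        meta = ing["metadata"]
        name = f'{meta.get("namespace", "default")}/{meta["name"]}'
        for key in meta.get("annotations", {}):
            if key.startswith(PREFIX) and key[len(PREFIX):] in SOURCE_IP_ANNOTATIONS:
                findings.append((name, key[len(PREFIX):]))
    return findings

# Constructed input: controller.config from the Helm values on this page and two
# of its Ingress objects, reduced to fields `kubectl get ingress -o json` returns.
PAGE_CONFIG = {"use-forwarded-headers": "true", "compute-full-forwarded-for": "true"}
PAGE_INGRESSES = [
    {"metadata": {"name": "admin-access", "annotations": {
        PREFIX + "whitelist-source-range": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"}}},
    {"metadata": {"name": "multi-app-ingress", "annotations": {
        "cert-manager.io/cluster-issuer": "letsencrypt-prod"}}},
]

if __name__ == "__main__":
    for name, annotation in audit(PAGE_CONFIG, PAGE_INGRESSES):
        print(f"{name}: {annotation} relies on X-Forwarded-For from any sender")
```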

Troubleshooting
Common Issues
503 Service Unavailable:

# Check service endpoints
kubectl get endpoints <service-name> -n <namespace>
# Check backend pod status
kubectl get pods -l app=<app-label> -n <namespace>
# Check ingress configuration
kubectl describe ingress <ingress-name> -n <namespace>

SSL Certificate Issues:

# Check certificate status
kubectl get certificate -n <namespace>
# Check certificate secret
kubectl describe secret <tls-secret> -n <namespace>
# Test certificate
openssl s_client -connect <domain>:443 -servername <domain>

Diagnostic Commands

# Check ingress controller logs
kubectl logs -n ingress-nginx deployment/ingress-nginx-controller
# Check ingress controller status
kubectl get pods -n ingress-nginx
# Test ingress rules
curl -H "Host: <domain>" http://<ingress-ip>/
# Check metrics (the controller serves them on port 10254;
# `kubectl get --raw /metrics` returns the API server's metrics instead)
kubectl port-forward -n ingress-nginx deployment/ingress-nginx-controller 10254:10254 &
curl -s http://127.0.0.1:10254/metrics | grep nginx

For detailed NGINX Ingress Controller configuration, refer to the official documentation.