Ingress setup (Kubernetes)
Ingress exposes HTTP and HTTPS routes from outside the cluster to the Hyperscale Compliance services running within the cluster. For more information, refer to the Ingress official documentation.
The proxy pod runs an Nginx HTTP server, which must be the only target of the Ingress rules so that all external traffic is routed to it. Out of the box, the pod accepts requests over HTTPS on port 443, using a self-signed certificate.
After setting up an Ingress, TLS/SSL will be terminated by the HTTP server/load balancer/proxy implementing the Ingress, and not Hyperscale Compliance.
Ingress controller installation and route creation
An Ingress controller is required to continue. Refer to the Microk8s, Amazon AWS EKS, or Microsoft Azure AKS section below for the corresponding Ingress controller installation and Ingress route creation instructions.
Microk8s
Ingress controller installation
An ingress controller can be installed by enabling the ingress addon on the Microk8s cluster. It is enabled by running the command:
microk8s enable ingress
This addon adds an NGINX Ingress Controller for MicroK8s.
Ingress route creation
Next, define the ingress rules for routing traffic to the Hyperscale Compliance services. Create a file named ingress.yaml with the following configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hyperscale-ingress
  namespace: hyperscale-services
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: proxy
                port:
                  number: 443
This ingress configuration directs all HTTP traffic arriving at the root path (/) to the proxy service on port 443, using HTTPS as the backend protocol.
Applying the ingress configuration
With the ingress.yaml file created, apply the configuration to your MicroK8s cluster using the following command:
kubectl apply -f ingress.yaml
Alternatively, you can apply the above ingress configuration with the following single kubectl command:
kubectl create ingress hyperscale-ingress \
  --namespace=hyperscale-services \
  --class=nginx \
  --rule="/*=proxy:443" \
  --annotation=nginx.ingress.kubernetes.io/backend-protocol=HTTPS \
  --annotation=nginx.ingress.kubernetes.io/proxy-body-size=50m \
  --annotation=nginx.ingress.kubernetes.io/proxy-connect-timeout=600 \
  --annotation=nginx.ingress.kubernetes.io/proxy-read-timeout=600 \
  --annotation=nginx.ingress.kubernetes.io/proxy-send-timeout=600
These commands register the ingress class and resource with your Kubernetes cluster, enabling the Nginx Ingress Controller to start routing external traffic to your Hyperscale Compliance services.
Amazon AWS EKS
Ingress controller installation
Please follow these instructions to install an AWS load balancer controller (an Ingress controller that configures AWS application load balancers).
Ingress route creation
Create a file named ingress.yaml, replacing the value of certificate-arn in the example below with the ARN of the certificate you want to use for the HTTPS endpoint.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hyperscale-ingress
  namespace: hyperscale-services
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/xxxxxxx
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: proxy
                port:
                  number: 443
Alternatively, you may use certificate discovery to have the ALB select a matching certificate from AWS Certificate Manager based on the hostname.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hyperscale-ingress
  namespace: hyperscale-services
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  tls:
    - hosts:
        - www.example.com
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: proxy
                port:
                  number: 443
Applying the ingress configuration
Apply the Ingress resource with kubectl apply:
kubectl apply -f ingress.yaml
This creates an application load balancer, which forwards all traffic to Hyperscale Compliance.
Microsoft Azure AKS
Ingress controller installation
Please follow these instructions to install an Nginx Ingress controller. A simple setup can be installed with these commands:
NAMESPACE=ingress-basic
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --create-namespace \
  --namespace $NAMESPACE \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
Ingress route creation
Create a file named ingress.yaml.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hyperscale-ingress
  namespace: hyperscale-services
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: proxy
                port:
                  number: 443
Apply the Ingress resource with kubectl apply:
kubectl apply -f ingress.yaml
To configure TLS, see Use TLS with an Ingress controller.
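One way to check, on any of the three platforms, the requirement stated at the top of this page: that the proxy service on port 443 is the only target of the Ingress rules and is reached over HTTPS. The script audits the output of `kubectl get ingress -n hyperscale-services -o json`. It is an added example, not part of the product documentation; the `extra-ingress` object and `other-svc` service are constructed for the sample.

```python
import json

# The backend-protocol annotation keys used by the nginx and ALB manifests on this page.
PROTOCOL_KEYS = tuple(f"{c}.ingress.kubernetes.io/backend-protocol" for c in ("nginx", "alb"))

def audit_ingress(ing):
    """Return findings for one Ingress object (parsed kubectl JSON)."""
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    name = f'{meta.get("namespace")}/{meta.get("name")}'
    notes = meta.get("annotations") or {}
    findings = []
    if not any(notes.get(k, "").upper() == "HTTPS" for k in PROTOCOL_KEYS):
        findings.append(f"{name}: backend-protocol is not HTTPS")
    # Every backend counts: the default backend and each rule path.
    backends = [("defaultBackend", spec["defaultBackend"])] if "defaultBackend" in spec else []
    for rule in spec.get("rules") or []:
        for p in (rule.get("http") or {}).get("paths") or []:
            backends.append((p.get("path", "/"), p.get("backend") or {}))
    for where, backend in backends:
        svc = backend.get("service") or {}
        target = (svc.get("name"), (svc.get("port") or {}).get("number"))
        if target != ("proxy", 443):
            findings.append(f"{name}: {where} -> {target[0]}:{target[1]}, expected proxy:443")
    return findings

def audit(kubectl_json):
    """Accept one Ingress or a List, as `kubectl get ingress -o json` prints."""
    doc = json.loads(kubectl_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return [f for ing in items for f in audit_ingress(ing)]

def sample_ingress(name, annotations, paths):
    """Build a constructed Ingress object for the sample below."""
    rule = {"http": {"paths": [
        {"path": p, "pathType": "Prefix",
         "backend": {"service": {"name": s, "port": {"number": n}}}}
        for p, s, n in paths]}}
    return {"kind": "Ingress", "spec": {"rules": [rule]}, "metadata": {
        "name": name, "namespace": "hyperscale-services", "annotations": annotations}}

# Constructed sample: the page's manifest plus a hypothetical misconfigured Ingress.
SAMPLE = json.dumps({"kind": "List", "items": [
    sample_ingress("hyperscale-ingress", {PROTOCOL_KEYS[0]: "HTTPS"}, [("/", "proxy", 443)]),
    sample_ingress("extra-ingress", {}, [("/", "proxy", 443), ("/api", "other-svc", 8080)]),
]})

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "OK")
```

On a live cluster, pass the kubectl output to `audit()` in place of `SAMPLE`; an empty result means every Ingress in the namespace routes only to the proxy over HTTPS.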