Docker & Kubernetes : Nginx Ingress Controller on Minikube

On a Mac, we cannot use the NodePort service directly because of the way Docker networking is implemented. Instead, we must use the Minikube tunnel.

To use the Minikube tunnel, simply run the following command:

It is built around the Kubernetes Ingress resource, using a ConfigMap to store the NGINX configuration.

The following diagram shows how we can access using the Kubernetes service:

As we can see, we use http://node-ip:port but what we want is to access our pod via https://myApp. This is where the Ingress comes into the picture:

The Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. An Ingress may be configured to give Services externally-reachable URLs, load balance traffic, terminate SSL / TLS, and offer name-based virtual hosting.

For more details on Ingress, please check out Kubernetes Documentation/ Concepts/ Services, Load Balancing, and Networking/ Ingress.

The Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, though it may also configure our edge router or additional frontends to help handle the traffic:

If we use a Cloud provider's load balancer, we don't have to implement it by ourselves.

We'll use Minikube which runs a single-node (or multi-node with minikube 1.10.1 or higher) Kubernetes cluster inside a VM on our laptop:

$ minikube version
minikube version: v0.30.0

$ minikube start
Starting local Kubernetes v1.10.0 cluster...
Starting VM...
Getting VM IP address...
Moving files into cluster...
Setting up certs...
Connecting to cluster...
Setting up kubeconfig...
Starting cluster components...
Kubectl is now configured to use the cluster.
Loading cached images from config file.

$ minikube status
minikube: Running
cluster: Running
kubectl: Correctly Configured: pointing to minikube-vm at 192.168.99.100

$ kubectl config current-context
minikube

$ kubectl get pods -n kube-system
NAME                                    READY   STATUS    RESTARTS   AGE
coredns-c4cffd6dc-xjr2v                 1/1     Running   2          25m
etcd-minikube                           1/1     Running   0          7m
kube-addon-manager-minikube             1/1     Running   2          25m
kube-apiserver-minikube                 1/1     Running   0          7m
kube-controller-manager-minikube        1/1     Running   0          7m
kube-dns-86f4d74b45-4d72t               3/3     Running   7          26m
kube-proxy-6vq42                        1/1     Running   0          6m
kube-scheduler-minikube                 1/1     Running   2          26m
kubernetes-dashboard-6f4cfc5d87-7f8vl   1/1     Running   5          25m
storage-provisioner                     1/1     Running   6          25m

The Ingress Controller is created when we run the "minikube addons enable ingress". It creates an "nginx-ingress-controller" pod in the "kube-system" namespace.

$ minikube addons enable ingress
ingress was successfully enabled

After enabled the ingress, we can see that the nginx-ingress-controller is in the list of pods:

$ kubectl get pods -n kube-system
NAME                                        READY   STATUS        RESTARTS   AGE
coredns-c4cffd6dc-xjr2v                     1/1     Running   2          30m
default-http-backend-544569b6d7-fqczz       1/1     Running   0          2m
etcd-minikube                               1/1     Running   0          11m
kube-addon-manager-minikube                 1/1     Running   2          29m
kube-apiserver-minikube                     1/1     Running   0          11m
kube-controller-manager-minikube            1/1     Running   0          11m
kube-dns-86f4d74b45-4d72t                   3/3     Running   7          30m
kube-proxy-6vq42                            1/1     Running   0          10m
kube-scheduler-minikube                     1/1     Running   2          30m
kubernetes-dashboard-6f4cfc5d87-7f8vl       1/1     Running   5          30m
nginx-ingress-controller-8566746984-9bxbh   1/1     Running   0          2m
storage-provisioner                         1/1     Running   6          30m

We'll deploy the following gcr.io/kubernetes-e2e-test-images/echoserver:

$ docker run -p 8087:8080 gcr.io/kubernetes-e2e-test-images/echoserver:2.2
Generating self-signed cert
Generating a 2048 bit RSA private key
............................+++
.....................................................................................................................+++
writing new private key to '/certs/privateKey.key'
-----
Starting nginx
172.17.0.1 - - [04/Dec/2018:19:49:30 +0000] "GET / HTTP/1.1" 200 857 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0"
172.17.0.1 - - [04/Dec/2018:19:49:30 +0000] "GET /favicon.ico HTTP/1.1" 200 755 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0"

Here is the e2e-deploy.yaml for deployment:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: e2e
spec:
  replicas: 2
  selector:
    matchLabels:
      app: e2e
  template:
    metadata:
      labels:
        app: e2e
    spec:
      containers:
      - name: http-echo
        image: gcr.io/kubernetes-e2e-test-images/echoserver:2.2
        ports:
        - containerPort: 8080

$ kubectl apply -f e2e-deploy.yaml
deployment.extensions/e2e created

$ kubectl get deployments
NAME   DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
e2e    2         2         2            0           11s

$ kubectl get pods
NAME                   READY   STATUS    RESTARTS   AGE
e2e-6b844f5bf9-l6v8v   1/1     Running   0          3m
e2e-6b844f5bf9-w6fhk   1/1     Running   0          3m

At this time, though the e2e app container is running, we cannot access the app. So, we need to deploy the service. As we can see from the deployment yaml, the port that the application is running on is 8080: "note that containerPort: 8080". So, let's expose our pods using Services (e2e-service.yaml).

In the ServiceSpec yaml below, we're using type: nodePort though it's not the type of we want to expose an app in this post.

Note that Services can be exposed in different ways by specifying a type in the ServiceSpec, and the default is ClusterIP which exposes the Service on an internal IP in the cluster. However, this type makes the Service only reachable from within the cluster.

apiVersion: v1
kind: Service
metadata:
  name: e2e-svc
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30033
    protocol: TCP
    name: http
  selector:
    app: e2e

Here we set three ports. Let's see how they are different:

1. port: This is the port number which makes a service visible to other services running within the same K8s cluster. In other words, in case a service wants to invoke another service running within the same Kubernetes cluster, it will be able to do so using port specified against "port" in the service spec file.
2. targetPort: This port is the port on the POD where the service is running.
3. nodePort: This port is the port on which the service can be accessed from external users using Kube-Proxy.

So, with our yaml, the port is 80 which represents that the service can be accessed by other services in the cluster. The targetPort 8080 is our service that is actually running on port 8080 on pods. The nodePort 30033 represents that our service can be accessed via kube-proxy.

Let's get our url:

$ kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
e2e-svc      NodePort    10.98.228.133   <none>        8088:30033/TCP   9s
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP          5h

$ minikube service e2e-svc --url
http://192.168.99.100:30033

Let's modify our service (e2e-service.yaml) to make it work with Ingress:

apiVersion: v1
kind: Service
metadata:
  name: e2e-svc
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: e2e

Note that we dropped the type of "NodePort".

Here is our Ingress Rules (e2e-ingress.yam):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: e2e-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: \"false\"
spec:
  rules:
  - http:
      paths:
      - path: /e2e-test
        backend:
          serviceName: e2e-svc
          servicePort: 80

$ kubectl apply -f e2e-ingress.yaml 
ingress.extensions/e2e-ingress created

$ kubectl get ing 
NAME          HOSTS   ADDRESS   PORTS   AGE
e2e-ingress   *                 80      19s

The setup allows us to access the service e2e-svc via the /e2e-test. Since we didn't specify a host, then we can access it using the clusterIP which is the default type of exposing a Service.

The nginx.ingress.kubernetes.io/ssl-redirect annotation is used because we are not specifying a host. When no host is specified, then the default-server is hit. The default-server is configured with a self-signed certificate, so the traffic redirects http to https (nginx-ingress-controller always redirect to HTTPS regardless of Ingress annotations if host was not specified).

Now that the Ingress rules are configured, we can test our e2e app by sending some requests:

We may get a warning from a browser saying something like "not secure ...". If we add an exception, we get the response from the browser.

Note: on my mac, I could not get the same response from curl:

$ curl --insecure 192.168.99.100/e2e-test
<html>
<head><title>308 Permanent Redirect</title></head>
<body bgcolor="white">
<center><h1>308 Permanent Redirect</h1></center>
<hr><center>nginx/1.15.3</center>
</body>
</html>

We can check how nginx configures the application routing rules:

$ kubectl get pods -n kube-system
NAME                                        READY   STATUS    RESTARTS   AGE
...
nginx-ingress-controller-8566746984-9bxbh   1/1     Running   0          7h
...


$ kubectl exec -it \
> -n kube-system nginx-ingress-controller-8566746984-9bxbh \
> cat /etc/nginx/nginx.conf

# Configuration checksum: 11152342504644643882

# setup custom paths that do not require root access
pid /tmp/nginx.pid;

daemon off;

worker_processes 2;

...

Reference: Getting Started with Kubernetes Ingress-Nginx on Minikube

$ minikube dashboard
Opening http://127.0.0.1:50198/api/v1/namespaces/kube-system/services/http:kubernetes-dashboard:/proxy/ in your default browser...

Please check out Docker & Kubernetes : Nginx Ingress Controller for Dashboard service on Minikube.

Docker & K8s

1. Docker install on Amazon Linux AMI
2. Docker install on EC2 Ubuntu 14.04
3. Docker container vs Virtual Machine
4. Docker install on Ubuntu 14.04
5. Docker Hello World Application
6. Nginx image - share/copy files, Dockerfile
7. Working with Docker images : brief introduction
8. Docker image and container via docker commands (search, pull, run, ps, restart, attach, and rm)
9. More on docker run command (docker run -it, docker run --rm, etc.)
10. Docker Networks - Bridge Driver Network
11. Docker Persistent Storage
12. File sharing between host and container (docker run -d -p -v)
13. Linking containers and volume for datastore
14. Dockerfile - Build Docker images automatically I - FROM, MAINTAINER, and build context
15. Dockerfile - Build Docker images automatically II - revisiting FROM, MAINTAINER, build context, and caching
16. Dockerfile - Build Docker images automatically III - RUN
17. Dockerfile - Build Docker images automatically IV - CMD
18. Dockerfile - Build Docker images automatically V - WORKDIR, ENV, ADD, and ENTRYPOINT
19. Docker - Apache Tomcat
20. Docker - NodeJS
21. Docker - NodeJS with hostname
22. Docker Compose - NodeJS with MongoDB
23. Docker - Prometheus and Grafana with Docker-compose
24. Docker - StatsD/Graphite/Grafana
25. Docker - Deploying a Java EE JBoss/WildFly Application on AWS Elastic Beanstalk Using Docker Containers
26. Docker : NodeJS with GCP Kubernetes Engine
27. Docker : Jenkins Multibranch Pipeline with Jenkinsfile and Github
28. Docker : Jenkins Master and Slave
29. Docker - ELK : ElasticSearch, Logstash, and Kibana
30. Docker - ELK 7.6 : Elasticsearch on Centos 7
31. Docker - ELK 7.6 : Filebeat on Centos 7
32. Docker - ELK 7.6 : Logstash on Centos 7
33. Docker - ELK 7.6 : Kibana on Centos 7
34. Docker - ELK 7.6 : Elastic Stack with Docker Compose
35. Docker - Deploy Elastic Cloud on Kubernetes (ECK) via Elasticsearch operator on minikube
36. Docker - Deploy Elastic Stack via Helm on minikube
37. Docker Compose - A gentle introduction with WordPress
38. Docker Compose - MySQL
39. MEAN Stack app on Docker containers : micro services
40. MEAN Stack app on Docker containers : micro services via docker-compose
41. Docker Compose - Hashicorp's Vault and Consul Part A (install vault, unsealing, static secrets, and policies)
42. Docker Compose - Hashicorp's Vault and Consul Part B (EaaS, dynamic secrets, leases, and revocation)
43. Docker Compose - Hashicorp's Vault and Consul Part C (Consul)
44. Docker Compose with two containers - Flask REST API service container and an Apache server container
45. Docker compose : Nginx reverse proxy with multiple containers
46. Docker & Kubernetes : Envoy - Getting started
47. Docker & Kubernetes : Envoy - Front Proxy
48. Docker & Kubernetes : Ambassador - Envoy API Gateway on Kubernetes
49. Docker Packer
50. Docker Cheat Sheet
51. Docker Q & A #1
52. Kubernetes Q & A - Part I
53. Kubernetes Q & A - Part II
54. Docker - Run a React app in a docker
55. Docker - Run a React app in a docker II (snapshot app with nginx)
56. Docker - NodeJS and MySQL app with React in a docker
57. Docker - Step by Step NodeJS and MySQL app with React - I
58. Installing LAMP via puppet on Docker
59. Docker install via Puppet
60. Nginx Docker install via Ansible
61. Apache Hadoop CDH 5.8 Install with QuickStarts Docker
62. Docker - Deploying Flask app to ECS
63. Docker Compose - Deploying WordPress to AWS
64. Docker - WordPress Deploy to ECS with Docker-Compose (ECS-CLI EC2 type)
65. Docker - WordPress Deploy to ECS with Docker-Compose (ECS-CLI Fargate type)
66. Docker - ECS Fargate
67. Docker - AWS ECS service discovery with Flask and Redis
68. Docker & Kubernetes : minikube
69. Docker & Kubernetes 2 : minikube Django with Postgres - persistent volume
70. Docker & Kubernetes 3 : minikube Django with Redis and Celery
71. Docker & Kubernetes 4 : Django with RDS via AWS Kops
72. Docker & Kubernetes : Kops on AWS
73. Docker & Kubernetes : Ingress controller on AWS with Kops
74. Docker & Kubernetes : HashiCorp's Vault and Consul on minikube
75. Docker & Kubernetes : HashiCorp's Vault and Consul - Auto-unseal using Transit Secrets Engine
76. Docker & Kubernetes : Persistent Volumes & Persistent Volumes Claims - hostPath and annotations
77. Docker & Kubernetes : Persistent Volumes - Dynamic volume provisioning
78. Docker & Kubernetes : DaemonSet
79. Docker & Kubernetes : Secrets
80. Docker & Kubernetes : kubectl command
81. Docker & Kubernetes : Assign a Kubernetes Pod to a particular node in a Kubernetes cluster
82. Docker & Kubernetes : Configure a Pod to Use a ConfigMap
83. AWS : EKS (Elastic Container Service for Kubernetes)
84. Docker & Kubernetes : Run a React app in a minikube
85. Docker & Kubernetes : Minikube install on AWS EC2
86. Docker & Kubernetes : Cassandra with a StatefulSet
87. Docker & Kubernetes : Terraform and AWS EKS
88. Docker & Kubernetes : Pods and Service definitions
89. Docker & Kubernetes : Service IP and the Service Type
90. Docker & Kubernetes : Kubernetes DNS with Pods and Services
91. Docker & Kubernetes : Headless service and discovering pods
92. Docker & Kubernetes : Scaling and Updating application
93. Docker & Kubernetes : Horizontal pod autoscaler on minikubes
94. Docker & Kubernetes : From a monolithic app to micro services on GCP Kubernetes
95. Docker & Kubernetes : Rolling updates
96. Docker & Kubernetes : Deployments to GKE (Rolling update, Canary and Blue-green deployments)
97. Docker & Kubernetes : Slack Chat Bot with NodeJS on GCP Kubernetes
98. Docker & Kubernetes : Continuous Delivery with Jenkins Multibranch Pipeline for Dev, Canary, and Production Environments on GCP Kubernetes
99. Docker & Kubernetes : NodePort vs LoadBalancer vs Ingress
100. Docker & Kubernetes : MongoDB / MongoExpress on Minikube
101. Docker & Kubernetes : Load Testing with Locust on GCP Kubernetes
102. Docker & Kubernetes : MongoDB with StatefulSets on GCP Kubernetes Engine
103. Docker & Kubernetes : Nginx Ingress Controller on Minikube
104. Docker & Kubernetes : Setting up Ingress with NGINX Controller on Minikube (Mac)
105. Docker & Kubernetes : Nginx Ingress Controller for Dashboard service on Minikube
106. Docker & Kubernetes : Nginx Ingress Controller on GCP Kubernetes
107. Docker & Kubernetes : Kubernetes Ingress with AWS ALB Ingress Controller in EKS
108. Docker & Kubernetes : Setting up a private cluster on GCP Kubernetes
109. Docker & Kubernetes : Kubernetes Namespaces (default, kube-public, kube-system) and switching namespaces (kubens)
110. Docker & Kubernetes : StatefulSets on minikube
111. Docker & Kubernetes : RBAC
112. Docker & Kubernetes Service Account, RBAC, and IAM
113. Docker & Kubernetes - Kubernetes Service Account, RBAC, IAM with EKS ALB, Part 1
114. Docker & Kubernetes : Helm Chart
115. Docker & Kubernetes : My first Helm deploy
116. Docker & Kubernetes : Readiness and Liveness Probes
117. Docker & Kubernetes : Helm chart repository with Github pages
118. Docker & Kubernetes : Deploying WordPress and MariaDB with Ingress to Minikube using Helm Chart
119. Docker & Kubernetes : Deploying WordPress and MariaDB to AWS using Helm 2 Chart
120. Docker & Kubernetes : Deploying WordPress and MariaDB to AWS using Helm 3 Chart
121. Docker & Kubernetes : Helm Chart for Node/Express and MySQL with Ingress
122. Docker & Kubernetes : Deploy Prometheus and Grafana using Helm and Prometheus Operator - Monitoring Kubernetes node resources out of the box
123. Docker & Kubernetes : Deploy Prometheus and Grafana using kube-prometheus-stack Helm Chart
124. Docker & Kubernetes : Istio (service mesh) sidecar proxy on GCP Kubernetes
125. Docker & Kubernetes : Istio on EKS
126. Docker & Kubernetes : Istio on Minikube with AWS EC2 for Bookinfo Application
127. Docker & Kubernetes : Deploying .NET Core app to Kubernetes Engine and configuring its traffic managed by Istio (Part I)
128. Docker & Kubernetes : Deploying .NET Core app to Kubernetes Engine and configuring its traffic managed by Istio (Part II - Prometheus, Grafana, pin a service, split traffic, and inject faults)
129. Docker & Kubernetes : Helm Package Manager with MySQL on GCP Kubernetes Engine
130. Docker & Kubernetes : Deploying Memcached on Kubernetes Engine
131. Docker & Kubernetes : EKS Control Plane (API server) Metrics with Prometheus
132. Docker & Kubernetes : Spinnaker on EKS with Halyard
133. Docker & Kubernetes : Continuous Delivery Pipelines with Spinnaker and Kubernetes Engine
134. Docker & Kubernetes : Multi-node Local Kubernetes cluster : Kubeadm-dind (docker-in-docker)
135. Docker & Kubernetes : Multi-node Local Kubernetes cluster : Kubeadm-kind (k8s-in-docker)
136. Docker & Kubernetes : nodeSelector, nodeAffinity, taints/tolerations, pod affinity and anti-affinity - Assigning Pods to Nodes
137. Docker & Kubernetes : Jenkins-X on EKS
138. Docker & Kubernetes : ArgoCD App of Apps with Heml on Kubernetes
139. Docker & Kubernetes : ArgoCD on Kubernetes cluster
140. Docker & Kubernetes : GitOps with ArgoCD for Continuous Delivery to Kubernetes clusters (minikube) - guestbook