Deploy NGINX Ingress Controller

In this section you will configure and deploy the NGINX Ingress Controller and expose it using an Application Load Balancer that will terminate TLS with an ACM certificate.

Choose one of the following options to deploy NGINX Ingress Controller:

Option 1: Deploy NGINX Ingress Controller Automatically (preferred)

Deploy NGINX Ingress Controller by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-alb-nginx
../../../../_images/eks-alb-nginx.png

Proceed to the Summary section.

Option 2: Deploy NGINX Ingress Controller Manually

If you want to deploy NGINX Ingress Controller manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{eks-alb-subnets,eks-alb-acm})
    root@rok-tools:~/ops/deployments# export EKS_ALB_SCHEME EKS_ALB_ACM_SUBDOMAIN \ > EKS_ALB_ACM_CERT
  3. Edit rok/nginx-ingress-controller/overlays/deploy/kustomization.yaml and use ingress-alb as base:

    bases: - ../ingress-alb #- ../service-elb #- ../service-azurelb #- ../service-gclb
  4. Edit rok/nginx-ingress-controller/overlays/deploy/kustomization.yaml and enable only the ingress-alb and service-alb patches:

    patches: - path: patches/ingress-alb.yaml - path: patches/service-alb.yaml #- path: patches/service-elb.yaml #- path: patches/service-azurelb.yaml #- path: patches/service-gclb.yaml
  5. Enable the firewall in your Application Load Balancer and allow access only to specific CIDRs. Choose one of the following options, based on your ALB scheme:

    Specify the list of trusted inbound CIDRs for the ALB:

    root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_TRUSTED_CIDRS=<CIDRS>

    Replace <CIDRS> with the desired value. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone. For example:

    root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_TRUSTED_CIDRS="0.0.0.0/0"

    Specify the list of trusted inbound CIDRs for the ALB:

    root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_TRUSTED_CIDRS=<CIDRS>

    Replace <CIDRS> with the desired value. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone within the VPC. For example:

    root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_TRUSTED_CIDRS="0.0.0.0/0"

    Note

    Note that, since the Application Load Balancer will be an internal one, it already accepts connections only from within the VPC. Use the trusted CIDRs as an extra access control mechanism for controlling connections from within the VPC.

    Note

    You can set multiple trusted inbound CIDRs by specifying them as a string list (comma separated list). For more information, see the official AWS Load Balancer Controller docs.

  6. Render the NGINX Ingress Controller ingress patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \ > rok/nginx-ingress-controller/overlays/deploy/patches/ingress-alb.yaml.j2 \ > -o rok/nginx-ingress-controller/overlays/deploy/patches/ingress-alb.yaml
  7. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Deploy NGINX Ingress Controller"
  8. Deploy NGINX Ingress Controller:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/nginx-ingress-controller/overlays/deploy
  9. Wait until the AWS Load Balancer Controller provisions the necessary AWS resources:

    root@rok-tools:~/ops/deployments# kubectl get ingress -n ingress-nginx NAME CLASS HOSTS ADDRESS PORTS AGE ingress-nginx alb * e53a524a-ingressnginx-ingr-1234-592794601.eu-central-1.elb.amazonaws.com 80 64d

    Troubleshooting

    The Ingress object does not get an ADDRESS.

    1. Inspect the logs of aws-load-balancer-controller deployment in the kube-system namespace:

      root@rok-tools:~/ops/deployments# kubectl logs -n kube-system deploy/aws-load-balancer-controller

      If you see a message like the following:

      "msg"="Reconciler error" "error"="failed to build LoadBalancer configuration due to retrieval of subnets failed to resolve 2 qualified subnets.

      it means that your subnets are misconfigured.

    2. Verify your subnets configuration.

  10. Obtain the address of the ALB:

    root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_HOSTNAME=$(kubectl get ingress \ > -n ingress-nginx ingress-nginx -o json \ > | jq -r '.status.loadBalancer.ingress[].hostname')
  11. Render the NGINX Ingress Controller service patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \ > rok/nginx-ingress-controller/overlays/deploy/patches/service-alb.yaml.j2 \ > -o rok/nginx-ingress-controller/overlays/deploy/patches/service-alb.yaml
  12. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.eks-alb-nginx.j2 \ > -o deploy/env.eks-alb-nginx
  13. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Deploy NGINX Ingress Controller - context"
  14. Re-apply the manifests:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/nginx-ingress-controller/overlays/deploy
  15. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag \ > -a deploy/${DATE?}/release-2.0/eks-alb-nginx \ > -m "Deploy NGINX Ingress Controller"

Verify

  1. Verify that NGINX Ingress Controller is up-and-running. Check pod status and verify field STATUS is Running and field READY is 1/1:

    root@rok-tools:~# kubectl -n ingress-nginx get pods NAME READY STATUS RESTARTS AGE ingress-nginx-controller-7f74f657bd-ln59l 1/1 Running 0 1m
  2. Verify that the ALB Ingress has obtained an address:

    root@rok-tools:~# kubectl -n ingress-nginx get ingress NAME CLASS HOSTS ADDRESS PORT(S) AGE ingress-nginx alb * e53a524a-ingressnginx-ingr-8872-592794601.us-east-1.elb.amazonaws.com 80 1m
  3. Verify that the ingress-nginx service has an external IP equal to the address of the ALB:

    root@rok-tools:~# kubectl -n ingress-nginx get service ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx ExternalName <none> e53a524a-ingressnginx-ingr-8872-592794601.us-east-1.elb.amazonaws.com <none> 1m

Summary

You have successfully deployed the NGINX Ingress Controller and exposed it using an Application Load Balancer

What’s Next

The next step is to expose Istio.