Deploy NGINX Ingress Controller

In this section you will configure and deploy the NGINX Ingress Controller and expose it using a public Azure Load Balancer.

What You'll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments

  2. Specify the desired DNS name label for your Azure Load Balancer. This name should be globally unique in the Azure region you are using:

    root@rok-tools:~/ops/deployments# export AZURELB_DNS_NAME_LABEL=arrikto-cluster

  3. Compute the FQDN for your Azure Load Balancer based on the DNS name label:

    root@rok-tools:~/ops/deployments# echo ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com
arrikto-cluster.eastus.cloudapp.azure.com

  4. Edit rok/nginx-ingress-controller/overlays/deploy/kustomization.yaml and use service-azurelb as base, instead of the default ingress-alb:

    bases:
#- ../ingress-alb
#- ../service-elb
- ../service-azurelb

  5. Edit rok/nginx-ingress-controller/overlays/deploy/kustomization.yaml and use the service-azurelb patch, instead of the default ingress-alb and service-alb:

    patches:
#- path: patches/ingress-alb.yaml
#- path: patches/service-alb.yaml
#- path: patches/service-elb.yaml
- path: patches/service-azurelb.yaml

  6. Enable the firewall in your Azure Load Balancer and allow access only to specific CIDRs. Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone:

    spec:
  loadBalancerSourceRanges:
  - "0.0.0.0/0"

    See also

  7. Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set the service.beta.kubernetes.io/azure-dns-label-name annotation to the desired DNS name label for your Azure Load Balancer from step 2:

    metadata:
  annotations:
    service.beta.kubernetes.io/azure-dns-label-name: "arrikto-cluster"

  8. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose NGINX Ingress Controller with an Azure Load Balancer"

  9. Deploy NGINX Ingress Controller:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/nginx-ingress-controller/overlays/deploy

Verify

  1. Verify that NGINX Ingress Controller is up-and-running. Check pod status and verify field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl -n ingress-nginx get pods
NAME                                        READY   STATUS    RESTARTS AGE
nginx-ingress-controller-7f74f657bd-ln59l   1/1     Running   0        1m

  2. Verify that the Load Balancer Service has an external IP:

    root@rok-tools:~/ops/deployments# kubectl -n ingress-nginx get service
NAME                TYPE           CLUSTER-IP  EXTERNAL-IP   PORT(S)  AGE
ingress-nginx       LoadBalancer   <none>      10.42.42.42   <none>   1m

  3. Verify that the FQDN for your Azure Load Balancer resolves to the LoadBalancer Service IP:

    root@rok-tools:~/ops/deployments# host ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com
arrikto-cluster.eastus.cloudapp.azure.com has address 10.42.42.42

Summary

You have successfully deployed the NGINX Ingress Controller, and exposed it using an Azure Load Balancer.

What's Next

The next step is to expose Istio, our service mesh.