Deploy NGINX Ingress Controller

In this section you will configure and deploy the NGINX Ingress Controller and expose it using a public Azure Load Balancer.

Note

We recommend that you use a new NGINX Ingress Controller dedicated for serving. In this case, proceed to follow this guide.

Otherwise, if you have exposed EKF and you wish to use the NGINX Ingress Controller you have already created, proceed to the What’s Next section.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Specify the desired DNS name label for your Azure Load Balancer. This name should be globally unique in the Azure region you are using:

    root@rok-tools:~/ops/deployments# export SERVING_AZURELB_DNS_NAME_LABEL=arrikto-cluster-serving
  3. Compute the FQDN for your Azure Load Balancer based on the DNS name label:

    root@rok-tools:~/ops/deployments# echo ${SERVING_AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com arrikto-cluster-serving.eastus.cloudapp.azure.com
  4. Edit rok/nginx-ingress-controller-serving/overlays/deploy/kustomization.yaml and use service-azurelb as base, instead of the default arrikto:

    bases: #- ../arrikto #- ../ingress-alb #- ../service-elb - ../service-azurelb
  5. Edit rok/nginx-ingress-controller-serving/overlays/deploy/kustomization.yaml and enable the service-azurelb patch:

    patches: #- path: patches/ingress-alb.yaml #- path: patches/service-alb.yaml #- path: patches/service-elb.yaml - path: patches/service-azurelb.yaml
  6. Enable the firewall in your Azure Load Balancer and allow access only to specific CIDRs. Edit rok/nginx-ingress-controller-serving/overlays/deploy/patches/service-azurelb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone:

    spec: loadBalancerSourceRanges: - "0.0.0.0/0"
  7. Edit rok/nginx-ingress-controller-serving/overlays/deploy/patches/service-azurelb.yaml and set the service.beta.kubernetes.io/azure-dns-label-name annotation to the desired DNS name label for your Azure Load Balancer from step 2:

    metadata: annotations: service.beta.kubernetes.io/azure-dns-label-name: "arrikto-cluster-serving" # <-- Update this line with your SERVING_AZURELB_DNS_NAME_LABEL.
  8. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose NGINX Ingress Controller with an Azure Load Balancer"
  9. Deploy NGINX Ingress Controller:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/nginx-ingress-controller-serving/overlays/deploy

Verify

  1. Verify that NGINX Ingress Controller is up-and-running. Check pod status and verify field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl -n ingress-nginx-serving get pods NAME READY STATUS RESTARTS AGE nginx-ingress-controller-7f74f657bd-ln59l 1/1 Running 0 1m
  2. Verify that the Load Balancer Service has an external IP:

    root@rok-tools:~/ops/deployments# kubectl -n ingress-nginx-serving get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx LoadBalancer 10.0.156.76 10.42.42.42 80:30253/TCP,443:31855/TCP 1m
  3. Verify that the FQDN for your Azure Load Balancer resolves to the LoadBalancer Service IP:

    root@rok-tools:~/ops/deployments# host ${SERVING_AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com arrikto-cluster-serving.eastus.cloudapp.azure.com has address 10.42.42.42

Summary

You have successfully deployed the NGINX Ingress Controller, and exposed it using an Azure Load Balancer.

What’s Next

The next step is to expose Istio, our service mesh.