Deploy NGINX Ingress Controller

In this section you will configure and deploy the NGINX Ingress Controller and expose it using a public Azure Load Balancer.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Specify the desired DNS name label for your Azure Load Balancer. This name should be globally unique in the Azure region you are using:

    root@rok-tools:~/ops/deployments# export AZURELB_DNS_NAME_LABEL=arrikto-cluster
  3. Compute the FQDN for your Azure Load Balancer based on the DNS name label:

    root@rok-tools:~/ops/deployments# echo ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com arrikto-cluster.eastus.cloudapp.azure.com
  4. Edit rok/nginx-ingress-controller/overlays/deploy/kustomization.yaml and use service-azurelb as base, instead of the default ingress-alb:

    bases: #- ../ingress-alb #- ../service-elb - ../service-azurelb
  5. Edit rok/nginx-ingress-controller/overlays/deploy/kustomization.yaml and use the service-azurelb patch, instead of the default ingress-alb and service-alb:

    patches: #- path: patches/ingress-alb.yaml #- path: patches/service-alb.yaml #- path: patches/service-elb.yaml - path: patches/service-azurelb.yaml
  6. Enable the firewall in your Azure Load Balancer and allow access only to specific CIDRs. Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Leave the default value of 0.0.0.0/0 if you want to allow access for everyone:

    spec: loadBalancerSourceRanges: - "0.0.0.0/0"
  7. Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set the service.beta.kubernetes.io/azure-dns-label-name annotation to the desired DNS name label for your Azure Load Balancer from step 2:

    metadata: annotations: service.beta.kubernetes.io/azure-dns-label-name: "arrikto-cluster"
  8. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose NGINX Ingress Controller with an Azure Load Balancer"
  9. Deploy NGINX Ingress Controller:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/nginx-ingress-controller/overlays/deploy

Verify

  1. Verify that NGINX Ingress Controller is up-and-running. Check pod status and verify field STATUS is Running and field READY is 1/1:

    root@rok-tools:~/ops/deployments# kubectl -n ingress-nginx get pods NAME READY STATUS RESTARTS AGE nginx-ingress-controller-7f74f657bd-ln59l 1/1 Running 0 1m
  2. Verify that the Load Balancer Service has an external IP:

    root@rok-tools:~/ops/deployments# kubectl -n ingress-nginx get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx LoadBalancer <none> 10.42.42.42 <none> 1m
  3. Verify that the FQDN for your Azure Load Balancer resolves to the LoadBalancer Service IP:

    root@rok-tools:~/ops/deployments# host ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com arrikto-cluster.eastus.cloudapp.azure.com has address 10.42.42.42

Summary

You have successfully deployed the NGINX Ingress Controller, and exposed it using an Azure Load Balancer.

What’s Next

The next step is to expose Istio, our service mesh.