I have a single host cluster with k8s and I would like to configure a Ingress for each namespace in order to create separated environment: one for production, one for development.
I also took 2 different domains.
When I deploy the production ingress there are no problems, but when I deploy the second ingress the dev environment is unreachable, using port-forward everything seems fine.
The 2 ingresses configuration:
Dev
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.bluemix.net/redirect-to-https: "True"
name: dev-ingress
namespace: dev
spec:
rules:
- host: '*.dev.cloud'
http:
paths:
- backend:
serviceName: web-service
servicePort: 80
path: /
tls:
- hosts:
- '*.dev.cloud'
secretName: dev-cert
Production
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.bluemix.net/redirect-to-https: "True"
name: prod-ingress
spec:
rules:
- host: '*.prod.cloud'
http:
paths:
- backend:
serviceName: web-service
servicePort: 80
path: /
- host: "k8s-host"
http:
paths:
- path: /path/to/api
backend:
serviceName: web-api
servicePort: 3000
tls:
- hosts:
- '*.prod.cloud'
secretName: prod-cert
- hosts:
- "k8s-host"
secretName: k8s-host-cert
I also edited the CNAME record of the 2 domains in order to redirect to the k8s host.
I was expecting that the request from a subdomain of one of the domain would be redirected to the ingress matching the domain.
For example:
https://abc.dev.cloud -> dev-ingress
https://abc.prod.cloud -> prod-ingress
Related
I'm using ingress-nginx on kubernetes. I need to redirect incoming connections to / to a blog hosted on webflow and perform path-based routing.
Webflow provides a domain like website123.webflow.com. I would like to serve the blog without performing a redirect. I would like to mask the webflow domain and use the default instead.
Here's what I came with so far:
---
apiVersion: v1
kind: Service
metadata:
name: homepage
spec:
externalName: website123.webflow.io
type: ExternalName
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
external-dns.alpha.kubernetes.io/hostname: my.custom.domain.com
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/load-balance: ewma
nginx.ingress.kubernetes.io/proxy-body-size: 4G
nginx.ingress.kubernetes.io/upstream-vhost: website123.webflow.io
service.beta.kubernetes.io/do-loadbalancer-hostname: my.custom.domain.com
labels:
source: github
name: http
namespace: panattt1
spec:
rules:
- host: my.custom.domain.com
http:
paths:
- path: /api
backend:
serviceName: http
servicePort: 80
- path: /images
backend:
serviceName: http
servicePort: 80
- path: /app
backend:
serviceName: http
servicePort: 80
- path: /game
backend:
serviceName: http
servicePort: 80
- path: /mapmaker
backend:
serviceName: http
servicePort: 80
- path: /dashboard
backend:
serviceName: http
servicePort: 80
- path: /
backend:
serviceName: homepage
servicePort: 80
tls:
- hosts:
- my.custom.domain.com
The above solution doesn't work as I'd like to. The URL in the browser changes from my.custom.domain.com to website123.webflow.io, which is not what I want.
I believe the host header reaches paths other than / which is not ideal. Not tested yet.
If remove nginx.ingress.kubernetes.io/upstream-vhost I get an error from webflow's CDN because the $host header uses a domain that is not available. Adding the custom domain produces the same error.
Any ideas if I can handle this situation gracefully using ingress-nginx?
This works for me without annotations like upstream-vhost etc.
kind: Service
metadata:
name: blog-service
namespace: panattt1
spec:
externalName: website123.webflow.io
ports:
- port: 8001
protocol: TCP
targetPort: 443
type: ExternalName
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/force-ssl-redirect: "true"
ingress.kubernetes.io/ssl-redirect: "true"
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
name: blog-ingress
namespace: panattt1
spec:
rules:
- host: my.custom.domain.com
http:
paths:
- backend:
serviceName: blog-service
servicePort: 8001
path: /
tls:
- hosts:
- my.custom.domain.com
in my k8s system I have a nginx ingress controller as LoadBalancer and accessing it to ddns adress like hedehodo.ddns.net and this triggering to forward web traffic to another nginx port.
Now I deployed another nginx which works on node.js app but I cannot forward nginx ingress controller for any request to port 3000 to go another nginx
here is the nginx ingress controller yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ingress
namespace: default
spec:
rules:
- host: hedehodo.ddns.net
http:
paths:
- path: /
backend:
serviceName: my-nginx
servicePort: 80
- path: /
backend:
serviceName: helloapp-deployment
servicePort: 3000
helloapp deployment works a Loadbalancer and I can access it from IP:3000
could any body help me?
Each host cannot share multiple duplicate paths, so in your example, the request to host: hedehodo.ddns.net will always map to the first service listed: my-nginx:80.
To use another service, you have to specify a different path. That path can use any service that you want. Your ingress should always point to a service, and that service can point to a deployment.
You should also use HTTPS by default for your ingress.
Ingress example:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: test-ingress
spec:
rules:
- host: my.example.net
http:
paths:
- path: /
backend:
serviceName: my-nginx
servicePort: 80
- path: /hello
backend:
serviceName: helloapp-svc
servicePort: 3000
Service example:
---
apiVersion: v1
kind: Service
metadata:
name: helloapp-svc
spec:
ports:
- port: 3000
name: app
protocol: TCP
targetPort: 3000
selector:
app: helloapp
type: NodePort
Deployment example:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloapp
labels:
app: helloapp
spec:
replicas: 1
selector:
matchLabels:
app: helloapp
template:
metadata:
labels:
app: helloapp
spec:
containers:
- name: node
image: my-node-img:v1
ports:
- name: web
containerPort: 3000
You can't have the same "path: /" for the same host. Change the path to a different one for your the new service.
I have an application accessed via hostA.com and a path '/' defined. This application needs annotations:
nginx.ingress.kubernetes.io/auth-tls-secret: ca1
nginx.ingress.kubernetes.io/auth-tls-verify-client: optional
Also, I need to access the same application via the same hostname on a special URL '/v8/something/abc' with https:// but without client authentication, so I need to remove the annotations for TLS. I tried with two different Ingress objects, but it doesn't work because the other Ingress is ignored. Merge does not work because it does not accept TLS annotations. Does anyone know how to configure this?
These below are my ingress objects:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-tls-secret: mynamespace/my-ca
nginx.ingress.kubernetes.io/auth-tls-verify-client: optional
name: ingressA
namespace: mynamespace
spec:
rules:
- host: hosta.com
http:
paths:
- backend:
serviceName: myservice
servicePort: http
path: /
tls:
- hosts:
- hosta.com
secretName: mysecret
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-tls-verify-client: off
name: ingressB
namespace: mynamespace
spec:
rules:
- host: hosta.com
http:
paths:
- backend:
serviceName: myservice
servicePort: http
path: /v8/something/abc
tls:
- hosts:
- hosta.com
secretName: mysecret
I have two apps on a Kubernetes cluster which need to be exposed. One is a OAuth2 based authenticator, the other is the client app using it.
I would like to have the client app on test.mydomain.com and the authenticator on test.mydomain.com/auth
I tried building the following ingress in Kubernetes:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: my-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/proxy-body-size: "20m"
spec:
rules:
- http:
paths:
- path: /auth
backend:
serviceName: authenticator-service
servicePort: 8080
- path: /
backend:
serviceName: app-service
servicePort: 8080
For some reason, I can't get it to work, and whenever I try and hit test.mydomain.com/auth I end up hitting the main app-service. Am I doing something completely wrong? Is what I want to do even possible?
Try this -
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
kubernetes.io/ingress.class: nginx
name: my-ingress
spec:
rules:
- host: test.mydomain.com
http:
paths:
- path: /(.*)
backend:
serviceName: app-service
servicePort: 8080
- path: /auth/(.*)
backend:
serviceName: authenticator-service
servicePort: 8080
I have a kubernetes setup that looks like this:
nginx ingress -> load balancer -> nginx app
after getting an SSL certificate for www.foo.com, I've installed it in my nginx ingress as a secret, and it works as expected - traffic to www.foo.com gets redirected to the https version instead, and browsers display a secure connection indicator. Great.
What hasn't been easy, however, is getting the ingress to redirect non-www traffic to the www version of the site. I've tried using kubernetes.io/from-to-www-redirect: "true", but it doesn't seem to do anything - navigating to foo.com doesn't redirect me to the www version of the url, but either takes me to an insecure version of my site, or navigates me to default backend - 404 depending on whether i include foo.com as a host with it's own path in my ingress.
I have been able to set up a patchy redirect by adding the following to my actual application's nginx config -
server {
listen 80;
server_name foo.com;
return 301 http://www.foo.com$request_uri;
}
UPDATE: from-to-www-redirect DOES work; you just have to reference it with nginx.ingress.kubernetes.io rather than kubernetes.io as I was. But, this only works for foo.com - typing in https://foo.com explicitly causes browsers to display a security warning and no redirect to the proper URL of https://www.foo.com occurs.
Here's my current config for the nginx ingress itself:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: foo-https-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
rules:
- host: www.foo.com
http:
paths:
- backend:
serviceName: foo-prod-front
servicePort: 80
path: /
tls:
- hosts:
- www.foo.com
secretName: tls-secret
You need to add the certificate for the domain you want to be redirected:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: foo-https-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
rules:
- host: foo.com
http:
paths:
- backend:
serviceName: foo-prod-front
servicePort: 80
path: /
- host: www.foo.com
http:
paths:
- backend:
serviceName: foo-prod-front
servicePort: 80
path: /
tls:
- hosts:
- foo.com
- www.foo.com
secretName: tls-secret
I am not completely sure, whether from-to-www-redirect works with this setup, but you can replace it with the following lines, which do work:
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($host = 'foo.com' ) {
rewrite ^ https://www.foo.com$request_uri permanent;
}
I have the following doing the job with the latest nginx-ingress 0.25.1:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-rule-web
annotations:
kubernetes.io/ingress.class: nginx
certmanager.k8s.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/from-to-www-redirect: 'true'
spec:
rules:
- host: foo.org
http:
paths:
- path: /
backend:
serviceName: web
servicePort: 80
tls:
- hosts:
- foo.org
- www.foo.org
secretName: letsencrypt-prod
I found the docs to be confusing here as well. Below is an example i have working. I believe you need to define the naked url in tls certs to avoid a cert error(your cert needs to be valid for both foo.com and www.foo.com). You CANNOT list the naked url under rules: hosts because that will get picked up prior to the redirect.
http://foo.com -> https://www.foo.com
https://foo.com -> https://www.foo.com
http://www.foo.com -> https://www.foo.com
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: foo-https-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
rules:
- host: www.foo.com
http:
paths:
- backend:
serviceName: foo-frontend
servicePort: 80
path: /
tls:
- hosts:
- foo.com
- www.foo.com
secretName: tls-secret
This is rather a problem with your ssl certificate than the nginx ingress configuration. My guess is that your certificate is only valid for foo.com and not for www.foo.com. If you access www.foo.com your browser shows a security warning because the certificate isn't valid for the domain you are visiting.
I had to solve an issue first:
The solution that worked for me is the one from #demisx but on my first try, the solution was not working for another reason. I had more than one ingress with reference to the "example.com" root host and as described on the documentation this was omitting my www redirect rule.
Documentation refers that "If at some point a new Ingress is created with a host equal to one of the options (like domain.com) the annotation will be omitted."
This is example is wrong:
Ingress 1 - to handle example.com
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-https-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
rules:
- host: www.example.com
http:
paths:
- backend:
serviceName: example-frontend
servicePort: 80
path: /
tls:
- hosts:
- example.com
- www.example.com
secretName: tls-secret
Ingress 2 - to handle example.com/news
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-https-ingress-news
spec:
rules:
- host: example.com. # <--------- I HAD ANOTHER REFERENCE
http:
paths:
- backend:
serviceName: example-news
servicePort: 80
path: /news
- host: www.example.com
http:
paths:
- backend:
serviceName: example-news
servicePort: 80
path: /news
tls:
- hosts:
- example.com
- www.example.com
secretName: tls-secret
Solution - Correct Configuration
Make sure that you don't have any other ingress created with the root domain otherwise the redirect will not work as documentation refers. I removed the reference to example.com host on ingress 2 and then immediately started to work.
Ingress 1 - to handle example.com
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-https-ingress
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
rules:
- host: www.example.com
http:
paths:
- backend:
serviceName: example-frontend
servicePort: 80
path: /
tls:
- hosts:
- example.com
- www.example.com
secretName: tls-secret
Ingress 2 - to handle example.com/news
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-https-ingress-news
spec:
rules:
# <--------- removed the other reference to the root host
- host: www.example.com
http:
paths:
- backend:
serviceName: example-news
servicePort: 80
path: /news
tls:
- hosts:
- example.com
- www.example.com
secretName: tls-secret
Note: By the way, I didn't need to add the forward annotation to the 2nd ingress cause is already handled by the first ingress. I'm not sure though, if the order of deployment matters for nginx ingress controllers so take this as a note only and try to confirm yourself.