Providing External Access to Cloudflow Services
In Kubernetes you can allow external (HTTP) network traffic to reach your services by creating Ingresses and adding an Ingress Controller to your cluster.
This section shows how to install an Ingress controller and how to create an Ingress for your services.
An ingress is a Kubernetes resource that defines a set of routing rules and is serviced by an ingress controller.
Kubernetes offers a wide selection of ingress controllers. Ingress Controllers lists the most common ones.
In order for the Ingress resource to work, the cluster must have an ingress controller running.
Deploying an ingress controller
The Kubernetes project directly supports and maintains two ingress controllers, Nginx-ingress and gce. In this example, we will use the Nginx-ingress ingress controller since it is compatible with all major cloud vendors (GCP, AWS, and Azure).
Follow the instructions in the NGINX Ingress Controller Installation Guide to deploy the Nginx-ingress ingress controller in your cluster.
Creating the ingress resource
The ingress resource defines routes from outside the cluster to an application running in the cluster.
In the example below, we create an ingress that exposes the sensor-data-scala-http-ingress-service service in the namespace sensor-data-scala.
When the Cloudflow operator deploys an application that has one or more streamlets with a server attribute, the operator will create a Kubernetes Service Resource for each of these streamlets. We will use that Service Resource to create a route using an ingress from the outside to the streamlet.
The annotation kubernetes.io/ingress.class in the ingress resource below is the selector used by the ingress controller. If you installed another ingress controller, review its documentation to learn how it selects ingress resources.
After applying the following resource to the cluster, the ingress controller will create the corresponding route from the outside network to the service.
cat <<EOF | kubectl apply -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: sensor-data-http-ingress
  namespace: sensor-data-scala
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - http:
      paths:
      - path: /sensor-data
        backend:
          servicePort: 3000
          serviceName: sensor-data-scala-http-ingress-service
EOF
View the ingress resource to check the progress of the ingress controller assigning an address to the resource. This may take a few minutes.
> kubectl get ingress -n sensor-data-scala
NAME                       HOSTS   ADDRESS         PORTS   AGE
sensor-data-http-ingress   *       82.196.11.250   80      59s
The ingress now has an address, and data can be sent to it at 82.196.11.250/sensor-data.
Authenticated ingress
An Ingress opens up a permanent, unauthenticated route by default. Kubernetes does not provide any authentication on ingresses. Authentication has to be implemented by the exposed service or by the ingress controller.
To use basic authentication or an OAuth sign-in, see Basic Authentication in the Nginx ingress controller documentation.
For more fine-grained access control or alternative authorisation mechanisms, alternative ingress controllers such as NGINX Plus can be deployed.
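The basic-authentication option mentioned above, as an added example (not taken from the Cloudflow or NGINX documentation): it adds the NGINX ingress controller's auth annotations to this page's Ingress and stores the credentials in a Secret. The secret name sensor-data-basic-auth, the user sensor-client and the function names are assumptions.

```shell
#!/bin/sh
# Added example: HTTP basic auth in front of the page's /sensor-data route.
# Assumed names (not from the page): secret "sensor-data-basic-auth",
# user "sensor-client". The annotations are those of the Kubernetes-maintained
# NGINX ingress controller.

NS=sensor-data-scala
SECRET=sensor-data-basic-auth   # assumed name

# Print the page's Ingress with the three auth annotations added.
# Same apiVersion and schema as the page's manifest; clusters at v1.22 or
# later only serve networking.k8s.io/v1, which uses a different backend layout.
render_auth_ingress() {
  cat <<EOF
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: sensor-data-http-ingress
  namespace: $NS
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: $SECRET
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  rules:
  - http:
      paths:
      - path: /sensor-data
        backend:
          serviceName: sensor-data-scala-http-ingress-service
          servicePort: 3000
EOF
}

# Create the credential secret, then apply the Ingress (needs htpasswd, kubectl).
deploy_auth_ingress() {
  tmp=$(mktemp -d) || return 1
  # htpasswd prompts for the password, so it never lands in shell history.
  # The controller reads the htpasswd data from the secret key named "auth".
  htpasswd -c "$tmp/auth" sensor-client &&
    kubectl create secret generic "$SECRET" -n "$NS" --from-file=auth="$tmp/auth" &&
    render_auth_ingress | kubectl apply -f -
  rc=$?
  rm -rf "$tmp"   # do not leave the password hash on disk
  return $rc
}

# Touch the cluster only when asked, e.g. `sh auth-ingress.sh deploy`.
if [ "${1:-}" = "deploy" ]; then deploy_auth_ingress; fi
```

Basic authentication sends the credentials base64-encoded rather than encrypted, and the route shown on this page listens on port 80, so add TLS to the Ingress before relying on it.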