Providing External Access to Cloudflow Services

In K8s you can allow external (HTTP) network traffic to reach your services by creating Ingresses and adding an Ingress Controller to your cluster.

This section shows how to install an Ingress controller and how to create an Ingress for your services.

An Ingress opens up a permanent, unauthenticated route by default. Kubernetes does not provide any authentication on ingresses. Authentication has to be implemented by the exposed service or by the ingress controller.

An ingress is a Kubernetes resource that defines a set of routing rules and is serviced by an ingress controller.

There is a wide selection of ingress controllers available. The following link contains a list of the most common ones.

Before creating an ingress resource, there must be an enabled ingress controller in the cluster.

Deploying an ingress controller

The Kubernetes project directly supports and maintains two ingress controllers, Nginx-ingress and gce. In this example, we will use the Nginx-ingress ingress controller since it is compatible with all major cloud vendors (GCP, AWS, and Azure).

The following link shows how to deploy the Nginx-ingress ingress controller.

Creating the ingress resource

The ingress resource defines routes between the outside of the cluster to an application running in the cluster.

In the example below, we create an ingress that exposes the sensor-data-scala-http-ingress-service service in the namespace sensor-data-scala.

When the Cloudflow operator deploys an application that has one or more streamlets with a server attribute, the operator will create a Kubernetes Service resource for each of these streamlet. The Service resource is what we will use below to create a route using an ingress from the outside to the streamlet.

The annotation kubernetes.io/ingress.class in the ingress resource below is the selector used by the ingress controller. If you installed another ingress controller, review its documentation to learn how it selects ingress resources.

After applying the following resource to the cluster, the ingress controller will create the corresponding route from the outside network to the service.

cat <<EOF | kubectl apply -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: sensor-data-http-ingress
  namespace: sensor-data-scala
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
    rules:
    - http:
        paths:
        - path: /sensor-data
          backend:
            servicePort: 3000
            serviceName: sensor-data-scala-http-ingress-service
EOF

View the ingress resource to check the progress of the ingress controller assigning an address to the resource. This may take a few minutes.

> kubectl get ingress -n sensor-data-scala
NAME                       HOSTS   ADDRESS           PORTS     AGE
sensor-data-http-ingress   *       82.196.11.250       80        59s

The ingress now has an address and data can be sent to the ingress on the address 82.196.11.250/sensor-data

Removing an ingress

If you want to disable the route to the application created by the ingress, delete the ingress using the following command.

kubectl delete sensor-data-http-ingress -n sensor-data-scala