Providing External Access to Cloudflow Services

In Kubernetes you can allow external (HTTP) network traffic to reach your services by creating Ingresses and adding an Ingress Controller to your cluster.

This section shows how to install an Ingress controller and how to create an Ingress for your services.

An ingress is a Kubernetes resource that defines a set of routing rules and is serviced by an ingress controller.

Kubernetes offers a wide selection of ingress controllers available. Ingress Controllers lists the most common ones.

In order for the Ingress resource to work, the cluster must have an ingress controller running.

Deploying an ingress controller

The Kubernetes project directly supports and maintains two ingress controllers, Nginx-ingress and gce. In this example, we will use the Nginx-ingress ingress controller since it is compatible with all major cloud vendors (GCP, AWS, and Azure).

Follow the instructions in the NGINX Ingress Controller Installation Guide to deploy the Nginx-ingress ingress controller in your cluster.

Creating the ingress resource

The ingress resource defines routes between the outside of the cluster to an application running in the cluster.

In the example below, we create an ingress that exposes the sensor-data-scala-http-ingress-service service in the namespace sensor-data-scala.

When the Cloudflow operator deploys an application that has one or more streamlets with a server attribute, the operator will create a Kubernetes Service Resource for each of these streamlets. We will use that Service Resource to create a route using an ingress from the outside to the streamlet.

The annotation kubernetes.io/ingress.class in the ingress resource below is the selector used by the ingress controller. If you installed another ingress controller, review its documentation to learn how it selects ingress resources.

After applying the following resource to the cluster, the ingress controller will create the corresponding route from the outside network to the service.

cat <<EOF | kubectl apply -f -
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: sensor-data-http-ingress
  namespace: sensor-data-scala
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
    rules:
    - http:
        paths:
        - path: /sensor-data
          backend:
            servicePort: 3000
            serviceName: sensor-data-scala-http-ingress-service
EOF

View the ingress resource to check the progress of the ingress controller assigning an address to the resource. This may take a few minutes.

> kubectl get ingress -n sensor-data-scala
NAME                       HOSTS   ADDRESS           PORTS     AGE
sensor-data-http-ingress   *       82.196.11.250       80        59s

The ingress now has an address and data can be sent to the ingress on the address 82.196.11.250/sensor-data

Authenticated ingress

An Ingress opens up a permanent, unauthenticated route by default. Kubernetes does not provide any authentication on ingresses. Authentication has to be implemented by the exposed service or by the ingress controller.

To use basic authentication or an OAuth sign-in, see Basic Authentication in the Nginx ingress controller documentation.

For more fine-grained access control or alternative authorisation mechanisms, alternative ingress controllers such as NGINX plus can be deployed.

Removing an ingress

If you want to disable the route to the application created by the ingress, delete the ingress using the following command.

kubectl delete sensor-data-http-ingress -n sensor-data-scala