Providing External Access to Cloudflow Services
In Kubernetes you can allow external (HTTP) network traffic to reach your services by creating Ingresses and adding an Ingress Controller to your cluster.
This section shows how to install an Ingress controller and how to create an Ingress for your services.
An ingress is a Kubernetes resource that defines a set of routing rules and is serviced by an ingress controller.
Kubernetes offers a wide selection of ingress controllers available. Ingress Controllers lists the most common ones.
|In order for the Ingress resource to work, the cluster must have an ingress controller running.|
Deploying an ingress controller
The Kubernetes project directly supports and maintains two ingress controllers,
gce. In this example, we will use the
Nginx-ingress ingress controller since it is compatible with all major cloud vendors (GCP, AWS, and Azure).
Follow the instructions in the
NGINX Ingress Controller Installation Guide to deploy the
Nginx-ingress ingress controller in your cluster.
Creating the ingress resource
The ingress resource defines routes between the outside of the cluster to an application running in the cluster.
In the example below, we create an ingress that exposes the
sensor-data-scala-http-ingress-service service in the namespace
|When the Cloudflow operator deploys an application that has one or more streamlets with a server attribute, the operator will create a Kubernetes Service Resource for each of these streamlets. We will use that Service Resource to create a route using an ingress from the outside to the streamlet.|
kubernetes.io/ingress.class in the ingress resource below is the selector used by the ingress controller. If you installed another ingress controller, review its documentation to learn how it selects ingress resources.
After applying the following resource to the cluster, the ingress controller will create the corresponding route from the outside network to the service.
cat <<EOF | kubectl apply -f - apiVersion: extensions/v1beta1 kind: Ingress metadata: name: sensor-data-http-ingress namespace: sensor-data-scala annotations: kubernetes.io/ingress.class: nginx spec: rules: - http: paths: - path: /sensor-data backend: servicePort: 3000 serviceName: sensor-data-scala-http-ingress-service EOF
View the ingress resource to check the progress of the ingress controller assigning an address to the resource. This may take a few minutes.
> kubectl get ingress -n sensor-data-scala NAME HOSTS ADDRESS PORTS AGE sensor-data-http-ingress * 22.214.171.124 80 59s
The ingress now has an address and data can be sent to the ingress on the address
An Ingress opens up a permanent, unauthenticated route by default. Kubernetes does not provide any authentication on ingresses. Authentication has to be implemented by the exposed service or by the ingress controller.
To use basic authentication or an
OAuth sign-in, see Basic Authentication in the Nginx ingress controller documentation.
For more fine-grained access control or alternative authorisation mechanisms, alternative ingress controllers such as NGINX plus can be deployed.