Cluster Ingress

There are two different types of ingress provided in the clusters: public ingress and private ingress. Both use the Kubernetes Gateway API. Note the development status of this project and its features: if a feature is not enabled, that is most likely due to its development status. Please reach out for more details.

Public Ingress

Gateway

We provide a GatewayClass that uses the controller appropriate for the cloud the cluster is deployed into, backed by that cloud's load balancer. Below is an example of the public ingress Gateway installed in the cluster.

Azure Public Gateway Example
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway-external-<dns-zone>
  namespace: <gateway-namespace>
  annotations:
    cert-manager.io/issuer: <cert-manager-dns-zone-issuer>
    alb.networking.azure.io/alb-namespace: <alb-namespace>
    alb.networking.azure.io/alb-name: <alb-name>
spec:
  gatewayClassName: azure-alb-external
  listeners:
  - name: https-listener
    hostname: "*.<dns-zone>"
    port: 443
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
        - name: <dns-zone-certificate>

With this in place, a service being deployed need only reference the gateway it is deploying to, which is done by specifying a Route. The gateway handles TLS termination for traffic coming into the cluster. The workflow for how this certificate is managed and referenced is described in the Certificates documentation.

HTTPRoute

We will focus on an HTTPRoute example for now. When specifying the HTTPRoute there are several important items to remember:

  • It is intended that the HTTPRoute lives in the same namespace as the application.

  • The service port must accept HTTP traffic.

  • The hostname must be a subdomain of a domain managed by the gateway.

Important Note: Kubernetes Services offer a way of specifying an external domain name to "send" traffic to via the ExternalName field. The Gateway API calls out explicitly that implementations should not support this functionality, so an ExternalName Service cannot be used as a backend here. This is documented in the backend object reference section of the Kubernetes Gateway API reference.

HTTP Route Example
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: "<app-name>-route"
  namespace: "<app-namespace>"
spec:
  parentRefs:
  - name: <gateway-name>
    namespace: <gateway-namespace>
  hostnames:
  - <application-hostname>
  rules:
  - backendRefs:
    - name: <application-service-name>
      port: <application-service-port>
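The three rules above (route in the application namespace, hostname under a gateway listener, no ExternalName backend) can be checked before applying a manifest. The following is an added example, not part of the cluster tooling; the gateway, route and service objects are constructed placeholders that mirror the YAML above, and the subdomain rule is applied as the page states it (any depth below the listener's domain qualifies, the bare domain does not).

```python
# Added pre-deployment check for the HTTPRoute rules above. Not part of the
# cluster tooling; the sample objects are constructed placeholders.

def host_allowed(hostname: str, listener_hostname: str) -> bool:
    """Route hostname must be a subdomain of the listener's domain.
    For a wildcard listener '*.zone' any name ending in '.zone' qualifies;
    the bare zone itself is not a subdomain and is rejected."""
    if listener_hostname.startswith("*."):
        suffix = listener_hostname[1:]  # '.zone'
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == listener_hostname

def validate_httproute(route: dict, gateway: dict, service: dict) -> list:
    """Return a list of findings; an empty list means the route passes."""
    findings = []
    ns = route["metadata"]["namespace"]
    if service["metadata"]["namespace"] != ns:
        findings.append("route and backend service are in different namespaces")
    gw = gateway["metadata"]
    if not any(p.get("name") == gw["name"] and p.get("namespace", ns) == gw["namespace"]
               for p in route["spec"]["parentRefs"]):  # parentRef namespace defaults to the route's
        findings.append("no parentRef points at the gateway")
    listener_hosts = [l["hostname"] for l in gateway["spec"]["listeners"]]
    for h in route["spec"].get("hostnames", []):
        if not any(host_allowed(h, lh) for lh in listener_hosts):
            findings.append(f"hostname {h} is not under any gateway listener")
    svc_ports = {p["port"] for p in service["spec"].get("ports", [])}
    for rule in route["spec"]["rules"]:
        for ref in rule.get("backendRefs", []):
            if ref["name"] != service["metadata"]["name"]:
                continue  # a different backend; not checked here
            if service["spec"].get("type") == "ExternalName":
                findings.append("backend is an ExternalName service, which the Gateway API does not support")
            if ref.get("port") not in svc_ports:
                findings.append(f"backend service has no port {ref.get('port')}")
    return findings

# Constructed sample objects mirroring the placeholders in the YAML above.
GATEWAY = {"metadata": {"name": "gateway-external-example-zone", "namespace": "gateways"},
           "spec": {"listeners": [{"hostname": "*.example.test"}]}}
ROUTE = {"metadata": {"name": "shop-route", "namespace": "shop"},
         "spec": {"parentRefs": [{"name": "gateway-external-example-zone", "namespace": "gateways"}],
                  "hostnames": ["shop.example.test"],
                  "rules": [{"backendRefs": [{"name": "shop", "port": 8080}]}]}}
GOOD_SERVICE = {"metadata": {"name": "shop", "namespace": "shop"},
                "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]}}
BAD_SERVICE = {"metadata": {"name": "shop", "namespace": "shop"},
               "spec": {"type": "ExternalName", "externalName": "shop.vendor.example"}}
```

Run `validate_httproute(ROUTE, GATEWAY, GOOD_SERVICE)` for an empty list, and with `BAD_SERVICE` to see the ExternalName and missing-port findings.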
