Ingress Configuration
Goal: Expose the Storage APIs stack outside the cluster using Contour as a load balancer, then configure DNS and optional HTTPS so multiple users can connect via a domain name.
Use Contour as the load balancer for external access.
Note
Ensure your cluster network and security policies allow external access to the load balancer, including any Helm chart configurations for your CSP.
An example would be deploying Contour on AWS with NLB.
This is the local-contour-values.yaml we used for our AWS deployment.
# Example using AWS Contour local-contour-values.yaml
envoy:
  service:
    annotations:
      # Example using NLB
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
      # Example using direct pod IP targeting
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      # Expose the load balancer to the internet
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      # Replace {SECURITY_GROUP_ID} with the actual security group ID
      service.beta.kubernetes.io/aws-load-balancer-security-groups: "{SECURITY_GROUP_ID}"
      # Enable cross-zone load balancing
      service.beta.kubernetes.io/aws-load-balancer-attributes: load_balancing.cross_zone.enabled=true
Configure Contour
Deploy Contour first (example uses Helm chart version 0.2.0) so the cluster is accessible externally.
helm repo add contour https://projectcontour.github.io/helm-charts/
helm pull contour/contour --version 0.2.0
# deploy - optionally you can use a local-contour-values.yaml file if needed.
helm upgrade --install --create-namespace -n contour-system contour contour-0.2.0.tgz # -f local-contour-values.yaml
# verify the deployment is running
kubectl get pods -n contour-system
Note
Note the external IP of the Contour service; you will use it for your DNS record.
Configure your DNS record
Create a DNS record pointing to the load balancer so you can use a domain name instead of a raw IP. For AWS see Route 53; for Azure see External DNS.
# test connection (replace {DNS_URL} with your domain)
dig {DNS_URL}
# Should return the external IP of the Contour service
After DNS is configured, update your services to be accessible via the DNS name.
Configure Services to use Ingress
Create a single ingress-values.yaml to configure ingress for all services so you can update it in one place.
# ingress-values.yaml
# Nesting of fqdn under httpProxy is assumed here; confirm against each chart's values.yaml.
httpProxy:
  enabled: true
  fqdn:
    domain: "{DNS_URL}" # e.g. my-company.storage-apis.example.com
Redeploy the Discovery Service first to test ingress.
# redeploy the discovery service
helm upgrade --install discovery-service ./discovery-service -f ./discovery-service/discovery-values.yaml -f ./ingress-values.yaml --namespace storage-apis
# test (HTTP)
curl http://{DNS_URL}/api/v1/services
# verify with kubectl that the HTTPProxy objects exist
kubectl get httpproxy -n storage-apis
You should see the JSON response with the services. Then redeploy the remaining services with the same ingress configuration.
# redeploy the storage service
helm upgrade --install storage-service ./storage-service -f ./storage-service/storage-values.yaml -f ./ingress-values.yaml --namespace storage-apis
# if you've deployed the notification services, redeploy those as well
helm upgrade --install event-aggregation-service ./event-aggregation-service -f ./event-aggregation-service/event-aggregation-values.yaml -f ./ingress-values.yaml --namespace storage-apis
#
helm upgrade --install event-consumer-service ./event-consumer-service -f ./event-consumer-service/event-consumer-values.yaml -f ./ingress-values.yaml --namespace storage-apis
# verify with kubectl that the HTTPProxy objects exist
kubectl get httpproxy -n storage-apis
You should see two objects for each of the services above that you deployed, and one for Discovery.
Configuring HTTPS
Configure HTTPS so traffic to the ingress is encrypted. This section assumes you already have certificates for your domain installed in the cluster (or will use Cert Manager to obtain them).
Note
Consider using Cert Manager in the cluster to manage certificates and securely access services.
DNS names to get certificates for:
# DNS namespaces based on default discovery configuration
"{DNS_URL}"
"storage.{DNS_URL}"
"event-aggregation.{DNS_URL}"
"event-consumer.{DNS_URL}"
"*.storage.{DNS_URL}"
"*.event-aggregation.{DNS_URL}"
"*.event-consumer.{DNS_URL}"
Configuring the services to use HTTPS
Add HTTPS settings to the same ingress-values.yaml. Deploy your certs into the namespace where you deploy services first, and note the secret name where the certs are stored.
Note
This example uses secret name storage-apis-cert. If you use a different name, update the configuration accordingly.
Update ingress-values.yaml to use HTTPS by adding the tls section shown below.
# ingress-values.yaml
# Nesting of fqdn and tls under httpProxy is assumed here; confirm against each chart's values.yaml.
httpProxy:
  enabled: true
  fqdn:
    domain: "{DNS_URL}" # e.g. my-company.storage-apis.example.com
  # update the tls section to use the secret name you deployed your certs to.
  tls:
    enabled: true
    secretName: storage-apis-cert
Once your certs are deployed and the cluster is ready, you can redeploy the services to use TLS.
# redeploy the discovery service
helm upgrade --install discovery-service ./discovery-service -f ./discovery-service/discovery-values.yaml -f ./ingress-values.yaml --namespace storage-apis
# redeploy the storage service
helm upgrade --install storage-service ./storage-service -f ./storage-service/storage-values.yaml -f ./ingress-values.yaml --namespace storage-apis
# if you've deployed the notification services, redeploy those as well
helm upgrade --install event-aggregation-service ./event-aggregation-service -f ./event-aggregation-service/event-aggregation-values.yaml -f ./ingress-values.yaml --namespace storage-apis
#
helm upgrade --install event-consumer-service ./event-consumer-service -f ./event-consumer-service/event-consumer-values.yaml -f ./ingress-values.yaml --namespace storage-apis
Test HTTPS:
# test (HTTPS)
curl https://{DNS_URL}/api/v1/services
You should see the same JSON response. Services are now accessible via the DNS name you configured.
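One way to confirm that the certificate in use covers every name in the list under Configuring HTTPS, as an added example that is not part of the original documentation. The domain apis.example.com, the probe label and the sample SAN list are constructed; served_sans assumes OpenSSL 1.1.1 or later and network access to the ingress.

```shell
#!/bin/sh
# Added example: does a certificate's SAN list cover every ingress hostname?

# Names from the list above for domain $1. Each wildcard entry is probed with
# a one-label host; "probe" is a made-up label.
required_hosts() {
  printf '%s\n' "$1" "storage.$1" "event-aggregation.$1" "event-consumer.$1" \
    "probe.storage.$1" "probe.event-aggregation.$1" "probe.event-consumer.$1"
}

# san_matches HOST SAN: exact match, or "*.suffix" matching exactly one
# left-most label. A wildcard never matches the bare suffix or two labels.
san_matches() {
  case $2 in
    '*.'*)
      suffix=${2#\*.}
      case $1 in
        *".$suffix")
          label=${1%".$suffix"}
          case $label in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
      esac ;;
    *) [ "$1" = "$2" ] ;;
  esac
}

# missing_hosts DOMAIN "SAN SAN ...": print each required host no SAN covers.
missing_hosts() {
  set -f   # keep "*" in SAN entries from being expanded as a file glob
  for h in $(required_hosts "$1"); do
    ok=no
    for s in $2; do
      if san_matches "$h" "$s"; then ok=yes; break; fi
    done
    [ "$ok" = yes ] || echo "$h"
  done
  set +f
}

# served_sans HOST: SANs of the certificate served on HOST:443, space-separated.
served_sans() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}

# Constructed sample: a single wildcard for the parent domain leaves gaps.
missing_hosts apis.example.com "*.apis.example.com"
# Live check: missing_hosts "$DNS_URL" "$(served_sans "$DNS_URL")"
```

An empty result means every listed name is covered. Because a wildcard matches exactly one label, *.storage.{DNS_URL} does not cover storage.{DNS_URL} itself, which is why the list carries both.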
What’s Next?
Now that you have your services deployed and accessible via HTTPS, you can deploy the Storage Navigator to start browsing and managing your storage.