Use K8 ingress for TLS termination #1443
Use K8 ingress for TLS termination
Kubernetes ingress objects support
The backend protocol from the ingress reverse proxy to the binaries uses HTTP/2 + TLS
This PR uses
I chose 'kustomize
The directory structure:
To verify that this PR worked:
@@            Coverage Diff             @@
##           master    #1443      +/-   ##
==========================================
+ Coverage   66.39%   66.41%   +0.02%
==========================================
  Files          54       54
  Lines        4026     4026
==========================================
+ Hits         2673     2674       +1
  Misses        960      960
+ Partials      393      392       -1
The simplest setup ingress is to only proxy HTTP2 traffic. Multiplexing gRPC and HTTP is possible, but it requires two ingress objects and explicit path / gRPC service specific forwarding rules.
Notes:
- Supply a default backend to prevent the ingress controller from creating its own.
- Supply path routes. Without path routing NGINX won't use our TLS certs and will supply its own "default" TLS cert.
- Link to a static IP resource.
- Disable HTTP to slightly simplify the firewall rules.
- Set the backend protocol to HTTP2.
- Requires an HTTP2 healthcheck at '/'.
- Requires TLS (HTTP2 + TLS is incompatible with cmux).
- Supports GRPC.
Refs
- https://cloud.google.com/load-balancing/docs/https/
Using kustomize is required because `kubectl -k` doesn't support directories as resources in a kustomize file.
This makes the ingress object routable by Kubernetes in Docker (KIND). The current kind config routes localhost traffic on 443 to specific node ports (80443).
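The load balancer settings listed in the commit notes above (static IP, HTTP disabled, HTTP2 backend protocol, TLS, default backend plus path routes) map onto a Service and Ingress pair roughly as follows. This is an added example, not a manifest from this PR: every resource, port and secret name is a placeholder, and it assumes the GKE ingress controller and the `networking.k8s.io/v1` API.

```yaml
# Added example. All names below (example-*) are placeholders, not the project's.
apiVersion: v1
kind: Service
metadata:
  name: example-server
  annotations:
    # "Set the backend protocol to HTTP2": the load balancer re-encrypts and
    # speaks HTTP/2 over TLS to the named port, so the pod must serve TLS itself
    # and answer the load balancer's health check at '/'.
    cloud.google.com/app-protocols: '{"grpc-tls":"HTTP2"}'
spec:
  type: NodePort
  selector:
    app: example-server
  ports:
    - name: grpc-tls
      port: 443
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"
    # "Link to a static IP resource": name of a reserved global address.
    kubernetes.io/ingress.global-static-ip-name: "example-static-ip"
    # "Disable HTTP": no port 80 forwarding rule is created.
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
    - secretName: example-tls   # kubernetes.io/tls secret (tls.crt, tls.key)
  # Explicit default backend, so the controller does not create its own.
  defaultBackend:
    service:
      name: example-server
      port:
        number: 443
  rules:
    - http:
        paths:
          - path: /             # explicit path route to the same backend
            pathType: Prefix
            backend:
              service:
                name: example-server
                port:
                  number: 443
```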
NatalieDoduc left a comment
For your main PR description, can you make the first line more descriptive? These guidelines are really useful: https://chris.beams.io/posts/git-commit/
Could you also add in the PR description more details about the additional files and structure under
Also, I'd recommend if you would explain the use of Kustomize (+ investigation into Helm results) in the PR description itself, rather than inline in the comments.
Finally, if this adds a mechanism to route from outside to our cluster, can you add sample commands or reference to how one might validate that the setup works?