**This notebook covered by the following [license](License.ipynb)  This note must not be removed**

# Ingress

- [Must be enabled](IngressStart.ipynb)
- [Service Networking Concept](https://kubernetes.io/docs/concepts/services-networking/ingress/)
- Implemented by an [Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)
- Implementation dependent [Overview by Yitaek Hwang](https://medium.com/swlh/kubernetes-ingress-controller-overview-81abbaca19ec)
- Can include [External Oauth 2 ](https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/)
- Most popular [NGinx Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/)

In [1]:
kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0

deployment.apps/web created


In [2]:
kubectl expose deployment web --type=NodePort --port=8080

service/web exposed


In [3]:
kubectl get service web 

NAME   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
web    NodePort   10.102.137.56   <none>        8080:30688/TCP   13s


In [4]:
NODEPORT=$(kubectl get service web  -o jsonpath='{.spec.ports[0].nodePort}')
echo $NODEPORT

30688


In [8]:
hostname -i

192.168.49.2


In [6]:
curl $(hostname -i):$NODEPORT

Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-csmdz


In [7]:
kubectl get all 

NAME                                    READY   STATUS      RESTARTS   AGE
pod/kube-bench--1-cqzmb                 0/1     Completed   0          104m
pod/nginx-deployment-7848d4b86f-chjjb   1/1     Running     0          9m52s
pod/web-79d88c97d6-csmdz                1/1     Running     0          76s

NAME                 TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)          AGE
service/kubernetes   ClusterIP      10.96.0.1       <none>         443/TCP          25h
service/nginx        LoadBalancer   10.110.37.38    10.110.37.38   80:32314/TCP     9m40s
service/web          NodePort       10.102.137.56   <none>         8080:30688/TCP   70s

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-deployment   1/1     1            1           9m52s
deployment.apps/web                1/1     1            1           76s

NAME                                          DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-deployment-7848d4b86f 

In [9]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: $(hostname -i).nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
EOF

ingress.networking.k8s.io/example-ingress created


In [14]:
kubectl get ingress example-ingress -o yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"nginx.ingress.kubernetes.io/rewrite-target":"/"},"name":"example-ingress","namespace":"default"},"spec":{"rules":[{"host":"192.168.49.2.nip.io","http":{"paths":[{"backend":{"service":{"name":"web","port":{"number":8080}}},"path":"/","pathType":"Prefix"}]}}]}}
    nginx.ingress.kubernetes.io/rewrite-target: /
  creationTimestamp: "2022-01-19T10:37:13Z"
  generation: 1
  name: example-ingress
  namespace: default
  resourceVersion: "64960"
  uid: 6cd6629b-8480-45e4-a1d3-f12e4d721a87
spec:
  ingressClassName: nginx
  rules:
  - host: 192.168.49.2.nip.io
    http:
      paths:
      - backend:
          service:
            name: web
            port:
              number: 8080
        path: /
        pathType: Prefix
status:
  loadBalancer:
    ingress:
    - ip: 192.168.49.2


In [11]:
kubectl describe ingress example-ingress

Name:             example-ingress
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  192.168.49.2.nip.io  
                       /   web:8080 (172.17.0.7:8080)
Annotations:           nginx.ingress.kubernetes.io/rewrite-target: /
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  Sync    23s   nginx-ingress-controller  Scheduled for sync


In [12]:
INGRESS_HOST=$(kubectl get ingress example-ingress -o jsonpath='{.spec.rules[0].host}')
echo $INGRESS_HOST

192.168.49.2.nip.io


In [13]:
curl $INGRESS_HOST/helloweb

Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-csmdz


In [15]:
curl -vvvvv $INGRESS_HOST/helloweb

* Uses proxy env variable NO_PROXY == 'control-plane.minikube.internal'
*   Trying 192.168.49.2:80...
* TCP_NODELAY set
* Connected to 192.168.49.2.nip.io (192.168.49.2) port 80 (#0)
> GET /helloweb HTTP/1.1
> Host: 192.168.49.2.nip.io
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 19 Jan 2022 10:48:11 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 60
< Connection: keep-alive
< 
Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-csmdz
* Connection #0 to host 192.168.49.2.nip.io left intact


In [16]:
curl -vvvv $(hostname -i)

* Uses proxy env variable NO_PROXY == 'control-plane.minikube.internal'
*   Trying 192.168.49.2:80...
* TCP_NODELAY set
* Connected to 192.168.49.2 (192.168.49.2) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.49.2
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Wed, 19 Jan 2022 10:48:17 GMT
< Content-Type: text/html
< Content-Length: 146
< Connection: keep-alive
< 
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host 192.168.49.2 left intact


In [19]:
kubectl get pods -n ingress-nginx

NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create--1-spxt9     0/1     Completed   0          29m
ingress-nginx-admission-patch--1-xc9zd      0/1     Completed   1          29m
ingress-nginx-controller-69bdbc4d57-zmr7p   1/1     Running     0          29m


In [20]:
kubectl logs -n ingress-nginx ingress-nginx-controller-69bdbc4d57-zmr7p 

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.0.0-beta.1
  Build:         a091b01f436b4ab4f3d04264df93962432a02450
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.20.1

-------------------------------------------------------------------------------

W0119 10:20:54.073721       7 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I0119 10:20:54.073996       7 main.go:221] "Creating API client" host="https://10.96.0.1:443"
I0119 10:20:54.089691       7 main.go:265] "Running in Kubernetes cluster" major="1" minor="22" git="v1.22.2" state="clean" commit="8b5a19147530eaac9476b0ab82980b4088bbc1b2" platform="linux/amd64"
I0119 10:20:54.225704       7 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I0119 10:20:54.239908       7 ssl.go:531] "loading tl

## Create **more** services
We can say hello world in different ways

In [21]:
kubectl create deployment web2 --image=gcr.io/google-samples/hello-app:2.0


deployment.apps/web2 created


In [22]:
kubectl expose deployment web2 --port=8080 --type=NodePort


service/web2 exposed


In [23]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: $(hostname -i).nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: web2
                port:
                 number: 8080
EOF

ingress.networking.k8s.io/example-ingress configured


In [24]:
curl $INGRESS_HOST/v2

Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-fvrz9


In [25]:
curl $INGRESS_HOST

Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-csmdz


In [None]:
kubectl get all

## TLS

In [26]:
mkdir -p openssl
cd openssl

In [27]:
DOMAIN=$INGRESS_HOST
CONF=${DOMAIN}.conf
SECRET=${DOMAIN}.yaml
KEY=${DOMAIN}.key
CRT=${DOMAIN}.crt

echo $DOMAIN

192.168.49.2.nip.io


In [28]:
pwd

/minikube-host/notebooks/training-kubernetes-security/openssl


In [29]:
ls

In [30]:
test  ! -f ${CONF}  && cat > ${CONF}  <<EOF
[ req ]
default_bits       = 2048
default_md         = sha512
default_keyfile    = ${KEYFILE}
prompt             = no
encrypt_key        = no
distinguished_name = req_distinguished_name
# distinguished_name
[ req_distinguished_name ]
countryName            = DE
localityName           = Berlin
organizationName       = nip.io
organizationalUnitName = K8S Demo Department
commonName             = *.${DOMAIN}
emailAddress           = nowhere@${DOMAIN}


EOF

In [31]:
echo $KEY $CONF $CRT

test  ! -f ${KEY} && openssl req -config ${CONF} -newkey rsa:2048 -nodes -keyout ${KEY} -x509 -out ${CRT}

192.168.49.2.nip.io.key 192.168.49.2.nip.io.conf 192.168.49.2.nip.io.crt
Generating a RSA private key
..........+++++
.................................+++++
writing new private key to '192.168.49.2.nip.io.key'
-----


In [35]:
ls

192.168.49.2.nip.io.conf  192.168.49.2.nip.io.crt  192.168.49.2.nip.io.key


In [36]:
cat ${CRT}

-----BEGIN CERTIFICATE-----
MIIDuzCCAqMCFG9RuSLR0S8UVKIUyNbXq3oZBApfMA0GCSqGSIb3DQEBDQUAMIGZ
MQswCQYDVQQGEwJERTEPMA0GA1UEBwwGQmVybGluMQ8wDQYDVQQKDAZuaXAuaW8x
HDAaBgNVBAsME0s4UyBEZW1vIERlcGFydG1lbnQxHjAcBgNVBAMMFSouMTkyLjE2
OC40OS4yLm5pcC5pbzEqMCgGCSqGSIb3DQEJARYbbm93aGVyZUAxOTIuMTY4LjQ5
LjIubmlwLmlvMB4XDTIyMDExOTEwNTYxMFoXDTIyMDIxODEwNTYxMFowgZkxCzAJ
BgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xDzANBgNVBAoMBm5pcC5pbzEcMBoG
A1UECwwTSzhTIERlbW8gRGVwYXJ0bWVudDEeMBwGA1UEAwwVKi4xOTIuMTY4LjQ5
LjIubmlwLmlvMSowKAYJKoZIhvcNAQkBFhtub3doZXJlQDE5Mi4xNjguNDkuMi5u
aXAuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeoe0vF+Y6bEZI
H9TCsTllNWHmU0PVqs5HRQNlwPWCuhri5CGIOTnJI1qY+oRfy4XgGGgBlE3pIeQl
hkqhucrAp1XkASlQwko0P31Bp+aAsG4sU9PpBpFba0IDuy9NVZ8JyogKPZbs/vXy
1a9lQJviJoZhy75Ip21Wo5nwTkyHmP4qYdGumN28H83x2ZarNkhmTt9F0VfcbSRB
JK+VknpqGWIOEz8HHAG+FNpEYw1EUk/mVaCdJFWw558WApZXZ/o77tBKwaVTE6ak
ztRPhvNkvVydtNhrCImmif0QMq2HFPJQkmoF/2ndeEg3jPwk1kjN0dNQcHCQj8PR
9NMGIsQrAgMBAAEwDQYJKoZIhvcNAQENBQADggEBAGlz8bSqTcUqgEBT0PiqrL

In [37]:
cat ${KEY}

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCeoe0vF+Y6bEZI
H9TCsTllNWHmU0PVqs5HRQNlwPWCuhri5CGIOTnJI1qY+oRfy4XgGGgBlE3pIeQl
hkqhucrAp1XkASlQwko0P31Bp+aAsG4sU9PpBpFba0IDuy9NVZ8JyogKPZbs/vXy
1a9lQJviJoZhy75Ip21Wo5nwTkyHmP4qYdGumN28H83x2ZarNkhmTt9F0VfcbSRB
JK+VknpqGWIOEz8HHAG+FNpEYw1EUk/mVaCdJFWw558WApZXZ/o77tBKwaVTE6ak
ztRPhvNkvVydtNhrCImmif0QMq2HFPJQkmoF/2ndeEg3jPwk1kjN0dNQcHCQj8PR
9NMGIsQrAgMBAAECggEADI1/uVRI0aKzxQ1PxsBDbHDW+GTqX0QO4rDhXfHw+5FC
g2XOCXuNyQ7VInngc7wlMeB8inNz3tjhtt5zlWygULJtJ4e3/z4ApTXI8aMZqGFN
tpBDmpL8eaF5LdZoHdSCq0GtljHdeY+LYtXp9TcxnqmxxJdczV8CVfLIQa3QfIJM
5BrPIBkYUroDJn5uEUcL0wFnGIUCM2Ugu6zTMIQ5SfnFROcE7Q2oHA9MHPBUq59d
xHPhsm2+qTW1TALofoKWJwjk076ZYWT8Xq0rwIeqsahrjSZ81XZ+RrNQYtFI+6C6
Wv+JQxgdDTRxMkgg7DSkxsUiM+A6C2fy379sA89dkQKBgQDNwCGZY80LSCxsjWnw
43X5psYZTXDWb+eB5T1P4UMxlGVzk9FPmyvSX6E0Rr5q96oH+BsCdZUpoEVuohZB
556J/iEz8VbHh/IXVd3ton7jdhxW274nvmhsJXZz4N2ndA2QyvHtePd3CATA5D7D
GKgz8NyYvAdu5LZJsEtiZEUNbQKBgQDFX+Y384Kk8sx86YqSivqZ4IwgA23lnL

In [38]:
test ! -f ${SECRET} && cat > ${SECRET}<<EOF
apiVersion: v1
kind: Secret
metadata:
 name: wildcard.tls
 namespace: default
type: kubernetes.io/tls
data:
 tls.crt: `cat ${CRT} | base64 -w0`
 tls.key: `cat ${KEY} | base64 -w0`
EOF


In [39]:
kubectl create -f ${SECRET}

secret/wildcard.tls created


In [40]:
cat $SECRET

apiVersion: v1
kind: Secret
metadata:
 name: wildcard.tls
 namespace: default
type: kubernetes.io/tls
data:
 tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR1ekNDQXFNQ0ZHOVJ1U0xSMFM4VVZLSVV5TmJYcTNvWkJBcGZNQTBHQ1NxR1NJYjNEUUVCRFFVQU1JR1oKTVFzd0NRWURWUVFHRXdKRVJURVBNQTBHQTFVRUJ3d0dRbVZ5YkdsdU1ROHdEUVlEVlFRS0RBWnVhWEF1YVc4eApIREFhQmdOVkJBc01FMHM0VXlCRVpXMXZJRVJsY0dGeWRHMWxiblF4SGpBY0JnTlZCQU1NRlNvdU1Ua3lMakUyCk9DNDBPUzR5TG01cGNDNXBiekVxTUNnR0NTcUdTSWIzRFFFSkFSWWJibTkzYUdWeVpVQXhPVEl1TVRZNExqUTUKTGpJdWJtbHdMbWx2TUI0WERUSXlNREV4T1RFd05UWXhNRm9YRFRJeU1ESXhPREV3TlRZeE1Gb3dnWmt4Q3pBSgpCZ05WQkFZVEFrUkZNUTh3RFFZRFZRUUhEQVpDWlhKc2FXNHhEekFOQmdOVkJBb01CbTVwY0M1cGJ6RWNNQm9HCkExVUVDd3dUU3poVElFUmxiVzhnUkdWd1lYSjBiV1Z1ZERFZU1Cd0dBMVVFQXd3VktpNHhPVEl1TVRZNExqUTUKTGpJdWJtbHdMbWx2TVNvd0tBWUpLb1pJaHZjTkFRa0JGaHR1YjNkb1pYSmxRREU1TWk0eE5qZ3VORGt1TWk1dQphWEF1YVc4d2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNlb2UwdkYrWTZiRVpJCkg5VENzVGxsTldIbVUwUFZxczVIUlFObHdQV0N1aHJpNUNHSU9UbkpJMXFZK29SZn

In [41]:
kubectl get secret wildcard.tls -o jsonpath='{.data.tls\.key}' | base64 --decode 

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCeoe0vF+Y6bEZI
H9TCsTllNWHmU0PVqs5HRQNlwPWCuhri5CGIOTnJI1qY+oRfy4XgGGgBlE3pIeQl
hkqhucrAp1XkASlQwko0P31Bp+aAsG4sU9PpBpFba0IDuy9NVZ8JyogKPZbs/vXy
1a9lQJviJoZhy75Ip21Wo5nwTkyHmP4qYdGumN28H83x2ZarNkhmTt9F0VfcbSRB
JK+VknpqGWIOEz8HHAG+FNpEYw1EUk/mVaCdJFWw558WApZXZ/o77tBKwaVTE6ak
ztRPhvNkvVydtNhrCImmif0QMq2HFPJQkmoF/2ndeEg3jPwk1kjN0dNQcHCQj8PR
9NMGIsQrAgMBAAECggEADI1/uVRI0aKzxQ1PxsBDbHDW+GTqX0QO4rDhXfHw+5FC
g2XOCXuNyQ7VInngc7wlMeB8inNz3tjhtt5zlWygULJtJ4e3/z4ApTXI8aMZqGFN
tpBDmpL8eaF5LdZoHdSCq0GtljHdeY+LYtXp9TcxnqmxxJdczV8CVfLIQa3QfIJM
5BrPIBkYUroDJn5uEUcL0wFnGIUCM2Ugu6zTMIQ5SfnFROcE7Q2oHA9MHPBUq59d
xHPhsm2+qTW1TALofoKWJwjk076ZYWT8Xq0rwIeqsahrjSZ81XZ+RrNQYtFI+6C6
Wv+JQxgdDTRxMkgg7DSkxsUiM+A6C2fy379sA89dkQKBgQDNwCGZY80LSCxsjWnw
43X5psYZTXDWb+eB5T1P4UMxlGVzk9FPmyvSX6E0Rr5q96oH+BsCdZUpoEVuohZB
556J/iEz8VbHh/IXVd3ton7jdhxW274nvmhsJXZz4N2ndA2QyvHtePd3CATA5D7D
GKgz8NyYvAdu5LZJsEtiZEUNbQKBgQDFX+Y384Kk8sx86YqSivqZ4IwgA23lnL

In [42]:
kubectl get secret wildcard.tls -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -text 

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            6f:51:b9:22:d1:d1:2f:14:54:a2:14:c8:d6:d7:ab:7a:19:04:0a:5f
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = DE, L = Berlin, O = nip.io, OU = K8S Demo Department, CN = *.192.168.49.2.nip.io, emailAddress = nowhere@192.168.49.2.nip.io
        Validity
            Not Before: Jan 19 10:56:10 2022 GMT
            Not After : Feb 18 10:56:10 2022 GMT
        Subject: C = DE, L = Berlin, O = nip.io, OU = K8S Demo Department, CN = *.192.168.49.2.nip.io, emailAddress = nowhere@192.168.49.2.nip.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9e:a1:ed:2f:17:e6:3a:6c:46:48:1f:d4:c2:b1:
                    39:65:35:61:e6:53:43:d5:aa:ce:47:45:03:65:c0:
                    f5:82:ba:1a:e2:e4:21:88:39:39:c9:23:5a:98:fa:
                    84:5f:cb:85:e0:18:68:01:94:4d:e

In [43]:
kubectl apply -f $SECRET

secret/wildcard.tls configured


In [44]:
cd ..

In [45]:
pwd

/minikube-host/notebooks/training-kubernetes-security


In [46]:
kubectl delete ingress example-ingress

ingress.networking.k8s.io "example-ingress" deleted


In [47]:
kubectl get ingress

No resources found in default namespace.


In [48]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: website
spec:
  tls:
    - hosts:
      - demo.$DOMAIN
      - info.$DOMAIN
      secretName: wildcard.tls
  rules:
  - host: info.$DOMAIN
    http:
      paths:
      - path: /web
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
      - path: /web/v2
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 8080
  - host: demo.$DOMAIN
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 8080
EOF

ingress.networking.k8s.io/website created


In [49]:
curl -k https://info.$DOMAIN/web
curl -k https://info.$DOMAIN/web/v2
curl -k https://demo.$DOMAIN/


<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-fvrz9
Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-fvrz9


In [50]:
kubectl get ingress

NAME      CLASS   HOSTS                                               ADDRESS   PORTS     AGE
website   nginx   info.192.168.49.2.nip.io,demo.192.168.49.2.nip.io             80, 443   7s


In [None]:
kubectl delete ingress website

In [None]:
ls