**This notebook covered by the following [license](License.ipynb)  This note must not be removed**

# Ingress

- [Must be enabled](IngressStart.ipynb)
- [Service Networking Concept](https://kubernetes.io/docs/concepts/services-networking/ingress/)
- Implemented by an [Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)
- Implementation dependent [Overview by Yitaek Hwang](https://medium.com/swlh/kubernetes-ingress-controller-overview-81abbaca19ec)
- Can include [External Oauth 2 ](https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/)
- Most popular [NGinx Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/)

In [1]:
kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0

deployment.apps/web created


In [2]:
kubectl expose deployment web --type=NodePort --port=8080

service/web exposed


In [3]:
kubectl get service web 

NAME   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
web    NodePort   10.105.107.125   <none>        8080:32664/TCP   4s


In [4]:
NODEPORT=$(kubectl get service web  -o jsonpath='{.spec.ports[0].nodePort}')
echo $NODEPORT

32664


In [6]:
curl $(hostname -i):$NODEPORT

Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-ck28l


In [7]:
kubectl get all 

NAME                       READY   STATUS    RESTARTS   AGE
pod/web-79d88c97d6-ck28l   1/1     Running   0          41s

NAME                 TYPE           CLUSTER-IP       EXTERNAL-IP      PORT(S)          AGE
service/kubernetes   ClusterIP      10.96.0.1        <none>           443/TCP          24h
service/my-nginx     LoadBalancer   10.105.208.150   10.105.208.150   80:32335/TCP     24h
service/web          NodePort       10.105.107.125   <none>           8080:32664/TCP   39s

NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/web   1/1     1            1           41s

NAME                             DESIRED   CURRENT   READY   AGE
replicaset.apps/web-79d88c97d6   1         1         1       41s


In [8]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: $(hostname -i).nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
EOF

ingress.networking.k8s.io/example-ingress created


In [9]:
kubectl get ingress example-ingress -o yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"nginx.ingress.kubernetes.io/rewrite-target":"/"},"name":"example-ingress","namespace":"default"},"spec":{"rules":[{"host":"192.168.49.2.nip.io","http":{"paths":[{"backend":{"service":{"name":"web","port":{"number":8080}}},"path":"/","pathType":"Prefix"}]}}]}}
    nginx.ingress.kubernetes.io/rewrite-target: /
  creationTimestamp: "2021-12-15T11:04:23Z"
  generation: 1
  name: example-ingress
  namespace: default
  resourceVersion: "62171"
  uid: a097e841-dc31-4299-9f49-edb0a43f5abf
spec:
  ingressClassName: nginx
  rules:
  - host: 192.168.49.2.nip.io
    http:
      paths:
      - backend:
          service:
            name: web
            port:
              number: 8080
        path: /
        pathType: Prefix
status:
  loadBalancer: {}


In [10]:
kubectl describe ingress example-ingress

Name:             example-ingress
Namespace:        default
Address:          
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  192.168.49.2.nip.io  
                       /   web:8080 (172.17.0.4:8080)
Annotations:           nginx.ingress.kubernetes.io/rewrite-target: /
Events:
  Type    Reason  Age   From                      Message
  ----    ------  ----  ----                      -------
  Normal  Sync    18s   nginx-ingress-controller  Scheduled for sync


In [11]:
INGRESS_HOST=$(kubectl get ingress example-ingress -o jsonpath='{.spec.rules[0].host}')
echo $INGRESS_HOST

192.168.49.2.nip.io


In [12]:
curl $INGRESS_HOST/helloweb

Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-ck28l


In [13]:
curl -vvvvv $INGRESS_HOST/helloweb

* Uses proxy env variable NO_PROXY == 'control-plane.minikube.internal'
*   Trying 192.168.49.2:80...
* TCP_NODELAY set
* Connected to 192.168.49.2.nip.io (192.168.49.2) port 80 (#0)
> GET /helloweb HTTP/1.1
> Host: 192.168.49.2.nip.io
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 15 Dec 2021 11:13:01 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 60
< Connection: keep-alive
< 
Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-ck28l
* Connection #0 to host 192.168.49.2.nip.io left intact


In [15]:
curl -vvvv $(hostname -i)

* Uses proxy env variable NO_PROXY == 'control-plane.minikube.internal'
*   Trying 192.168.49.2:80...
* TCP_NODELAY set
* Connected to 192.168.49.2 (192.168.49.2) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.49.2
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Wed, 15 Dec 2021 11:14:17 GMT
< Content-Type: text/html
< Content-Length: 146
< Connection: keep-alive
< 
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host 192.168.49.2 left intact


In [17]:
kubectl get pods -n ingress-nginx

NAME                                        READY   STATUS      RESTARTS   AGE
ingress-nginx-admission-create--1-vrvdm     0/1     Completed   0          16m
ingress-nginx-admission-patch--1-vxl8l      0/1     Completed   1          16m
ingress-nginx-controller-69bdbc4d57-s6nw5   1/1     Running     0          16m


In [19]:
kubectl logs -n ingress-nginx ingress-nginx-controller-69bdbc4d57-s6nw5

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.0.0-beta.1
  Build:         a091b01f436b4ab4f3d04264df93962432a02450
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.20.1

-------------------------------------------------------------------------------

W1215 10:59:50.165877       7 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1215 10:59:50.166848       7 main.go:221] "Creating API client" host="https://10.96.0.1:443"
I1215 10:59:50.209476       7 main.go:265] "Running in Kubernetes cluster" major="1" minor="22" git="v1.22.2" state="clean" commit="8b5a19147530eaac9476b0ab82980b4088bbc1b2" platform="linux/amd64"
I1215 10:59:50.472760       7 main.go:104] "SSL fake certificate created" file="/etc/ingress-controller/ssl/default-fake-certificate.pem"
I1215 10:59:50.488507       7 ssl.go:531] "loading tl

## Create **more** services
We can say hello world in different ways

In [20]:
kubectl create deployment web2 --image=gcr.io/google-samples/hello-app:2.0


deployment.apps/web2 created


In [21]:
kubectl expose deployment web2 --port=8080 --type=NodePort


service/web2 exposed


In [22]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: $(hostname -i).nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: web2
                port:
                 number: 8080
EOF

ingress.networking.k8s.io/example-ingress configured


In [23]:
curl $INGRESS_HOST/v2

Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-jd6r5


In [None]:
kubectl get all

## TLS

In [24]:
mkdir -p openssl
cd openssl

In [25]:
DOMAIN=$INGRESS_HOST
CONF=${DOMAIN}.conf
SECRET=${DOMAIN}.yaml
KEY=${DOMAIN}.key
CRT=${DOMAIN}.crt

echo $DOMAIN

192.168.49.2.nip.io


In [26]:
pwd

/minikube-host/notebooks/training-kubernetes-security/openssl


In [29]:
rm *

In [30]:
test  ! -f ${CONF}  && cat > ${CONF}  <<EOF
[ req ]
default_bits       = 2048
default_md         = sha512
default_keyfile    = ${KEYFILE}
prompt             = no
encrypt_key        = no
distinguished_name = req_distinguished_name
# distinguished_name
[ req_distinguished_name ]
countryName            = DE
localityName           = Berlin
organizationName       = nip.io
organizationalUnitName = K8S Demo Department
commonName             = *.${DOMAIN}
emailAddress           = nowhere@${DOMAIN}


EOF

In [31]:
echo $KEY $CONF $CRT

test  ! -f ${KEY} && openssl req -config ${CONF} -newkey rsa:2048 -nodes -keyout ${KEY} -x509 -out ${CRT}

192.168.49.2.nip.io.key 192.168.49.2.nip.io.conf 192.168.49.2.nip.io.crt
Generating a RSA private key
........+++++
..................................+++++
writing new private key to '192.168.49.2.nip.io.key'
-----


In [32]:
ls

192.168.49.2.nip.io.conf  192.168.49.2.nip.io.crt  192.168.49.2.nip.io.key


In [33]:
cat ${CRT}

-----BEGIN CERTIFICATE-----
MIIDuzCCAqMCFGywJ0sjX7Xj5qSO7AT3hlt5ePFtMA0GCSqGSIb3DQEBDQUAMIGZ
MQswCQYDVQQGEwJERTEPMA0GA1UEBwwGQmVybGluMQ8wDQYDVQQKDAZuaXAuaW8x
HDAaBgNVBAsME0s4UyBEZW1vIERlcGFydG1lbnQxHjAcBgNVBAMMFSouMTkyLjE2
OC40OS4yLm5pcC5pbzEqMCgGCSqGSIb3DQEJARYbbm93aGVyZUAxOTIuMTY4LjQ5
LjIubmlwLmlvMB4XDTIxMTIxNTEyNTQwNVoXDTIyMDExNDEyNTQwNVowgZkxCzAJ
BgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xDzANBgNVBAoMBm5pcC5pbzEcMBoG
A1UECwwTSzhTIERlbW8gRGVwYXJ0bWVudDEeMBwGA1UEAwwVKi4xOTIuMTY4LjQ5
LjIubmlwLmlvMSowKAYJKoZIhvcNAQkBFhtub3doZXJlQDE5Mi4xNjguNDkuMi5u
aXAuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDxQiSb8B5eWh+S
zX8YrC1GxJz2qhiOtRwTsMtTedTvbZT7jeBR+nhHboyx/BrgGsLA0mIZHZGZhoSR
tr0j+04EwmpsgL4RXY0qa/1AO0bIVecqH+Qfj3Tst7kyd49rIsN6zNGkr6j2EHDe
7aBTScx0/ve73uqiqSdtBdkq+OwwxAjZkyUDjbBhIr1DoyUdyf/dORtzRgKOpWEV
kzG7h0RCZBYe01klcdN06xRBA2YXgr3zxQuJQpx9V3Ivs3l9VdpkGXneA+FPHG1h
EJAXn8X1O+yHQqWv1e165nAVU3ilriUU+GEsk+SctbOX8ESKPW1Wk50Ba3itvIuG
IeqeSUoRAgMBAAEwDQYJKoZIhvcNAQENBQADggEBAOljm460oGvujQlhCpM0sq

In [34]:
cat ${KEY}

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDxQiSb8B5eWh+S
zX8YrC1GxJz2qhiOtRwTsMtTedTvbZT7jeBR+nhHboyx/BrgGsLA0mIZHZGZhoSR
tr0j+04EwmpsgL4RXY0qa/1AO0bIVecqH+Qfj3Tst7kyd49rIsN6zNGkr6j2EHDe
7aBTScx0/ve73uqiqSdtBdkq+OwwxAjZkyUDjbBhIr1DoyUdyf/dORtzRgKOpWEV
kzG7h0RCZBYe01klcdN06xRBA2YXgr3zxQuJQpx9V3Ivs3l9VdpkGXneA+FPHG1h
EJAXn8X1O+yHQqWv1e165nAVU3ilriUU+GEsk+SctbOX8ESKPW1Wk50Ba3itvIuG
IeqeSUoRAgMBAAECggEAHD4Z+wdJBtKWD6Fu13yQcFBj75xJ86rP9p4jr0n722uA
nVImiHJB0lrmrY9Nth5r3hbC1R3ZBZfxvP0fdy7cG0KHItyPY4kIFYc+xl4qExm7
TfsdwXQRxARd8cJ9T5VqPN3tTNIjfWq/S9mVgyqIfMm8Ron5/cC/lMuyeI1bWPnf
v55SNq46QE8DZ7/De9Wgm8M40puoBTnfJFpRQ4ZSti8jly6OmtED6H7eOHc34VoH
fk1MZI/0NDxeCJIOawseUAIWfTP03tpJICZqLz+snlijFyE185nbgEXKSAvF0FMP
zEsQzmI8TwMwAZnB7cHu7POJz/UgDRhncr+askm6YQKBgQD5Qx153rWsE7YQpvU9
zyxYrd3iW7/McOMnNyWuIIRyWN8fxy4V6+/4LOLXLHDqhuG20YlwHJenF5tfAYMV
oO0h8a8rSJfmWaYvdGhfK5JI+YEEfjCSAoa4PYBa6npTrlqKcWCvBCdL0R4XbwjW
PS9VHW9rL/rO30x4UnQlxb+7OwKBgQD3x6RSnkn4mxAv/Xl5eQXhVSJ6TH8u4R

In [35]:
test ! -f ${SECRET} && cat > ${SECRET}<<EOF
apiVersion: v1
kind: Secret
metadata:
 name: wildcard.tls
 namespace: default
type: kubernetes.io/tls
data:
 tls.crt: `cat ${CRT} | base64 -w0`
 tls.key: `cat ${KEY} | base64 -w0`
EOF


In [38]:
kubectl create -f ${SECRET}

secret/wildcard.tls created


In [36]:
cat $SECRET

apiVersion: v1
kind: Secret
metadata:
 name: wildcard.tls
 namespace: default
type: kubernetes.io/tls
data:
 tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR1ekNDQXFNQ0ZHeXdKMHNqWDdYajVxU083QVQzaGx0NWVQRnRNQTBHQ1NxR1NJYjNEUUVCRFFVQU1JR1oKTVFzd0NRWURWUVFHRXdKRVJURVBNQTBHQTFVRUJ3d0dRbVZ5YkdsdU1ROHdEUVlEVlFRS0RBWnVhWEF1YVc4eApIREFhQmdOVkJBc01FMHM0VXlCRVpXMXZJRVJsY0dGeWRHMWxiblF4SGpBY0JnTlZCQU1NRlNvdU1Ua3lMakUyCk9DNDBPUzR5TG01cGNDNXBiekVxTUNnR0NTcUdTSWIzRFFFSkFSWWJibTkzYUdWeVpVQXhPVEl1TVRZNExqUTUKTGpJdWJtbHdMbWx2TUI0WERUSXhNVEl4TlRFeU5UUXdOVm9YRFRJeU1ERXhOREV5TlRRd05Wb3dnWmt4Q3pBSgpCZ05WQkFZVEFrUkZNUTh3RFFZRFZRUUhEQVpDWlhKc2FXNHhEekFOQmdOVkJBb01CbTVwY0M1cGJ6RWNNQm9HCkExVUVDd3dUU3poVElFUmxiVzhnUkdWd1lYSjBiV1Z1ZERFZU1Cd0dBMVVFQXd3VktpNHhPVEl1TVRZNExqUTUKTGpJdWJtbHdMbWx2TVNvd0tBWUpLb1pJaHZjTkFRa0JGaHR1YjNkb1pYSmxRREU1TWk0eE5qZ3VORGt1TWk1dQphWEF1YVc4d2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUR4UWlTYjhCNWVXaCtTCnpYOFlyQzFHeEp6MnFoaU90UndUc010VGVkVHZiWlQ3amVCUituaEhib3l4L0JyZ0

In [42]:
kubectl get secret wildcard.tls -o jsonpath='{.data.tls\.key}' | base64 --decode 

unable to load certificate
140591494800704:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE


: 1

In [43]:
kubectl get secret wildcard.tls -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -text 

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            6c:b0:27:4b:23:5f:b5:e3:e6:a4:8e:ec:04:f7:86:5b:79:78:f1:6d
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = DE, L = Berlin, O = nip.io, OU = K8S Demo Department, CN = *.192.168.49.2.nip.io, emailAddress = nowhere@192.168.49.2.nip.io
        Validity
            Not Before: Dec 15 12:54:05 2021 GMT
            Not After : Jan 14 12:54:05 2022 GMT
        Subject: C = DE, L = Berlin, O = nip.io, OU = K8S Demo Department, CN = *.192.168.49.2.nip.io, emailAddress = nowhere@192.168.49.2.nip.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f1:42:24:9b:f0:1e:5e:5a:1f:92:cd:7f:18:ac:
                    2d:46:c4:9c:f6:aa:18:8e:b5:1c:13:b0:cb:53:79:
                    d4:ef:6d:94:fb:8d:e0:51:fa:78:47:6e:8c:b1:fc:
                    1a:e0:1a:c2:c0:d2:62:19:1d:91:9

In [None]:
kubectl apply -f $SECRET

In [44]:
cd ..

In [45]:
pwd

/minikube-host/notebooks/training-kubernetes-security


In [46]:
kubectl delete ingress example-ingress

ingress.networking.k8s.io "example-ingress" deleted


In [47]:
kubectl get ingress

No resources found in default namespace.


In [48]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: website
spec:
  tls:
    - hosts:
      - demo.$DOMAIN
      - info.$DOMAIN
      secretName: wildcard.tls
  rules:
  - host: info.$DOMAIN
    http:
      paths:
      - path: /web
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
      - path: /web/v2
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 8080
  - host: demo.$DOMAIN
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 8080
EOF

ingress.networking.k8s.io/website created


In [49]:
curl -k https://info.$DOMAIN/web
curl -k https://info.$DOMAIN/web/v2
curl -k https://demo.$DOMAIN/


Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-ck28l
Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-jd6r5
Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-jd6r5


In [None]:
kubectl get ingress

In [None]:
kubectl delete ingress website

In [None]:
ls