**This notebook covered by the following [license](License.ipynb)  This note must not be removed**

# Ingress

- [Must be enabled](IngressStart.ipynb)
- [Service Networking Concept](https://kubernetes.io/docs/concepts/services-networking/ingress/)
- Implemented by an [Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/)
- Implementation dependent [Overview by Yitaek Hwang](https://medium.com/swlh/kubernetes-ingress-controller-overview-81abbaca19ec)
- Can include [External Oauth 2 ](https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/)
- Most popular [NGinx Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/)

In [1]:
kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0

deployment.apps/web created


In [2]:
kubectl expose deployment web --type=NodePort --port=8080

service/web exposed


In [3]:
kubectl get service web 

NAME   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
web    NodePort   10.109.89.52   <none>        8080:32752/TCP   5s


In [4]:
NODEPORT=$(kubectl get service web  -o jsonpath='{.spec.ports[0].nodePort}')
echo $NODEPORT

32752


In [9]:
curl $(hostname -i):$NODEPORT

Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-w67s8


In [8]:
kubectl get all 

NAME                       READY   STATUS    RESTARTS   AGE
pod/web-79d88c97d6-w67s8   1/1     Running   0          81s

NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)          AGE
service/kubernetes     ClusterIP      10.96.0.1       <none>          443/TCP          23h
service/nginx-strict   LoadBalancer   10.108.215.42   10.108.215.42   80:31910/TCP     18h
service/web            NodePort       10.109.89.52    <none>          8080:32752/TCP   74s

NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/web   1/1     1            1           81s

NAME                             DESIRED   CURRENT   READY   AGE
replicaset.apps/web-79d88c97d6   1         1         1       81s


In [10]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: $(hostname -i).nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
EOF

ingress.networking.k8s.io/example-ingress created


In [11]:
kubectl get ingress example-ingress -o yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"nginx.ingress.kubernetes.io/rewrite-target":"/"},"name":"example-ingress","namespace":"default"},"spec":{"rules":[{"host":"192.168.49.2.nip.io","http":{"paths":[{"backend":{"service":{"name":"web","port":{"number":8080}}},"path":"/","pathType":"Prefix"}]}}]}}
    nginx.ingress.kubernetes.io/rewrite-target: /
  creationTimestamp: "2021-12-01T08:39:57Z"
  generation: 1
  name: example-ingress
  namespace: default
  resourceVersion: "60273"
  uid: a8c91031-8704-4787-949e-6e9c7fd1fce0
spec:
  ingressClassName: nginx
  rules:
  - host: 192.168.49.2.nip.io
    http:
      paths:
      - backend:
          service:
            name: web
            port:
              number: 8080
        path: /
        pathType: Prefix
status:
  loadBalancer: {}


In [13]:
kubectl describe ingress example-ingress

Name:             example-ingress
Namespace:        default
Address:          192.168.49.2
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  192.168.49.2.nip.io  
                       /   web:8080 (172.17.0.3:8080)
Annotations:           nginx.ingress.kubernetes.io/rewrite-target: /
Events:
  Type    Reason  Age                From                      Message
  ----    ------  ----               ----                      -------
  Normal  Sync    46s (x2 over 57s)  nginx-ingress-controller  Scheduled for sync


In [14]:
INGRESS_HOST=$(kubectl get ingress example-ingress -o jsonpath='{.spec.rules[0].host}')
echo $INGRESS_HOST

192.168.49.2.nip.io


In [15]:
curl $INGRESS_HOST/helloweb

Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-w67s8


## Create **more** services
We can say hello world in different ways

In [16]:
kubectl create deployment web2 --image=gcr.io/google-samples/hello-app:2.0


deployment.apps/web2 created


In [17]:
kubectl expose deployment web2 --port=8080 --type=NodePort


service/web2 exposed


In [18]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: $(hostname -i).nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: web2
                port:
                 number: 8080
EOF

ingress.networking.k8s.io/example-ingress configured


In [22]:
curl $INGRESS_HOST/v2

Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-kjqxc


In [21]:
kubectl get all

NAME                        READY   STATUS    RESTARTS   AGE
pod/web-79d88c97d6-w67s8    1/1     Running   0          6m17s
pod/web2-5d47994f45-kjqxc   1/1     Running   0          39s

NAME                   TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)          AGE
service/kubernetes     ClusterIP      10.96.0.1       <none>          443/TCP          23h
service/nginx-strict   LoadBalancer   10.108.215.42   10.108.215.42   80:31910/TCP     18h
service/web            NodePort       10.109.89.52    <none>          8080:32752/TCP   6m10s
service/web2           NodePort       10.102.229.20   <none>          8080:31132/TCP   38s

NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/web    1/1     1            1           6m17s
deployment.apps/web2   1/1     1            1           39s

NAME                              DESIRED   CURRENT   READY   AGE
replicaset.apps/web-79d88c97d6    1         1         1       6m17s
replicaset.apps/web2-5d47994f45   1    

## TLS

In [23]:
mkdir -p openssl
cd openssl


In [24]:
DOMAIN=$INGRESS_HOST
CONF=${DOMAIN}.conf
SECRET=${DOMAIN}.yaml
KEY=${DOMAIN}.key
CRT=${DOMAIN}.crt

echo $DOMAIN

192.168.49.2.nip.io


In [25]:
pwd

/minikube-host/notebooks/training-kubernetes-security/openssl


In [26]:
ls

In [27]:
test  ! -f ${CONF}  && cat > ${CONF}  <<EOF
[ req ]
default_bits       = 2048
default_md         = sha512
default_keyfile    = ${KEYFILE}
prompt             = no
encrypt_key        = no
distinguished_name = req_distinguished_name
# distinguished_name
[ req_distinguished_name ]
countryName            = DE
localityName           = Berlin
organizationName       = nip.io
organizationalUnitName = K8S Demo Department
commonName             = *.${DOMAIN}
emailAddress           = nowhere@${DOMAIN}


EOF

In [28]:
echo $KEY $CONF $CRT

test  ! -f ${KEY} && openssl req -config ${CONF} -newkey rsa:2048 -nodes -keyout ${KEY} -x509 -out ${CRT}

192.168.49.2.nip.io.key 192.168.49.2.nip.io.conf 192.168.49.2.nip.io.crt
Generating a RSA private key
......................+++++
.................................................................................................................................................+++++
writing new private key to '192.168.49.2.nip.io.key'
-----


In [29]:
ls

192.168.49.2.nip.io.conf  192.168.49.2.nip.io.crt  192.168.49.2.nip.io.key


In [30]:
cat ${CRT}

-----BEGIN CERTIFICATE-----
MIIDuzCCAqMCFGggJgCR/238ZA4gaHHAXATKJZ8bMA0GCSqGSIb3DQEBDQUAMIGZ
MQswCQYDVQQGEwJERTEPMA0GA1UEBwwGQmVybGluMQ8wDQYDVQQKDAZuaXAuaW8x
HDAaBgNVBAsME0s4UyBEZW1vIERlcGFydG1lbnQxHjAcBgNVBAMMFSouMTkyLjE2
OC40OS4yLm5pcC5pbzEqMCgGCSqGSIb3DQEJARYbbm93aGVyZUAxOTIuMTY4LjQ5
LjIubmlwLmlvMB4XDTIxMTIwMTA4NDY0M1oXDTIxMTIzMTA4NDY0M1owgZkxCzAJ
BgNVBAYTAkRFMQ8wDQYDVQQHDAZCZXJsaW4xDzANBgNVBAoMBm5pcC5pbzEcMBoG
A1UECwwTSzhTIERlbW8gRGVwYXJ0bWVudDEeMBwGA1UEAwwVKi4xOTIuMTY4LjQ5
LjIubmlwLmlvMSowKAYJKoZIhvcNAQkBFhtub3doZXJlQDE5Mi4xNjguNDkuMi5u
aXAuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQClx5qpK15icu7T
M3ZQg3VOLdh/qLK1JqRagNxEF5IuueqceFzY6kWioGJfllaWMGkag6jbBYMukoH4
nyun4f/1j8MDhmyrukhC2N997N4B+6fbwc1u6KKJ2T2DKIZBwoJBtLCUWVP80h/q
LOdTSbPJ/+USYJYsmR6ZJAJuvNPUZYI0d9zd5gjn9PhTGipHl//Q8tD/0DM7OTdG
lUqkRe+mpQg+KzjspR9MXnIsZosXsD2PbQnyLP1wd2GzK7LbyO6BEp8c8frufIgJ
5PtMgi236CE4YkNHD55AoSv51NRNBPEV84Im0wcYZgWgH19ZYoecl1NZMM24GT7w
T5aR64VxAgMBAAEwDQYJKoZIhvcNAQENBQADggEBADKAZjdzPtjmJpoZ7i7g1z

In [31]:
cat ${KEY}

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQClx5qpK15icu7T
M3ZQg3VOLdh/qLK1JqRagNxEF5IuueqceFzY6kWioGJfllaWMGkag6jbBYMukoH4
nyun4f/1j8MDhmyrukhC2N997N4B+6fbwc1u6KKJ2T2DKIZBwoJBtLCUWVP80h/q
LOdTSbPJ/+USYJYsmR6ZJAJuvNPUZYI0d9zd5gjn9PhTGipHl//Q8tD/0DM7OTdG
lUqkRe+mpQg+KzjspR9MXnIsZosXsD2PbQnyLP1wd2GzK7LbyO6BEp8c8frufIgJ
5PtMgi236CE4YkNHD55AoSv51NRNBPEV84Im0wcYZgWgH19ZYoecl1NZMM24GT7w
T5aR64VxAgMBAAECggEAIJvJjTsNnrnSxlJaFG43NcCI1Ft/g2htbavpJ6+nPm+t
eUeno7c5KUr47qpor7QoCGIbZbGI4zFIRXoxoR0wNsInbtsTJxhGPHfiRifAZ41z
sCNH4Gf8CLdlhRYEiozTCE+daCDGB3XhdzOL8PMPXU1rZpj/ERixTxgpLlUQKbfY
n6dJ+OFOsvtbp0gClZfbDZupRRYS+7LSZI+DzWefsXkC9PMt3o2dqM4M1rUofw16
/lN6NSjBSAj+VK3a6IbnyssZpdHVFoo1Joe15ehEXe0ImfwJ21+IXyqb+FVczGG3
/YwsZjF6CECzQ7SlmWxKW4v44dioPe0Isi+LSX2GUQKBgQDZ52IPGe3UWLXYK2lj
wb42U778HRd9JFe/3aOCdVdmRPNdcN3AZ8PnKrVKfF49we2nHv/9OFKnASdvzLsr
4vL2M9JkdjpfkYpkkszkRzRa3fOaiPr+yxO+l7vn/G19ftbkGFuMc+2AuI4fWTwM
sf0CQqKxUicwd6dGqKn/IX2SRQKBgQDCw1OIS8dIEzUQflxwEMEhIv1SUaVjJM

In [32]:
test ! -f ${SECRET} && cat > ${SECRET}<<EOF
apiVersion: v1
kind: Secret
metadata:
 name: wildcard.tls
 namespace: default
type: kubernetes.io/tls
data:
 tls.crt: `cat ${CRT} | base64 -w0`
 tls.key: `cat ${KEY} | base64 -w0`
EOF


In [33]:
cat $SECRET

apiVersion: v1
kind: Secret
metadata:
 name: wildcard.tls
 namespace: default
type: kubernetes.io/tls
data:
 tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR1ekNDQXFNQ0ZHZ2dKZ0NSLzIzOFpBNGdhSEhBWEFUS0paOGJNQTBHQ1NxR1NJYjNEUUVCRFFVQU1JR1oKTVFzd0NRWURWUVFHRXdKRVJURVBNQTBHQTFVRUJ3d0dRbVZ5YkdsdU1ROHdEUVlEVlFRS0RBWnVhWEF1YVc4eApIREFhQmdOVkJBc01FMHM0VXlCRVpXMXZJRVJsY0dGeWRHMWxiblF4SGpBY0JnTlZCQU1NRlNvdU1Ua3lMakUyCk9DNDBPUzR5TG01cGNDNXBiekVxTUNnR0NTcUdTSWIzRFFFSkFSWWJibTkzYUdWeVpVQXhPVEl1TVRZNExqUTUKTGpJdWJtbHdMbWx2TUI0WERUSXhNVEl3TVRBNE5EWTBNMW9YRFRJeE1USXpNVEE0TkRZME0xb3dnWmt4Q3pBSgpCZ05WQkFZVEFrUkZNUTh3RFFZRFZRUUhEQVpDWlhKc2FXNHhEekFOQmdOVkJBb01CbTVwY0M1cGJ6RWNNQm9HCkExVUVDd3dUU3poVElFUmxiVzhnUkdWd1lYSjBiV1Z1ZERFZU1Cd0dBMVVFQXd3VktpNHhPVEl1TVRZNExqUTUKTGpJdWJtbHdMbWx2TVNvd0tBWUpLb1pJaHZjTkFRa0JGaHR1YjNkb1pYSmxRREU1TWk0eE5qZ3VORGt1TWk1dQphWEF1YVc4d2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNseDVxcEsxNWljdTdUCk0zWlFnM1ZPTGRoL3FMSzFKcVJhZ054RUY1SXV1ZXFjZUZ6WTZrV2lvR0pmbGxhV0

In [39]:
kubectl get secret wildcard.tls -o jsonpath='{.data.tls\.key}' | base64 --decode

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQClx5qpK15icu7T
M3ZQg3VOLdh/qLK1JqRagNxEF5IuueqceFzY6kWioGJfllaWMGkag6jbBYMukoH4
nyun4f/1j8MDhmyrukhC2N997N4B+6fbwc1u6KKJ2T2DKIZBwoJBtLCUWVP80h/q
LOdTSbPJ/+USYJYsmR6ZJAJuvNPUZYI0d9zd5gjn9PhTGipHl//Q8tD/0DM7OTdG
lUqkRe+mpQg+KzjspR9MXnIsZosXsD2PbQnyLP1wd2GzK7LbyO6BEp8c8frufIgJ
5PtMgi236CE4YkNHD55AoSv51NRNBPEV84Im0wcYZgWgH19ZYoecl1NZMM24GT7w
T5aR64VxAgMBAAECggEAIJvJjTsNnrnSxlJaFG43NcCI1Ft/g2htbavpJ6+nPm+t
eUeno7c5KUr47qpor7QoCGIbZbGI4zFIRXoxoR0wNsInbtsTJxhGPHfiRifAZ41z
sCNH4Gf8CLdlhRYEiozTCE+daCDGB3XhdzOL8PMPXU1rZpj/ERixTxgpLlUQKbfY
n6dJ+OFOsvtbp0gClZfbDZupRRYS+7LSZI+DzWefsXkC9PMt3o2dqM4M1rUofw16
/lN6NSjBSAj+VK3a6IbnyssZpdHVFoo1Joe15ehEXe0ImfwJ21+IXyqb+FVczGG3
/YwsZjF6CECzQ7SlmWxKW4v44dioPe0Isi+LSX2GUQKBgQDZ52IPGe3UWLXYK2lj
wb42U778HRd9JFe/3aOCdVdmRPNdcN3AZ8PnKrVKfF49we2nHv/9OFKnASdvzLsr
4vL2M9JkdjpfkYpkkszkRzRa3fOaiPr+yxO+l7vn/G19ftbkGFuMc+2AuI4fWTwM
sf0CQqKxUicwd6dGqKn/IX2SRQKBgQDCw1OIS8dIEzUQflxwEMEhIv1SUaVjJM

In [34]:
kubectl apply -f $SECRET

secret/wildcard.tls created


In [None]:
cd ..

In [None]:
pwd

In [40]:
kubectl delete ingress example-ingress

ingress.networking.k8s.io "example-ingress" deleted


In [41]:
kubectl get ingress

No resources found in default namespace.


In [42]:
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: website
spec:
  tls:
    - hosts:
      - demo.$DOMAIN
      - info.$DOMAIN
      secretName: wildcard.tls
  rules:
  - host: info.$DOMAIN
    http:
      paths:
      - path: /web
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
      - path: /web/v2
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 8080
  - host: demo.$DOMAIN
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web2
            port:
              number: 8080
EOF

ingress.networking.k8s.io/website created


In [43]:
curl -k https://info.$DOMAIN/web
curl -k https://info.$DOMAIN/web/v2
curl -k https://demo.$DOMAIN/


Hello, world!
Version: 1.0.0
Hostname: web-79d88c97d6-w67s8
Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-kjqxc
Hello, world!
Version: 2.0.0
Hostname: web2-5d47994f45-kjqxc


In [44]:
kubectl get ingress

NAME      CLASS   HOSTS                                               ADDRESS        PORTS     AGE
website   nginx   info.192.168.49.2.nip.io,demo.192.168.49.2.nip.io   192.168.49.2   80, 443   9m35s


In [45]:
kubectl delete ingress website

ingress.networking.k8s.io "website" deleted


In [None]:
ls