arrow_back

NGINX Ingress Controller on Google Kubernetes Engine

Partecipa Accedi

NGINX Ingress Controller on Google Kubernetes Engine

1 ora 5 crediti

GSP181

Google Cloud self-paced labs logo

Overview

In Kubernetes, Ingress allows external users and client applications access to HTTP services. Ingress consists of two components: an Ingress Resource and an Ingress Controller:

  • Ingress Resource is a collection of rules for the inbound traffic to reach Services. These are Layer 7 (L7) rules that allow hostnames (and optionally paths) to be directed to specific Services in Kubernetes.
  • Ingress Controller acts upon the rules set by the Ingress Resource, typically via an HTTP or L7 load balancer. It is vital that both pieces are properly configured so that traffic can be routed from an outside client to a Kubernetes Service.

NGINX—a high performance web server—is a popular choice for an Ingress Controller because of its robustness and the many features it boasts. For example, it supports:

  • Websockets, which allows you to load balance Websocket applications.
  • SSL Services, which allows you to load balance HTTPS applications.
  • Rewrites, which allows you to rewrite the URI of a request before sending it to the application.
  • Session Persistence (NGINX Plus only), which guarantees that all the requests from the same client are always passed to the same backend container.
  • JWTs (NGINX Plus only), which allows NGINX Plus to authenticate requests by validating JSON Web Tokens (JWTs).

The following diagram illustrates the basic flow of an Ingress Controller in Google Cloud and gives you a rough idea of what you'll be building:

The Ingress Controller diagram, which flows from User > Ingress Controller > Service: app, and the Ingress Controller > Ingress Resources.

Objectives

In this lab, you will configure a Kubernetes deployment with an Ingress Resource. You will use NGINX as an Ingress Controller, which you will use to route and load balance traffic from external clients to the deployment. More specifically, you will:

  • Deploy a simple Kubernetes web application.
  • Deploy an NGINX Ingress Controller using a stable Helm Chart.
  • Deploy an Ingress Resource for the application that uses NGINX Ingress as the controller.
  • Test NGINX Ingress functionality by accessing the Google Cloud L4 (TCP/UDP) Load Balancer frontend IP and ensure it can access the web application.

Prerequisites

This is an advanced level lab. Experience with Kubernetes and/or containerized applications is suggested. Familiarity with NGINX and Helm is recommended, but not required. If you are looking to get up to speed in these services, be sure to check out the following labs:

Once you're ready, scroll down to get your lab environment set up.

Setup

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab---remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left. Navigation menu icon

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell Activate Cloud Shell icon at the top of the Google Cloud console.

  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:

Your Cloud Platform project in this session is set to YOUR_PROJECT_ID

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  1. (Optional) You can list the active account name with this command:

gcloud auth list

Output:

ACTIVE: * ACCOUNT: student-01-xxxxxxxxxxxx@qwiklabs.net To set the active account, run: $ gcloud config set account `ACCOUNT`
  1. (Optional) You can list the project ID with this command:

gcloud config list project

Output:

[core] project = <project_ID>

Example output:

[core] project = qwiklabs-gcp-44776a13dea667a6 Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Understanding Regions and Zones

Certain Compute Engine resources live in regions or zones. A region is a specific geographical location where you can run your resources. Each region has one or more zones. For example, the us-central1 region denotes a region in the Central United States that has zones us-central1-a, us-central1-b, us-central1-c, and us-central1-f.

Regions Zones
Western US us-west1-a, us-west1-b
Central US us-central1-a, us-central1-b, us-central1-d, us-central1-f
Eastern US us-east1-b, us-east1-c, us-east1-d
Western Europe europe-west1-b, europe-west1-c, europe-west1-d
Eastern Asia asia-east1-a, asia-east1-b, asia-east1-c

Resources that live in a zone are referred to as zonal resources. Virtual machine Instances and persistent disks live in a zone. To attach a persistent disk to a virtual machine instance, both resources must be in the same zone. Similarly, if you want to assign a static IP address to an instance, the instance must be in the same region as the static IP.

Learn more about regions and zones and see a complete list in the Compute Engine page, Regions and zones documentation).

Task 1. Set a zone

Before creating a Kubernetes cluster, you'll have to set a default computing zone for our Google Cloud project.

  1. Run the following command to see a list of Google Cloud zones:

gcloud compute zones list
  1. Now run the following command to set your zone (in this case to ):
gcloud config set compute/zone {{{project_0.default_zone}}}

Task 2. Create a Kubernetes cluster

Now that the zone is configured, deploy a Kubernetes Engine cluster.

  • Run the following command to create a cluster named nginx-tutorial that's made up of two nodes (or worker machines):

gcloud container clusters create nginx-tutorial \ --machine-type e2-small \ --num-nodes 2

It will take a few minutes for this command to complete. Continue when you get a similar output in Cloud Shell:

Image of Cloud shell displaying output result

Test completed task

Click Check my progress to verify your performed task. If you have successfully created Kubernetes cluster, you will see an assessment score.

Create a Kubernetes cluster

Task 3. Install Helm

Now that you have your Kubernetes cluster up and running, you will use Helm to add the NGINX Ingress Controller. Helm is a tool that streamlines Kubernetes application installation and management. You can think of it like apt, yum, or homebrew for Kubernetes. Helm Charts are maintained by the Kubernetes community.

  1. Run helm version in Cloud Shell to check which version you are using and also ensure that Helm is installed:

helm version
  1. Add the chart repository and ensure the chart list is up to date:

helm repo add nginx-stable https://helm.nginx.com/stable helm repo update

Task 4. Deploy an application in Kubernetes Engine

Now that you have Helm configured, deploy a simple web-based application from the Google Cloud Repository. This application will be used as the backend for the Ingress.

  1. From the Cloud Shell, run the following command:

kubectl create deployment hello-app --image=gcr.io/google-samples/hello-app:1.0

Your output should resemble the following:

deployment.apps/hello-app created

Test completed task

Click Check my progress to verify your performed task. If you have successfully deployed an application in Kubernetes Engine, you will see an assessment score.

Deploy an application in Kubernetes Engine
  1. Now expose the hello-app Deployment as a Service by running the following command:

kubectl expose deployment hello-app --port=8080

Your output should resemble the following:

service/hello-app exposed

Test completed task

Click Check my progress to verify your performed task. If you have successfully exposed the created deployment as a service, you will see an assessment score.

Expose the created deployment as a service

Task 5. Deploying the NGINX Ingress controller via Helm

The Kubernetes platform gives administrators flexibility when it comes to Ingress Controllers—you can integrate your own rather than having to work with your provider's built-in offering. The NGINX controller must be exposed for external access. This is done using Service type: LoadBalancer on the NGINX controller service. On Kubernetes Engine, this creates a Google Cloud Network (TCP/IP) Load Balancer with NGINX controller Service as a backend. Google Cloud also creates the appropriate firewall rules within the Service's VPC to allow web HTTP(S) traffic to the load balancer frontend IP address.

NGINX Ingress controller on Kubernetes Engine

The following flowchart is a visual representation of how an NGINX controller runs on a Kubernetes Engine cluster:

A diagram depicting the different phases of an NGINX controllwer running on a Kubernetes Engine cluster.

Deploy NGINX Ingress Controller

  1. Now that you have the bigger picture in mind, go ahead and deploy the NGINX Ingress Controller. Run the following command to do so:

helm install nginx-ingress nginx-stable/nginx-ingress --set rbac.create=true Note: Please ignore if any deprecation warning. kubectl get service

Wait a few moments while the Google Cloud L4 Load Balancer gets deployed.

  1. Confirm that the nginx-ingress-nginx-ingress Service has been deployed and that you have an external IP address associated with the service by running the following command:

kubectl get service nginx-ingress-nginx-ingress

You receive a similar output:

NAME TYPE CLUSTER-IP EXTERNAL-IP nginx-ingress-nginx-ingress LoadBalancer 10.7.248.226 35.226.162.176

Test completed task

Click Check my progress to verify your performed task. If you have successfully deployed the NGINX Ingress Controller via Helm, you will see an assessment score.

Deploy the NGINX Ingress Controller via Helm

Task 6. Configure Ingress Resource to use NGINX Ingress Controller

An Ingress Resource object is a collection of L7 rules for routing inbound traffic to Kubernetes Services. Multiple rules can be defined in one Ingress Resource or they can be split up into multiple Ingress Resource manifests. The Ingress Resource also determines which controller to utilize to serve traffic. This can be set with an annotation, kubernetes.io/ingress.class, in the metadata section of the Ingress Resource.

  1. For the NGINX controller, you will use the nginx value as shown below:

annotations: kubernetes.io/ingress.class: nginx
  1. On Kubernetes Engine, if no annotation is defined under the metadata section, the Ingress Resource uses the Google Cloud GCLB L7 load balancer to serve traffic. This method can also be forced by setting the annotation's value to gce, like below:

annotations: kubernetes.io/ingress.class: gce
  1. Create a simple Ingress Resource YAML file which uses the NGINX Ingress Controller and has one path rule defined by typing the following commands:

touch ingress-resource.yaml nano ingress-resource.yaml
  1. Add the following content in ingress-resource.yaml file:

apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-resource annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/ssl-redirect: "false" spec: rules: - host: $NGINX_INGRESS_CONTROLLER_IP.nip.io http: paths: - path: /hello pathType: Prefix backend: service: name: hello-app port: number: 8080
  1. Then press Ctrl-X, then press Y, then press Enter to save the file.

The kind: Ingress dictates it is an Ingress Resource object. This Ingress Resource defines an inbound L7 rule for path /hello to service hello-app on port 8080.

  1. Get your NGINX Ingress Controller IP and store it in an environment variable:

export NGINX_INGRESS_CONTROLLER_IP=$(kubectl get services nginx-ingress-nginx-ingress --output jsonpath='{.status.loadBalancer.ingress[0].ip}') echo $NGINX_INGRESS_CONTROLLER_IP envsubst '$NGINX_INGRESS_CONTROLLER_IP' < ingress-resource.yaml | tee ingress-resource.yaml
  1. Run the following command to apply your Ingress rules to your Kubernetes application:

kubectl apply -f ingress-resource.yaml
  1. Verify that Ingress Resource has been created:

kubectl get ingress ingress-resource Note: The IP address for the Ingress Resource will not be defined right away. Wait a few moments for the ADDRESS field to get populated.

Your output should resemble the following:

NAME HOSTS ADDRESS PORTS AGE ingress-resource * 80

Test Ingress and default backend

You should now be able to access the web application by going to the host address, EXTERNAL-IP.nip.io/hello, of the NGINX ingress nginx ingress (found by running kubectl get service nginx-ingress-nginx-ingress).

  1. Open a new tab and go to the following, replacing the [EXTERNAL-IP] with the external IP address of the NGINX ingress controller:

http://[EXTERNAL-IP].nip.io/hello

Your page should look similar to the following:

hello-world page, displaying Hello, World message, Version: 1.0.0, and Hostname: hello-app-7f66f95b44-f5srv

  1. To check if the default-backend service is working properly, access any path (other than the path /hello defined in the Ingress Resource) and ensure you receive a 404 message. For example:

http://external-ip-of-ingress-controller/test

Your page should look similar to the following:

Hello page displaying 404 Not Found error message

Congratulations!

Great work! In this lab you deployed a Kubernetes cluster with an NGINX Ingress Controller. You now have the experience and know-how to use Ingress Controllers in your own Kubernetes applications.

Finish your quest

This self-paced lab is part of the Kubernetes Solutions quest. A quest is a series of related labs that form a learning path. Completing this quest earns you a badge to recognize your achievement. You can make your badge or badges public and link to them in your online resume or social media account. Enroll in any quest that contains this lab and get immediate completion credit. See the Google Cloud Skills Boost catalog to see all available quests.

Take your next lab

Check out these labs:

Next steps / learn more

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated September 26, 2022

Lab Last Tested September 26, 2022

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.