Version: 1.6

Exposing your Applications via Ingress

To allow traffic to your applications, you must set up an Ingress resource and a network policy. Ingress exposes HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Network policies let you specify how a pod is allowed to communicate with various types of network entities over the network.

This topic gives instructions for using Wayfinder to generate and apply a .yaml file that combines an Ingress resource and a network policy.

Generate an Ingress resource and network policy

Prerequisites

  • The workload you want to expose on an external domain is already running in a namespace on a cluster, using TLS.

  • The workload you want to expose already has a corresponding kubernetes service.

  • The external domain on which you want to expose the application has been configured in Wayfinder.

  • In your cluster's Capabilities tab, the nginx-ingress capability must be enabled:

    Ingress capability enabled

Example

The steps below generate an ingress.yaml file containing an Ingress resource and a network policy.

The example used in these steps assumes that your application:

  • is deployed into the namespace bob
  • has a myappservice Kubernetes service that defines the 8443 https port
  • should be publicly accessible on the Internet at app1.myproject.com
  • should have a valid TLS certificate from a trusted certificate provider

To generate an ingress.yaml file for an application:

  1. In the Wayfinder UI, navigate to Resources > Clusters, and then click the name of the cluster where your workload is running.

  2. Find and expand the namespace where the workload is running, click the Actions tab, and then click Ingress Resource Generator.

    Note: You can also access the Ingress Resource Generator from the Resources > DNS zones page. From there, click Expose application via ingress next to the DNS zone for your app, and then follow the steps below.

  3. Fill out the form in Step 1 of 4 as shown in this example:

    Ingress Generator

    The UI dynamically generates the corresponding ingress.yaml file in Step 2 of 4 on this form.

    Here's the ingress.yaml file generated in this example:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: myappservice-ingress
      namespace: bob
      annotations:
        # cert-manager issues the TLS certificate through this cluster issuer
        cert-manager.io/cluster-issuer: "prod-le-dns01"
    spec:
      ingressClassName: external
      rules:
        - host: app1.myproject.com
          http:
            paths:
              - backend:
                  service:
                    name: myappservice
                    port:
                      number: 8443
                path: /
                pathType: Prefix
      tls:
        - hosts:
            - app1.myproject.com
          secretName: myappservice-ingress-tls
    ---
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: myappservice-ingress
      # Same namespace as the workload and the Ingress
      namespace: bob
    spec:
      ingress:
        # Only the ingress controller namespace may reach the app port
        - ports:
            - protocol: TCP
              port: 8443
          from:
            - namespaceSelector:
                matchLabels:
                  name: wf-ingress
      podSelector:
        matchLabels:
          name: "myapp"
      policyTypes:
        - Ingress

  4. Follow the UI instructions in Steps 3 and 4 on the Wayfinder CLI:

    1. Apply the ingress.yaml file.

      $ kubectl --context myworkspace.eks-development -n bob apply -f ingress.yaml

    2. Check that the service is exposed on the external domain.

      $ kubectl --context myworkspace.eks-development -n bob get ingress myappservice-ingress

Expose a service via HTTP01 Challenge

The above example assumes the domain is managed via ExternalDNS. However, you may not have permission to manage the domain records. In that case, you can use the HTTP01 challenge.

In the example below:

  • It is assumed that you've pointed the DNS record for the exposed service to the Ingress controller, or you have wildcarded the domain to the Ingress controller.
  • The Ingress is almost identical to the one in the managed DNS example, except that the cluster-issuer is prod-le-http01.
  • There is an additional NetworkPolicy, allows-http01-resolver, which permits the cert-manager service to handle the challenge.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: allow-ingress
  annotations:
    kubernetes.io/ingress.class: external
    cert-manager.io/cluster-issuer: prod-le-http01
spec:
  tls:
    - hosts:
        - myapp.example.com
      secretName: testsecret-tls
  rules:
    - host: myapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
---
# Allow traffic from the ingress namespace to the service
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allows-ingress
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress
      ports:
        - protocol: TCP
          port: 8080
---
# Allow traffic to the challenge resolver created by cert-manager
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allows-http01-resolver
spec:
  podSelector:
    matchLabels:
      'acme.cert-manager.io/http01-solver': 'true'
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress
      ports:
        - protocol: TCP
          port: 8089
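
A consistency check for the combined files in both sections above, as an added example (not Wayfinder's code or output): it flags an Ingress with no NetworkPolicy in its namespace, a backend port that no policy opens, a host without a TLS entry, and an HTTP01 issuer with no policy for the solver pods. Manifests are plain dicts, as a YAML loader would return them. The function names, the sample builders, and the rule that issuer names ending in `http01` use the HTTP01 solver are assumptions.

```python
SOLVER_LABEL = "acme.cert-manager.io/http01-solver"  # solver pod label from this page
def ns(doc):
    return doc["metadata"].get("namespace", "default")

def allowed_ports(policy):  # TCP ports opened by a NetworkPolicy's ingress rules
    return {p["port"] for rule in policy["spec"].get("ingress", [])
            for p in rule.get("ports", []) if p.get("protocol", "TCP") == "TCP"}

def lint(docs):  # returns a list of findings; [] means the file is consistent
    findings = []
    policies = [d for d in docs if d["kind"] == "NetworkPolicy"]
    for ing in (d for d in docs if d["kind"] == "Ingress"):
        name, spec = ing["metadata"]["name"], ing["spec"]
        local = [p for p in policies if ns(p) == ns(ing)]
        if not local:
            findings.append(f"{name}: no NetworkPolicy in namespace {ns(ing)}")
        tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
        for rule in spec.get("rules", []):
            if rule["host"] not in tls_hosts:
                findings.append(f"{name}: host {rule['host']} has no TLS entry")
            for path in rule["http"]["paths"]:
                port = path["backend"]["service"]["port"]["number"]
                # Assumption: the Service port equals the pod port, as in the page's examples.
                if local and not any(port in allowed_ports(p) for p in local):
                    findings.append(f"{name}: port {port} not opened by any NetworkPolicy")
        issuer = ing["metadata"].get("annotations", {}).get("cert-manager.io/cluster-issuer", "")
        # Assumption: issuer names ending in "http01" use the HTTP01 solver.
        if issuer.endswith("http01") and not any(
                SOLVER_LABEL in p["spec"].get("podSelector", {}).get("matchLabels", {})
                for p in local):
            findings.append(f"{name}: HTTP01 issuer but no policy admits the solver pods")
    return findings

def ingress(namespace, host, port, issuer):  # constructed sample manifest
    backend = {"service": {"name": "myappservice", "port": {"number": port}}}
    return {"kind": "Ingress",
            "metadata": {"name": "myappservice-ingress", "namespace": namespace,
                         "annotations": {"cert-manager.io/cluster-issuer": issuer}},
            "spec": {"tls": [{"hosts": [host]}],
                     "rules": [{"host": host, "http": {"paths": [{"backend": backend}]}}]}}

def policy(namespace, port, labels):  # constructed sample manifest
    return {"kind": "NetworkPolicy", "metadata": {"name": "sample", "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": labels},
                     "ingress": [{"ports": [{"protocol": "TCP", "port": port}]}]}}

if __name__ == "__main__":  # policy left in another namespace: one finding
    print(lint([ingress("bob", "app1.myproject.com", 8443, "prod-le-dns01"),
                policy("test", 8443, {"name": "myapp"})]))
```

A finding means the Ingress may route to a workload that the network policy still blocks, or that the certificate challenge cannot complete.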

Manually create an Ingress resource and network policy

If you wish, you can create separate .yaml files for the Ingress resource and the network policy (or combine them into one file), and then apply them without using Wayfinder's generated file. For more information, see the Kubernetes documentation for:

Sample Ingress resource: You can see an example of the Ingress resource definition in the top part of the sample ingress.yaml file above (where kind is Ingress).

Sample network policy: You can see an example network policy in the lower part of the sample ingress.yaml file above (where kind is NetworkPolicy). See also Create Network Policies.