8.3 Installing the NGINX Controller

To install the NGINX controller:
  1. Navigate to the $WORKDIR/kubernetes/helm14c/ directory and create a nginx-ingress-values-override.yaml file that contains the following:

    Note:

    The configuration below:
    • Assumes that you have oud-ds-rs installed with the value oud-ds-rs as the deployment/release name in the namespace oudns. If you use a different deployment name and/or namespace, change the configuration accordingly.
    • Deploys an ingress using LoadBalancer. If you prefer to use NodePort, change the configuration accordingly. For more details about NGINX configuration see: NGINX Ingress Controller.
    # Configuration for additional TCP ports to be exposed through Ingress
    # Format for each port would be like:
    # <PortNumber>: <Namespace>/<Service>
    tcp:
      # Map 1389 TCP port to LBR LDAP service to get requests handled through any available POD/Endpoint serving LDAP Port
      1389: oudns/oud-ds-rs-lbr-ldap:ldap
      # Map 1636 TCP port to LBR LDAP service to get requests handled through any available POD/Endpoint serving LDAPS Port
      1636: oudns/oud-ds-rs-lbr-ldap:ldaps
    controller:
      admissionWebhooks:
        enabled: false
      extraArgs:
        # The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server.
        # If this flag is not provided NGINX will use a self-signed certificate.
        # If the TLS Secret is in different namespace, name can be mentioned as <namespace>/<tlsSecretName>
        default-ssl-certificate: oudns/oud-ds-rs-tls-cert
      service:
        # controller service external IP addresses
        # externalIPs:
        #   - < External IP Address >
        # To configure Ingress Controller Service as LoadBalancer type of Service
        # Based on the Kubernetes configuration, External LoadBalancer would be linked to the Ingress Controller Service
        type: LoadBalancer
        # Configuration for NodePort to be used for Ports exposed through Ingress
        # If NodePorts are not defined/configured, a NodePort is assigned automatically by Kubernetes
        # These NodePorts are helpful while accessing services directly through Ingress and without having External Load Balancer.
        nodePorts:
          # For HTTP Interface exposed through LoadBalancer/Ingress
          http: 30080
          # For HTTPS Interface exposed through LoadBalancer/Ingress
          https: 30443
          tcp:
            # For LDAP Interface
            1389: 31389
            # For LDAPS Interface
            1636: 31636

    Note:

    If you do not have an external load balancer configured for your Kubernetes configuration, change type: LoadBalancer to type: NodePort.
  2. To install and configure NGINX Ingress, issue the following commands:
    cd $WORKDIR/kubernetes/helm14c/
    helm install --namespace <namespace> \
    --values nginx-ingress-values-override.yaml \
    lbr-nginx stable/ingress-nginx
    Where:
    • lbr-nginx is your deployment name
    • stable/ingress-nginx is the chart reference
    For example:
    cd $WORKDIR/kubernetes/helm14c/
    helm install --namespace mynginxns \
    --values nginx-ingress-values-override.yaml \
    lbr-nginx stable/ingress-nginx
    The output will look similar to the following:
    NAME: lbr-nginx
    LAST DEPLOYED: <DATE>
    NAMESPACE: mynginxns
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    The ingress-nginx controller has been installed.
    It may take a few minutes for the LoadBalancer IP to be available.
    You can watch the status by running 'kubectl --namespace mynginxns get services -o wide -w lbr-nginx-ingress-nginx-controller'
    
    An example Ingress that makes use of the controller:
    
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
        annotations:
          kubernetes.io/ingress.class: nginx
        name: example
        namespace: foo
      spec:
        rules:
          - host: www.example.com
            http:
              paths:
                - backend:
                    serviceName: exampleService
                    servicePort: 80
                  path: /
        # This section is only required if TLS is to be enabled for the Ingress
        tls:
            - hosts:
                - www.example.com
              secretName: example-tls
    
    If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
    
      apiVersion: v1
      kind: Secret
      metadata:
        name: example-tls
        namespace: foo
      data:
        tls.crt: <base64 encoded cert>
        tls.key: <base64 encoded key>
      type: kubernetes.io/tls

Optional: Using the helm upgrade Command to Update nginx-ingress

If required, an nginx-ingress deployment can be updated or upgraded with the following command.

In this example, the ingress-nginx configuration is updated with an additional TCP port and Node Port for accessing the LDAP/LDAPS port of a specific pod:
  1. Create a nginx-ingress-values-override.yaml that contains the following:
    # Configuration for additional TCP ports to be exposed through Ingress
    # Format for each port would be like:
    # <PortNumber>: <Namespace>/<Service>
    tcp: 
      # Map 1389 TCP port to LBR LDAP service to get requests handled through any available POD/Endpoint serving LDAP Port
      1389: oudns/oud-ds-rs-lbr-ldap:ldap
      # Map 1636 TCP port to LBR LDAP service to get requests handled through any available POD/Endpoint serving LDAPS Port
      1636: oudns/oud-ds-rs-lbr-ldap:ldaps
      # Map specific ports for LDAP and LDAPS communication from individual Services/Pods
      # To redirect requests on port 3890 to oudns/oud-ds-rs-ldap-0:ldap
      3890: oudns/oud-ds-rs-ldap-0:ldap
      # To redirect requests on port 6360 to oudns/oud-ds-rs-ldap-0:ldaps
      6360: oudns/oud-ds-rs-ldap-0:ldaps
      # To redirect requests on port 3891 to oudns/oud-ds-rs-ldap-1:ldap
      3891: oudns/oud-ds-rs-ldap-1:ldap
      # To redirect requests on port 6361 to oudns/oud-ds-rs-ldap-1:ldaps
      6361: oudns/oud-ds-rs-ldap-1:ldaps
      # To redirect requests on port 3892 to oudns/oud-ds-rs-ldap-2:ldap
      3892: oudns/oud-ds-rs-ldap-2:ldap
      # To redirect requests on port 6362 to oudns/oud-ds-rs-ldap-2:ldaps
      6362: oudns/oud-ds-rs-ldap-2:ldaps
      # Map 1444 TCP port to LBR Admin service to get requests handled through any available POD/Endpoint serving Admin LDAPS Port
      1444: oudns/oud-ds-rs-lbr-admin:adminldaps
      # To redirect requests on 4440 port to oudns/oud-ds-rs-0:adminldaps
      4440: oudns/oud-ds-rs-0:adminldaps
      # To redirect requests on 4441 port to oudns/oud-ds-rs-1:adminldaps
      4441: oudns/oud-ds-rs-1:adminldaps
      # To redirect requests on 4442 port to oudns/oud-ds-rs-2:adminldaps
      4442: oudns/oud-ds-rs-2:adminldaps
    controller:
      admissionWebhooks:
        enabled: false
      extraArgs:
        # The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server.
        # If this flag is not provided NGINX will use a self-signed certificate.
        # If the TLS Secret is in different namespace, name can be mentioned as <namespace>/<tlsSecretName>
        default-ssl-certificate: oudns/oud-ds-rs-tls-cert
      service:
        # controller service external IP addresses
        # externalIPs:
        #   - < External IP Address >
        # To configure Ingress Controller Service as LoadBalancer type of Service
        # Based on the Kubernetes configuration, External LoadBalancer would be linked to the Ingress Controller Service
        type: LoadBalancer
        # Configuration for NodePort to be used for Ports exposed through Ingress
        # If NodePorts are not defined/configured, a NodePort is assigned automatically by Kubernetes
        # These NodePorts are helpful while accessing services directly through Ingress and without having External Load Balancer.
        nodePorts:
          # For HTTP Interface exposed through LoadBalancer/Ingress
          http: 30080
          # For HTTPS Interface exposed through LoadBalancer/Ingress
          https: 30443
          tcp:
            # For LDAP Interface referring to LBR LDAP services serving LDAP port
            1389: 31389
            # For LDAPS Interface referring to LBR LDAP services serving LDAPS port
            1636: 31636
            # For LDAP Interface from specific service oud-ds-rs-ldap-0
            3890: 30890
            # For LDAPS Interface from specific service oud-ds-rs-ldap-0
            6360: 30360
            # For LDAP Interface from specific service oud-ds-rs-ldap-1
            3891: 30891
            # For LDAPS Interface from specific service oud-ds-rs-ldap-1
            6361: 30361
            # For LDAP Interface from specific service oud-ds-rs-ldap-2
            3892: 30892
            # For LDAPS Interface from specific service oud-ds-rs-ldap-2
            6362: 30362
            # For Admin LDAPS Interface referring to LBR Admin services serving adminldaps port
            1444: 31444
            # For Admin LDAPS Interface from specific service oud-ds-rs-0
            4440: 30440
            # For Admin LDAPS Interface from specific service oud-ds-rs-1
            4441: 30441
            # For Admin LDAPS Interface from specific service oud-ds-rs-2
            4442: 30442
  2. Run the following command to upgrade the ingress:
    helm upgrade --namespace <namespace> \
    --values nginx-ingress-values-override.yaml \
    lbr-nginx stable/ingress-nginx 
    Where:
    • lbr-nginx is your deployment name
    • stable/ingress-nginx is the chart reference
    For example:
    helm upgrade --namespace mynginxns \
    --values nginx-ingress-values-override.yaml \
    lbr-nginx stable/ingress-nginx
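
Before running helm install or helm upgrade, the override file can be checked for the mistakes that are easy to make when extending the tcp and nodePorts.tcp maps. The script below is an added example, not part of the original page or of the chart. Its function names and findings are illustrative, its parser handles only the nested key: value layout used in this file, and it assumes the port name ldap denotes the non-TLS listener, as the LDAP/LDAPS comments in the file indicate.

```python
# Constructed sample based on the upgrade override: 3891 lacks a nodePort, 6361 reuses 31636.
SAMPLE = """\
tcp:
  1389: oudns/oud-ds-rs-lbr-ldap:ldap
  1636: oudns/oud-ds-rs-lbr-ldap:ldaps
  3891: oudns/oud-ds-rs-ldap-1:ldap
  6361: oudns/oud-ds-rs-ldap-1:ldaps
controller:
  service:
    type: LoadBalancer
    nodePorts:
      tcp:
        1389: 31389
        1636: 31636
        6361: 31636
"""

def parse(text):
    """Parse nested 'key: value' mappings only (not a general YAML parser)."""
    stack = [(-1, {})]                 # (indent, mapping) per open block
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                   # blank or comment line
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()                # close blocks that ended above
        val = val.strip()
        stack[-1][1][key] = val or {}
        if not val:
            stack.append((indent, stack[-1][1][key]))
    return stack[0][1]

def audit(values):
    """Return (ingress_port, finding) pairs for tcp and nodePorts.tcp."""
    svc = values.get("controller", {}).get("service", {})
    node = svc.get("nodePorts", {}).get("tcp", {})
    findings, used = [], {}
    for port, target in values.get("tcp", {}).items():
        if target.rsplit(":", 1)[-1] == "ldap":   # named port 'ldap': no TLS
            findings.append((port, "cleartext LDAP exposed via " + svc.get("type", "?")))
        if port not in node:
            findings.append((port, "no fixed nodePort, Kubernetes assigns one"))
    for port, np in node.items():
        if np in used:
            findings.append((port, "nodePort %s also used by %s" % (np, used[np])))
        used.setdefault(np, port)
    return findings
```

To check a real file, call audit(parse(open("nginx-ingress-values-override.yaml").read())) and review each finding before applying the release.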