Deploying the ingress controller for OpenShift or Kubernetes
The ingress controller is a load balancer for Kubernetes environments.
Perform the following steps to install the ingress controller:
- Download controller-nginx-ingress-controller:nginx-0.32. You can download it by using the attached ingress.yaml file.
If you change the ingress configuration and decide not to use the attached ingress.yaml file, make sure that the INGRESS_CLASS value in the configs/infra.config file matches the class in your ingress definition.
- Create a secret from the trusted certificate and key. Depending on your cluster, run the following command:
OpenShift:
oc create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n default
Kubernetes:
kubectl create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n default
- In the ingress-controller, do the following:
  - In the args section, set the default certificate to my-tls-secret.
  - Set the ingress-class to knginx.
- Ensure that you set the ingress class to knginx in the configs/infra.config file as shown below:
INGRESS_CLASS=knginx
- (OpenShift) Create the Security Context Constraint (SCC). Run the following command:
oc create -f ingress-scc.yaml
- Create a namespace and an ingress controller. Run the following commands in the given order:
OpenShift:
1. oc new-project internet-ingress
2. oc create -f ingress.yaml
Kubernetes:
1. kubectl create ns internet-ingress
2. kubectl create -f ingress.yaml
- For OpenShift clusters, add the ADM policy. Run the following command:
oc adm policy add-scc-to-user ingress-scc -z internet-ingress-serviceaccount -n internet-ingress
- Update the DNS records in the infra.config file. All parameters in the infra.config file must have a valid DNS entry. The following entries are required for the ingress controller:
  - TMS: Value of the TMS_LB_HOST parameter
  - RSSO: Value of the LB_HOST parameter
  - Tenant: Derived from ENVIRONMENT, TENANT_TYPE, and DOMAIN parameters
  - MinIO: Value of the MINIO_LB_HOST parameter
  - Self-observability: Derived from ENVIRONMENT, TENANT_TYPE, and DOMAIN parameters - $COMPANY_NAME-self-$TENANT_TYPE-$ENVIRONMENT$DOMAIN
  - (Only for BMC Helix Operations Management) BMC Discovery Appliance: Derived from ENVIRONMENT, TENANT_TYPE, and DOMAIN parameters - $COMPANY_NAME-disc-$TENANT_TYPE-$ENVIRONMENT$DOMAIN
  - (Only for BMC Helix Continuous Optimization) Derived from ENVIRONMENT, TENANT_TYPE, and DOMAIN parameters - $COMPANY_NAME-optimize-$TENANT_TYPE-$ENVIRONMENT$DOMAIN
    For example: acme-optimize-private-poc.acme.com
  For more information about the infra.config and deployment.config files, see Configuration file settings.
- Edit or patch the external IP addresses of the load balancer, which computers outside your local network use to connect to and identify your network.
In a Kubernetes environment, pods are nonpermanent resources whose IP addresses keep changing. External IPs are required for the frontends to keep track of the pods.
For information about the external IP format, see the Kubernetes documentation.
Run the following command:
OpenShift:
oc edit svc internet-ingress -n internet-ingress
Kubernetes:
kubectl edit svc internet-ingress -n internet-ingress
- Delete the ingress controller pods.
- Verify that the URL shows a secured connection.
- Configure the load balancer.
Add the ports for the following:
- The load balancer input port (443)
- The load balancer output nodes, which are the worker nodes
- The external ports for the load balancer output nodes. Obtain these nodes from the ingress controller. Use the following command, where port 31391 is configured and maps to the Kubernetes internal port 443:
>kubectl get service | head -1
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
>kubectl get service -A | grep internet-ingress | grep LoadBalancer
internet-ingress internet-ingress LoadBalancer 172.30.242.1 172.25.146.75 443:31391/TCP,80:30888/TCP 9d
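The following script is an added example, not part of the BMC documentation or of the attached ingress.yaml. It checks that INGRESS_CLASS in configs/infra.config matches the ingress class and default certificate set in the controller arguments, and lists the host names from the DNS step that need records. It assumes infra.config holds KEY=VALUE lines and that the controller arguments are written as --ingress-class=... and --default-ssl-certificate=namespace/secret; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not BMC's code. Assumed layouts: KEY=VALUE lines in
# infra.config; controller args written as "- --flag=value" in ingress.yaml.

cfg_get() {  # cfg_get FILE KEY -> value, optional quotes stripped
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

need() {  # like cfg_get, but fails when the key is missing or empty
  local v; v=$(cfg_get "$1" "$2")
  [ -n "$v" ] || { echo "missing $2 in $1" >&2; return 1; }
  echo "$v"
}

ingress_arg() {  # ingress_arg FILE FLAG -> value of "- --FLAG=value"
  sed -n "s/^[[:space:]]*-[[:space:]]*[\"']\{0,1\}--$2=\([^[:space:]\"']*\).*/\1/p" "$1" | head -n 1
}

# Succeeds only if INGRESS_CLASS equals --ingress-class and the default
# certificate is the expected namespace/secret (default/my-tls-secret here).
check_ingress() {  # check_ingress INFRA_CONFIG INGRESS_YAML NAMESPACE/SECRET
  local want got cert
  want=$(need "$1" INGRESS_CLASS) || return 1
  got=$(ingress_arg "$2" ingress-class)
  cert=$(ingress_arg "$2" default-ssl-certificate)
  [ "$want" = "$got" ] || { echo "class: config=$want manifest=$got" >&2; return 1; }
  [ "$cert" = "$3" ] || { echo "certificate: $cert, expected $3" >&2; return 1; }
}

# Host names that need DNS records, built from the patterns on this page.
required_hosts() {  # required_hosts INFRA_CONFIG
  local k company tenant envname domain
  for k in TMS_LB_HOST LB_HOST MINIO_LB_HOST; do need "$1" "$k" || return 1; done
  company=$(need "$1" COMPANY_NAME) && tenant=$(need "$1" TENANT_TYPE) &&
    envname=$(need "$1" ENVIRONMENT) && domain=$(need "$1" DOMAIN) || return 1
  # The page's example (acme-optimize-private-poc.acme.com) has a dot before
  # the domain; add it when DOMAIN is stored without one.
  case $domain in .*) ;; *) domain=".$domain" ;; esac
  # disc applies only to BMC Helix Operations Management, optimize only to
  # BMC Helix Continuous Optimization.
  for k in self disc optimize; do echo "$company-$k-$tenant-$envname$domain"; done
}
```

Run check_ingress configs/infra.config ingress.yaml default/my-tls-secret before creating the controller, and confirm that each name printed by required_hosts resolves, for example with getent hosts.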
Comments
Hello,
This file is only for OpenShift.
Thank you.
[root@helix-k8s-master01 tmp]# kubectl create -f ingress.yaml
service/internet-ingress created
deployment.apps/default-http-backend-internal-internal created
service/default-http-backend-internal created
configmap/internet-ingress-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/internet-ingress-serviceaccount created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/internet-ingress-clusterrole created
Warning: rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
role.rbac.authorization.k8s.io/internet-ingress-role created
Warning: rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
rolebinding.rbac.authorization.k8s.io/internet-ingress-role-nisa-binding created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/internet-ingress-clusterrole-nisa-binding created
error: error validating "ingress.yaml": error validating data: ValidationError(DaemonSet.spec): unknown field "replicas" in io.k8s.api.apps.v1.DaemonSetSpec; if you choose to ignore these errors, turn validation off with --validate=false
[root@helix-k8s-master01 tmp]#
Hi documentation team. The content on this page between "The ingress controller is a load balancer for Kubernetes environments." and "13. Configure the load balancer" is repeated several times.
Thank you. This is fixed.
On step 7 under Kubernetes, the command has a typo: it should be kubectl, rather than kuebctl. Also, we are confused on Step 11. Are you saying deploy the ingress controller, then delete the ingress controller pods? Can we get a bit more clarification on this step? Is the ingress controller handled elsewhere?
Thank you. This is fixed.
The file in Step 2 has a different name and does not contain the modifications recommended in step (Deploying BMC Helix common services for BMC Helix IT Service Management - Documentation for BMC Helix IT Operations Management deployment 21.3 - BMC Documentation). Why is step 3 needed? - If you terminate the SSL at the LB, it is not needed (see also 12 and 13). Step 11 - You delete the pods because you cannot restart them to use the new configuration.
Hello,
We have updated the documentation. Please let us know if you have more questions.
Thank you.
In the last step, the port is wrong. Based on the example, it should be 31391, not 31301.
This is fixed.
In step 8, I think the command should start with "oc adm policy ". The command should be "oc adm policy add-scc-to-user ingress-scc -z internet-ingress-serviceaccount -n internet-ingress"
You are right, Simone, except that it is step 7 (not 8). BMC, please correct.
Thank you for the comments. This is now corrected.
The attached ingress.yaml file contains annotations for AWS? I assume they should be removed/modified?
https://docs.bmc.com/docs/display/brid21304/System+requirements documents further requirements for ingress. It would be nice if these were included in configmap in yaml file.
Hello,
If your system does not use AWS, the AWS annotations will be ignored.
Thank you.