This documentation supports an earlier version of BMC Helix IT Operations Management on-premises deployment.

To view the documentation for the latest version, select 22.4 from the Product version picker.

Deploying the ingress controller for OpenShift or Kubernetes

The ingress controller is a load balancer for Kubernetes environments.

To deploy the ingress controller for OpenShift

  1. Download the attached ingress-scc.yaml file.
  2. Apply the ingress-scc.yaml file by using the following command:

    oc apply -f ingress-scc.yaml
  3. Get the deploy.yaml file by using the following command:

     wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.2.0/deploy/static/provider/cloud/deploy.yaml

    If you change the ingress configuration and decide not to use the attached deploy.yaml file, make sure that the INGRESS_CLASS value in the configs/infra.config file matches the class in your ingress definition.

  4. Update the deploy.yaml file to change the kind property of the ingress-nginx-controller from Deployment to DaemonSet.
  5. Apply the deploy.yaml file by using the following command:

    oc apply -f deploy.yaml
  6. Apply the Security Context Constraints (SCC) to service accounts by running the following commands in the order shown:

    oc adm policy add-scc-to-user ingress-scc -z default -n ingress-nginx
    oc adm policy add-scc-to-user ingress-scc -z ingress-nginx-admission -n ingress-nginx
    oc adm policy add-scc-to-user ingress-scc -z ingress-nginx -n ingress-nginx
  7. Create a secret from the trusted certificate and key. Depending on your cluster, run the following command:

    Note

    Ensure that the cert.pem file contains the full chain.

    oc create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n ingress-nginx
  8. In the ingress-controller, under daemonset, edit the args section to set the default certificate to my-tls-secret:

    oc edit daemonset ingress-nginx-controller -n ingress-nginx
    ...
        spec:
          containers:
          - args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --default-ssl-certificate=ingress-nginx/my-tls-secret
    ...



  9. Configure the ingress controller.

    1. Identify the configmap name by running the following command:

      kubectl get all -n <ingress_nginx_namespace>
    2. Edit the configmap, using the configmap name from your environment, and set the following values under data:

      kubectl edit cm <ingress_nginx_configmap> -n <ingress_nginx_namespace>
      
      data:
        enable-underscores-in-headers: "true"
        proxy-body-size: 250m
        server-name-hash-bucket-size: "1024"
        ssl-redirect: "false"
        use-forwarded-headers: "true"
  10. Verify that the pods are running on each worker node.
  11. Verify the version of the ingress controller from one of the pods' logs by using the following command:

    oc logs ingress-nginx-controller-XXXXX -n ingress-nginx | less
  12. Update the service ingress-nginx-controller and add load balancer IP as an external IP by using the following command:

    oc patch service/ingress-nginx-controller -n ingress-nginx -p '{"spec":{"externalIPs":["xxx.xxx.xxx.xxx"]}}'
  13. Update the load balancer settings to point to the correct ports of ingress-nginx-controller service. Check the ingress-nginx-controller service ports by using the following command:

    oc -n ingress-nginx get svc

    Example output:

    $ oc -n ingress-nginx get svc
    NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)                      AGE
    ingress-nginx-controller             LoadBalancer   10.43.43.12    XXX.XXX.XXX.XXX   80:31764/TCP,443:31864/TCP   24h
    ingress-nginx-controller-admission   ClusterIP      10.43.46.181   <none>            443/TCP                      24h
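
The kind change in step 4 (step 5 of the Rancher procedure) can be scripted, and the downloaded manifest checked before it is applied. The script below is an added example, not part of the BMC documentation or the ingress-nginx project; to_daemonset and precheck are hypothetical helper names.

```shell
#!/bin/sh
# Added example. deploy.yaml is the file fetched with wget in the steps above.

# to_daemonset FILE: print FILE with "kind: Deployment" changed to
# "kind: DaemonSet", only in the YAML document named ingress-nginx-controller.
to_daemonset() {
  awk '
    function flush(   i) {
      for (i = 1; i <= n; i++) {
        if (hit && buf[i] == "kind: Deployment") buf[i] = "kind: DaemonSet"
        print buf[i]
      }
      n = 0; hit = 0; meta = 0
    }
    /^---[ \t]*$/ { flush(); print; next }   # document separator
    { buf[++n] = $0 }
    /^metadata:/ { meta = 1; next }          # entering top-level metadata
    /^[^ #]/     { meta = 0 }                # any other top-level key
    meta && /^  name: ingress-nginx-controller[ \t]*$/ { hit = 1 }
    END { flush() }
  ' "$1"
}

# precheck FILE: fail unless FILE holds exactly one DaemonSet, then list each
# image reference, tagged by whether it is pinned to a sha256 digest.
precheck() {
  n=$(grep -c '^kind: DaemonSet[[:space:]]*$' "$1") || true
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one DaemonSet, found $n" >&2
    return 1
  fi
  awk '$1 == "image:" || ($1 == "-" && $2 == "image:") {
         tag = ($NF ~ /@sha256:/) ? "pinned" : "UNPINNED"
         print tag, $NF
       }' "$1" | sort -u
}

# Usage (run in the directory that holds the downloaded file):
#   to_daemonset deploy.yaml > deploy.tmp && mv deploy.tmp deploy.yaml
#   precheck deploy.yaml
```

Review the image list that precheck prints before running the apply command; an UNPINNED entry is a tag that can be repointed upstream.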


To deploy the ingress controller for Rancher-based Kubernetes

  1. If you have the ingress-nginx namespace, delete it by running the following commands:

    kubectl delete ds -n ingress-nginx nginx-ingress-controller
    kubectl -n ingress-nginx delete svc ingress-nginx-controller-admission
    kubectl delete clusterrole ingress-nginx
    kubectl delete ClusterRoleBinding ingress-nginx
    kubectl delete IngressClass nginx
    kubectl delete ValidatingWebhookConfiguration ingress-nginx-admission
    kubectl delete ns ingress-nginx
  2. Download the psp.yaml file from GitHub by using the following command:

    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
  3. If you have the restricted-psp property enabled by default, apply the psp.yaml file by using the following command:

    kubectl apply -f psp.yaml
  4. Get the deploy.yaml file from GitHub by using the following command:

    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.2.0/deploy/static/provider/cloud/deploy.yaml
  5. In the deploy.yaml file, make the following change for the ingress-nginx-controller:

    Parameter name    Change from    Change to
    kind              Deployment     DaemonSet

    Note

    The namespace for the ingress controller is ingress-nginx.

  6. Apply the deploy.yaml file by using the following command:

    kubectl apply -f deploy.yaml
  7. Create a secret with the certificate and key to be mounted on the ingress controller pods by using the following command:

    kubectl create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n ingress-nginx

    Important

    Ensure that the cert.pem file has the full chain in it.


  8. Edit the daemonset as described below:
    1. Add the secret that you created in the args section.
    2. Run the following command:

      kubectl edit daemonset ingress-nginx-controller -n ingress-nginx
    3. In the output, set the ingress-class parameter according to your requirement:

      ...
          spec:
            containers:
            - args:
              - /nginx-ingress-controller
              - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
              - --election-id=ingress-controller-leader
              - --controller-class=k8s.io/ingress-nginx
              - --ingress-class=nginx
              - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
              - --validating-webhook=:8443
              - --validating-webhook-certificate=/usr/local/certificates/cert
              - --validating-webhook-key=/usr/local/certificates/key
              - --default-ssl-certificate=ingress-nginx/my-tls-secret
      ...


  9. Configure the ingress controller.

    1. Identify the configmap name by running the following command:

      kubectl get all -n <ingress_nginx_namespace>
    2. Edit the configmap, using the configmap name from your environment, and set the following values under data:

      kubectl edit cm <ingress_nginx_configmap> -n <ingress_nginx_namespace>
      
      data:
        enable-underscores-in-headers: "true"
        proxy-body-size: 250m
        server-name-hash-bucket-size: "1024"
        ssl-redirect: "false"
        use-forwarded-headers: "true"
  10. Verify that the pods are running on each worker node.
  11. Update the service ingress-nginx-controller and add load balancer IP as an external IP by using the following command:

    kubectl patch service/ingress-nginx-controller -n ingress-nginx -p '{"spec":{"externalIPs":["xxx.xx.xx.xxx"]}}'
  12. Update the load balancer settings to point to the correct ports of ingress-nginx-controller service. Check the ingress-nginx-controller service ports by using the following command:

    kubectl -n ingress-nginx get svc

    Example output:

    $ kubectl -n ingress-nginx get svc
    NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)                      AGE
    ingress-nginx-controller             LoadBalancer   10.43.43.12    XXX.XXX.XXX.XXX   80:31764/TCP,443:31864/TCP   24h
    ingress-nginx-controller-admission   ClusterIP      10.43.46.181   <none>            443/TCP                      24h
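
Both procedures require cert.pem to contain the full chain. One way to check that, and that privkey.pem belongs to the leaf certificate, before creating my-tls-secret is shown below. This is an added example, not from the BMC documentation; chain_ok and key_matches are hypothetical names, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example; requires the openssl command-line tool.

# chain_ok CERT_PEM: succeed only if the file holds at least two certificates
# and each one names the certificate that follows it as its issuer (leaf
# first). This compares names only; it does not verify signatures.
chain_ok() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
      /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0 }
      /^issuer=/  { sub(/^issuer= */, "");  iss[n] = $0 }
      END {
        if (n < 2) { print "found " (n + 0) " certificate(s), no chain"; exit 1 }
        for (i = 1; i < n; i++)
          if (iss[i] != subj[i + 1]) {
            print "certificate " i " is not issued by certificate " (i + 1)
            exit 1
          }
      }'
}

# key_matches CERT_PEM KEY_PEM: succeed only if the private key belongs to the
# first (leaf) certificate, by comparing the two public keys.
key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage:
#   chain_ok /path/to/cert.pem && key_matches /path/to/cert.pem /path/to/privkey.pem
```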





Comments

  1. Dima Seliverstov
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
    

    I don't believe these should be set in Step 8. https://medium.com/swlh/kubernetes-validating-webhook-implementation-60f3352b66a#:~:text=So%2C%20what%20is%20a%20validating,and%20persisted%20to%20the%20datastore.

    Sep 23, 2022 03:02
    1. Mukta Kirloskar
      Feb 24, 2023 05:34
  2. John O'Toole

    Can we make step 8 something which can be copied and pasted like all the rest?

    Sep 27, 2022 10:47
  3. John O'Toole

    Step 2 seems to have the wrong file name compared to that downloaded in step 1.

    ingress.yaml Vs ingress-scc.yaml

    Sep 27, 2022 10:48
  4. Frank Thomae

    In step 5 for the ingress controller for Rancher-based Kubernetes, shouldn't it be "DaemonSet" instead of "Daemonset"?

    Jan 25, 2023 09:30
  5. Jürgen Dannerbauer

    The referred deploy.yaml is from service type Load Balancer. Shouldn't there be a difference in deployment between cloud-provider and onPrem deployments (without external load balancer integration) - wouldn't NodePort be better there?

    Apr 14, 2023 03:53
    1. Ashwini Sawanth

      Hi Juergen,

      We are checking for the details and will get back to you soon.

      Regards,

      Ashwini Sawanth

      Apr 15, 2023 12:21
  6. Ganesh Gore

    Hi Juergen, you may use the following baremetal deploy.yaml, which has the NodePort service. https://github.com/kubernetes/ingress-nginx/blob/controller-v1.2.0/deploy/static/provider/baremetal/deploy.yaml

    If you are using the above deploy.yaml, then you should skip the patching of the ingress-nginx-controller service with the external IP, as this deploy.yaml uses a NodePort service.

    -- Ganesh

    May 18, 2023 02:13