Deploying and configuring the ingress controller for OpenShift or Kubernetes


The ingress controller is a load balancer for Kubernetes environments. Before deploying BMC Helix IT Operations Management, you must deploy and configure the ingress controller.

To deploy the ingress controller for OpenShift

  1. Download the attached ingress-scc.yaml file.
  1. Apply the ingress-scc.yaml file by using the following command:

    oc apply -f ingress-scc.yaml
  2. Get the deploy.yaml file by using the following command:

     wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml

    If you change the ingress configuration and decide not to use the attached deploy.yaml file, make sure that the INGRESS_CLASS value in the configs/infra.config file matches the class in your ingress definition.

  3. Update the deploy.yaml file to change the kind property of the ingress-nginx-controller from Deployment to DaemonSet.
  4. Apply the deploy.yaml file by using the following command:

    oc apply -f deploy.yaml
  5. Apply the Security Context Constraints (SCC) to service accounts by running the following commands in the order shown:

    oc adm policy add-scc-to-user ingress-scc -z default -n ingress-nginx
    oc adm policy add-scc-to-user ingress-scc -z ingress-nginx-admission -n ingress-nginx
    oc adm policy add-scc-to-user ingress-scc -z ingress-nginx -n ingress-nginx
  6. Create a secret from the trusted certificate and key. Depending on your cluster, run the following command:

    Important

    Ensure that the cert.pem file contains the full chain.

    oc create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n ingress-nginx
  7. In the ingress-controller, under daemonset, edit the args section to set the default certificate to my-tls-secret:

    oc edit daemonset ingress-nginx-controller -n ingress-nginx
    ...
       spec:
          containers:
          - args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --default-ssl-certificate=ingress-nginx/my-tls-secret
    ...


  8. Configure the ingress controller. Perform the following steps:
    1. Identify the configmap name by running the following command:

      kubectl get cm -n <ingress_nginx_namespace>
    2. Edit the configmap, using the configmap name from your environment, by running the following command, and make sure that the data section contains the following values:

      kubectl edit cm <ingress_nginx_configmap> -n <ingress_nginx_namespace>

      data:
        enable-underscores-in-headers: "true"
        proxy-body-size: 250m
        server-name-hash-bucket-size: "1024"
        ssl-redirect: "false"
        use-forwarded-headers: "true"
        worker-processes: "40"

      Important

      The configurations shown above are mandatory. Apart from these, you can retain any other configurations according to your requirement.

  9. Verify that the pods are running on each worker node.
  10. Verify the version of the ingress controller from one of the pods' logs by using the following command:

    oc logs ingress-nginx-controller-XXXXX | less
  11. Update the service ingress-nginx-controller and add the load balancer IP as an external IP by using the following command:

    oc patch service/ingress-nginx-controller -n ingress-nginx -p '{"spec":{"externalIPs":["xxx.xxx.xxx.xxx"]}}'

    Here, xxx.xxx.xxx.xxx is the IP that the LB_HOST value resolves to.

  12. Update the load balancer settings to point to the correct ports of the ingress-nginx-controller service. Check the ingress-nginx-controller service ports by using the following command:

    oc -n ingress-nginx get svc

    Example output:

    $ oc -n ingress-nginx get svc
    NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)                      AGE
    ingress-nginx-controller             LoadBalancer   10.43.43.12    XXX.XXX.XXX.XXX   80:31764/TCP,443:31864/TCP   24h
    ingress-nginx-controller-admission   ClusterIP      10.43.46.181   <none>            443/TCP                      24h


To deploy the ingress controller for Rancher-based Kubernetes

  1. If you have the ingress-nginx namespace, delete it by running the following commands:

    kubectl delete ds -n ingress-nginx nginx-ingress-controller
    kubectl -n ingress-nginx delete svc ingress-nginx-controller-admission
    kubectl delete clusterrole ingress-nginx
    kubectl delete ClusterRoleBinding ingress-nginx
    kubectl delete IngressClass nginx
    kubectl delete ValidatingWebhookConfiguration ingress-nginx-admission
    kubectl delete ns ingress-nginx
  2. Download the psp.yaml file from GitHub by using the following command:

    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/psp/psp.yaml
  3. If you have the restricted-psp property enabled by default, apply the psp.yaml file by using the following command:

    kubectl apply -f psp.yaml
  4. Get the deploy.yaml file from GitHub by using the following command:

    wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.0/deploy/static/provider/cloud/deploy.yaml
  5. In the deploy.yaml file, make the following change for the ingress-nginx-controller:

    Important

    The namespace for the ingress controller is ingress-nginx.

  6. Apply the deploy.yaml file by using the following command:

    kubectl apply -f deploy.yaml
  7. Create a secret with the certificate and key to be mounted on the ingress controller pods by using the following command:

    kubectl create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n ingress-nginx

    Important

    Ensure that the cert.pem file has the full chain in it.

  8. Edit the daemonset as described below:
    1. Add the secret that you created in the args section.
    2. Run the following command:

      kubectl edit daemonset ingress-nginx-controller -n ingress-nginx
    3. In the output, set the ingress-class parameter according to your requirement:

      ...
         spec:
            containers:
            - args:
              - /nginx-ingress-controller
              - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
              - --election-id=ingress-controller-leader
              - --controller-class=k8s.io/ingress-nginx
              - --ingress-class=nginx
              - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
              - --validating-webhook=:8443
              - --validating-webhook-certificate=/usr/local/certificates/cert
              - --validating-webhook-key=/usr/local/certificates/key
              - --default-ssl-certificate=ingress-nginx/my-tls-secret
      ...

  9. Configure the ingress controller. Perform the following steps:
    1. Identify the configmap name by running the following command:

      kubectl get cm -n <ingress_nginx_namespace>
    2. Edit the configmap, using the configmap name from your environment, by running the following command, and make sure that the data section contains the following values:

      kubectl edit cm <ingress_nginx_configmap> -n <ingress_nginx_namespace>

      data:
        enable-underscores-in-headers: "true"
        proxy-body-size: 250m
        server-name-hash-bucket-size: "1024"
        ssl-redirect: "false"
        use-forwarded-headers: "true"
        worker-processes: "40"

      Important

      The configurations shown above are mandatory. Apart from these, you can retain any other configurations according to your requirement.

  10. Verify that the pods are running on each worker node.
  11. Update the service ingress-nginx-controller and add the load balancer IP as an external IP by using the following command:

    kubectl patch service/ingress-nginx-controller -n ingress-nginx -p '{"spec":{"externalIPs":["xxx.xxx.xxx.xxx"]}}'

    Here, xxx.xxx.xxx.xxx is the IP that the LB_HOST value resolves to.

  12. Update the load balancer settings to point to the correct ports of the ingress-nginx-controller service. Check the ingress-nginx-controller service ports by using the following command:

    kubectl -n ingress-nginx get svc

    Example output:

    $ kubectl -n ingress-nginx get svc
    NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP       PORT(S)                      AGE
    ingress-nginx-controller             LoadBalancer   10.43.43.12    XXX.XXX.XXX.XXX   80:31764/TCP,443:31864/TCP   24h
    ingress-nginx-controller-admission   ClusterIP      10.43.46.181   <none>            443/TCP                      24h
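
The full-chain requirement in the certificate step of both procedures can be checked before the secret is created. The following is an added example, not part of the original documentation; check_tls_material is a hypothetical helper name, and it assumes that "full chain" means the leaf certificate first, followed by at least one issuing CA certificate. It compares issuer and subject names only and does not verify signatures.

```shell
#!/bin/sh
# Added example (not from the product documentation): pre-flight check for the
# files passed to "create secret tls --cert=cert.pem --key=privkey.pem".
# Assumption: "full chain" = leaf certificate first, then its issuing CA(s).
# Usage: check_tls_material /path/to/cert.pem /path/to/privkey.pem

check_tls_material() {
    cert=$1; key=$2; rc=0
    work=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate: c1.pem (leaf), c2.pem, ...
    awk -v d="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/c" n ".pem") }' "$cert"
    count=$(ls "$work" | wc -l | tr -d ' ')

    # Public key of the first certificate and of the private key, as PEM text.
    leaf_pub=$(openssl x509 -in "$work/c1.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)

    if [ "$count" -lt 2 ]; then
        echo "FAIL: $count certificate(s) in $cert; leaf plus issuing CA expected"
        rc=1
    elif [ -z "$leaf_pub" ] || [ "$leaf_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the first certificate in $cert"
        rc=1
    else
        # Each certificate must name the next one in the file as its issuer.
        i=1
        while [ "$i" -lt "$count" ]; do
            issuer=$(openssl x509 -in "$work/c$i.pem" -noout -issuer_hash)
            next=$(openssl x509 -in "$work/c$((i + 1)).pem" -noout -subject_hash)
            if [ "$issuer" != "$next" ]; then
                echo "FAIL: certificate $i is not issued by certificate $((i + 1))"
                rc=1
            fi
            i=$((i + 1))
        done
    fi

    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "OK: $count certificates, key matches, leaf-first order"
    return "$rc"
}
```
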


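
To confirm that the mandatory settings from the configmap step of both procedures are in place after editing, the following added example (not part of the original documentation) reads the ConfigMap YAML on standard input and reports missing or different values. check_ingress_configmap and MANDATORY are hypothetical names; the sample invocation in the comment assumes kubectl access to the cluster.

```shell
#!/bin/sh
# Added example (not from the product documentation): drift check for the
# mandatory ingress-nginx ConfigMap settings listed in the procedures above.
# Sample invocation (placeholders as used on the page):
#   kubectl get cm <ingress_nginx_configmap> -n <ingress_nginx_namespace> -o yaml \
#     | check_ingress_configmap

# Mandatory key=value pairs, copied from the page.
MANDATORY='enable-underscores-in-headers=true proxy-body-size=250m
 server-name-hash-bucket-size=1024 ssl-redirect=false
 use-forwarded-headers=true worker-processes=40'

check_ingress_configmap() {
    # Prints one line per deviation; returns 0 only if every setting matches.
    awk -v want="$(echo $MANDATORY)" '
        BEGIN {
            n = split(want, pair, " ")
            for (i = 1; i <= n; i++) { split(pair[i], kv, "="); need[kv[1]] = kv[2] }
        }
        /^data:/ { in_data = 1; next }
        /^[^ ]/  { in_data = 0 }          # next top-level key ends the data map
        in_data && NF >= 2 {
            key = $1; sub(/:$/, "", key)
            val = $2; gsub(/"/, "", val)  # values may or may not be quoted
            got[key] = val
        }
        END {
            for (k in need) {
                if (!(k in got)) {
                    print "MISSING " k; bad = 1
                } else if (got[k] != need[k]) {
                    print "MISMATCH " k "=" got[k] " (expected " need[k] ")"; bad = 1
                }
            }
            exit bad + 0
        }'
}
```
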


 
