Illumina Innovates with Rancher and Kubernetes
By default, RKE deploys the NGINX ingress controller on all schedulable nodes.
Note: As of v0.1.8, only workers are considered schedulable nodes, but prior to v0.1.8, worker and controlplane nodes were considered schedulable nodes.
RKE will deploy the ingress controller as a DaemonSet with hostnetwork: true, so ports 80, and 443 will be opened on each node where the controller is deployed.
hostnetwork: true
80
443
The images used for ingress controller is under the system_images directive. For each Kubernetes version, there are default images associated with the ingress controller, but these can be overridden by changing the image tag in system_images.
system_images
If you only wanted ingress controllers to be deployed on specific nodes, you can set a node_selector for the ingress. The label in the node_selector would need to match the label on the nodes for the ingress controller to be deployed.
node_selector
nodes: - address: 1.1.1.1 role: [controlplane,worker,etcd] user: root labels: app: ingress ingress: provider: nginx node_selector: app: ingress
You can disable the default controller by specifying none to the ingress provider directive in the cluster configuration.
none
provider
ingress: provider: none
For the configuration of NGINX, there are configuration options available in Kubernetes. There are a list of options for the NGINX config map , command line extra_args and annotations.
ingress: provider: nginx options: map-hash-bucket-size: "128" ssl-protocols: SSLv2 extra_args: enable-ssl-passthrough: ""
When configuring an ingress object with TLS termination, you must provide it with a certificate used for encryption/decryption. Instead of explicitly defining a certificate each time you configure an ingress, you can set up a custom certificate that’s used by default.
Setting up a default certificate is especially helpful in environments where a wildcard certificate is used, as the certificate can be applied in multiple subdomains.
Prerequisites: Access to the cluster.yml used to create the cluster. The PEM encoded certificate you will use as the default certificate.
Prerequisites:
cluster.yml
Obtain or generate your certificate key pair in a PEM encoded form.
Generate a Kubernetes secret from your PEM encoded certificate with the following command, substituting your certificate for mycert.cert and mycert.key.
mycert.cert
mycert.key
kubectl -n ingress-nginx create secret tls ingress-default-cert --cert=mycert.cert --key=mycert.key -o yaml --dry-run=true > ingress-default-cert.yaml
Include the contents of ingress-default-cert.yml inline with your RKE cluster.yml file. For example:
ingress-default-cert.yml
addons: |- --- apiVersion: v1 data: tls.crt: [ENCODED CERT] tls.key: [ENCODED KEY] kind: Secret metadata: creationTimestamp: null name: ingress-default-cert namespace: ingress-nginx type: kubernetes.io/tls
Define your ingress resource with the following default-ssl-certificate argument, which references the secret we created earlier under extra_args in your cluster.yml:
default-ssl-certificate
extra_args
ingress: provider: "nginx" extra_args: default-ssl-certificate: "ingress-nginx/ingress-default-cert"
Optional: If you want to apply the default certificate to ingresses in a cluster that already exists, you must delete the NGINX ingress controller pods to have Kubernetes schedule new pods with the newly configured extra_args.
kubectl delete pod -l app=ingress-nginx -n ingress-nginx