A git repo with Oracle Cloud Infrastructure recipes, tips and tricks.
This project is maintained by luisw19
The steps described in this page are based on this OCI page
1) Switch to default context.
First determine the name of the default context, run:
kubectl config view
Then take note of the name, user and cluster values under the "- contexts" section. Then run the following command to switch to it.
kubectl config use-context context-c3wczrxmftd
2) Grant the Kubernetes RBAC cluster-admin clusterrole to an OCI user based on the user's Oracle Cloud Identifier (OCID).
To obtain the OCID, open the OCI Console and click on the menu option Identity > Users. Then click on show under the username and take note of the OCID.
kubectl create clusterrolebinding sttc_admin --clusterrole=cluster-admin --user=ocid1.user.oc1..aaaaaaaazhciwyt5kooopvnovupyao7v7a73imsvxoqrb2omojbcvcxpgvrq
3) Create the NGINX ingress controller along with the Kubernetes RBAC roles and bindings:
First get the latest manifest file:
curl -O https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/mandatory.yaml
Then create the RBAC roles and Nginx ingress controller by running:
kubectl create -f mandatory.yaml
4) Now that the NGINX ingress controller has been created, run the following command to apply a Load Balancer service.
kubectl apply -f cloud-generic.yaml
kubectl get svc -n ingress-nginx
Repeat the above command until an EXTERNAL-IP is assigned. Note that this may take a few seconds, as the controller is creating an OCI load balancer, which is also visible in the OCI Console under Networking > Load Balancers.
If you later need to remove the ingress controller, delete the objects that were created for it:
kubectl delete -n ingress-nginx configmap nginx-configuration
kubectl delete -n ingress-nginx configmap tcp-services
kubectl delete -n ingress-nginx configmap udp-services
kubectl delete -n ingress-nginx serviceaccount nginx-ingress-serviceaccount
kubectl delete -n default clusterrole nginx-ingress-clusterrole
kubectl delete -n ingress-nginx role nginx-ingress-role
kubectl delete -n ingress-nginx rolebinding nginx-ingress-role-nisa-binding
kubectl delete -n default clusterrolebinding nginx-ingress-clusterrole-nisa-binding
kubectl delete -n ingress-nginx deployment nginx-ingress-controller
kubectl delete -n ingress-nginx service nginx-ingress-controller
5) Now that the ingress controller is installed, we can deploy a sample and then create an ingress.
As the sample also implements TLS security, the first step is to create the certificates.
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out httpbin.sample.crt -keyout httpbin.sample.key
When prompted enter further details as desired, for example:
Country Name (2 letter code) []:GB
State or Province Name (full name) []:Warwickshire
Locality Name (eg, city) []:Leamington
Organization Name (eg, company) []:HTTPBIN
Organizational Unit Name (eg, section) []:Sample
Common Name (eg, fully qualified host name) []:httpbin.sample
Email Address []:me@httpbin.sample
Once completed this should generate httpbin.sample.key and httpbin.sample.crt.
Note that in the example below we're creating a target namespace called httpbin-nginx, plus a context for it that reuses the user and cluster values noted in step 1.
kubectl create namespace httpbin-nginx
kubectl config set-context httpbin-nginx --user=user-c3wczrxmftd --cluster=cluster-c3wczrxmftd --namespace=httpbin-nginx
kubectl config use-context httpbin-nginx
Then create the secret in the target namespace:
kubectl create secret tls httpbin-secret --key httpbin.sample.key --cert httpbin.sample.crt
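A pre-flight check for the pair generated above, run before `kubectl create secret tls` (an added example, not part of the original recipe). The function names are this example's own; it confirms that the key belongs to the certificate, that the certificate covers the host the ingress will serve, and that it is not about to expire.

```shell
#!/bin/sh
# Added example: local checks on the TLS pair before it becomes a cluster
# secret. Function names are this example's own; only standard openssl
# subcommands are used.

cert_matches_key() {    # usage: cert_matches_key <crt> <key>
  # Compare the public key embedded in the certificate with the one
  # derived from the private key.
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

cert_covers_host() {    # usage: cert_covers_host <crt> <host>
  # -checkhost reports its verdict as text, so match on the message.
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

cert_valid_for() {      # usage: cert_valid_for <crt> <seconds>
  # -checkend exits non-zero when the certificate expires within <seconds>.
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

check_tls_pair() {      # usage: check_tls_pair <crt> <key> <host>
  cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  cert_covers_host "$1" "$3" || { echo "certificate does not cover $3" >&2; return 2; }
  cert_valid_for "$1" 86400 || { echo "certificate expires within 24 hours" >&2; return 3; }
}

# Usage with the files from this page:
#   check_tls_pair httpbin.sample.crt httpbin.sample.key httpbin.sample
```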
Now deploy the sample. First get the latest manifest file:
curl -O https://raw.githubusercontent.com/istio/istio/release-1.0/samples/httpbin/httpbin.yaml
Then apply the manifest:
kubectl apply -f httpbin.yaml
Verify that pods were created:
kubectl get pods
Then create the ingress:
kubectl create -f httpbin-ingress.yaml
Next, set the ingress host and ports as environment variables:
export INGRESS_HOST=$(kubectl -n ingress-nginx get service ingress-nginx -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
export INGRESS_PORT=$(kubectl -n ingress-nginx get service ingress-nginx -o jsonpath='{.spec.ports[?(@.name=="http")].port}')
export SECURE_INGRESS_PORT=$(kubectl -n ingress-nginx get service ingress-nginx -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
Check that the env variables were set correctly:
echo $INGRESS_HOST $INGRESS_PORT $SECURE_INGRESS_PORT
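The wait for an EXTERNAL-IP and the three exports above, combined into one guarded routine (an added example, not part of the original recipe). Function names are this example's own, and it assumes kubectl is pointed at the cluster; it polls until the load balancer IP appears and refuses to export empty or malformed values.

```shell
#!/bin/sh
# Added example: wait for the load balancer IP, then resolve both ports, and
# stop instead of exporting empty or malformed values. Function names are
# this example's own; the service name and jsonpath queries are the page's.

svc_field() {                  # usage: svc_field <jsonpath>
  kubectl -n ingress-nginx get service ingress-nginx -o jsonpath="$1" 2>/dev/null || true
}

is_ipv4() {                    # four dot-separated decimal octets, each <= 255
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

wait_for_external_ip() {       # usage: wait_for_external_ip [timeout_s] [interval_s]
  timeout=${1:-300}; interval=${2:-5}; waited=0
  while :; do
    ip=$(svc_field '{.status.loadBalancer.ingress[0].ip}')
    if is_ipv4 "$ip"; then printf '%s\n' "$ip"; return 0; fi
    [ "$waited" -ge "$timeout" ] && return 1
    sleep "$interval"; waited=$((waited + interval))
  done
}

resolve_ingress_endpoint() {   # usage: resolve_ingress_endpoint [timeout_s] [interval_s]
  INGRESS_HOST=$(wait_for_external_ip "$@") || {
    echo "no EXTERNAL-IP assigned to ingress-nginx" >&2; return 1; }
  INGRESS_PORT=$(svc_field '{.spec.ports[?(@.name=="http")].port}')
  SECURE_INGRESS_PORT=$(svc_field '{.spec.ports[?(@.name=="https")].port}')
  for port in "$INGRESS_PORT" "$SECURE_INGRESS_PORT"; do
    case $port in
      ''|*[!0-9]*) echo "port lookup failed" >&2; return 1 ;;
    esac
  done
  export INGRESS_HOST INGRESS_PORT SECURE_INGRESS_PORT
}
```

Calling `resolve_ingress_endpoint` with no arguments waits up to 300 seconds, polling every 5 seconds.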
Then make a simple test to verify that the ingress works for HTTP traffic:
As the certificate was created for the domain httpbin.sample, and the service also expects this domain, we need to tell curl to resolve httpbin.sample to $INGRESS_HOST.
curl -I -HHost:httpbin.sample \
--resolve httpbin.sample:$INGRESS_PORT:$INGRESS_HOST \
http://httpbin.sample:$INGRESS_PORT/headers
If successful, the result should be an HTTP/1.1 200 OK.
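Now using HTTPS. The --insecure flag skips certificate verification, which would otherwise fail because the certificate is self-signed; passing --cacert httpbin.sample.crt instead of --insecure makes curl verify the server against that certificate.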
curl -I --insecure \
-HHost:httpbin.sample \
--resolve httpbin.sample:$SECURE_INGRESS_PORT:$INGRESS_HOST \
https://httpbin.sample:$SECURE_INGRESS_PORT/headers
The result should be an HTTP/2 200.
To remove the sample, delete its namespace:
kubectl delete namespace httpbin-nginx
#### The following is a tip to troubleshoot the configuration by inspecting the Nginx config:
First find the ingress controller pod:
kubectl get pod -n ingress-nginx
Then use kubectl exec to read the Nginx config from that pod and save it locally:
kubectl -n ingress-nginx exec -it nginx-ingress-controller-56c5c48c4d-fstg5 -- cat /etc/nginx/nginx.conf > nginx.output