Deploying Nginx Plus Ingress Controller

NGINX Ingress Controller with App Protect support will be used as the ingress controller in our k3s environment.

You need a local registry set up and running.

Note

This is already installed in your lab deployment.

About NGINX Private Registry Access

You will need a valid NGINX private registry SSL certificate and private key to access the NGINX Plus software images.

To obtain the required files, log in to the MyF5 Customer Portal and download your trial SSL certificate & private key.

Download the SSL certificate & private key and save them on the APP node as nginx-repo.crt and nginx-repo.key inside the /home/ubuntu/setup directory.

Deployment Script

The script performs the following install steps:

  1. Pull images from NGINX private repo and push them to our local-registry

  2. Clone kubernetes-ingress from NGINX Git repository

  3. Deploy the manifests (namespace, service account, RBAC, CRDs)

  4. Patch the service account imagePullSecrets

  5. Update image name & enable app-protect in daemon-set/nginx-plus-ingress.yaml file

  6. Deploy the ingress controller & create the service

/home/ubuntu/setup/nic.sh deployment script

#!/bin/bash
#
# NGINX Plus Ingress Controller install script
#

if [[ -f "nginx-repo.crt" && -f "nginx-repo.key" ]]; then
  # client certificate and key that Docker presents to the NGINX private registry
  sudo mkdir -p /etc/docker/certs.d/private-registry.nginx.com
  sudo cp nginx-repo.crt /etc/docker/certs.d/private-registry.nginx.com/client.cert
  sudo cp nginx-repo.key /etc/docker/certs.d/private-registry.nginx.com/client.key
  # keep the private key readable by root only
  sudo chmod 600 /etc/docker/certs.d/private-registry.nginx.com/client.key

  # pulling nginx ingress image to local registry
  docker pull private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:3.2.0
  docker tag private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:3.2.0 local-registry:5000/nginx-ic-nap/nginx-plus-ingress:3.2.0
  docker push local-registry:5000/nginx-ic-nap/nginx-plus-ingress:3.2.0

  git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.2.0

  # stop here if the clone failed, so the manifests below are not applied from the wrong directory
  cd kubernetes-ingress/deployments || exit 1

  # create namespace and service account
  kubectl apply -f common/ns-and-sa.yaml

  # create RBAC
  kubectl apply -f rbac/rbac.yaml
  kubectl apply -f rbac/ap-rbac.yaml

  # default server secret, ConfigMap and IngressClass
  kubectl apply -f ../examples/shared-examples/default-server-secret/default-server-secret.yaml
  kubectl apply -f common/nginx-config.yaml
  kubectl apply -f common/ingress-class.yaml

  # create CRDs
  kubectl apply -f common/crds/k8s.nginx.org_virtualservers.yaml
  kubectl apply -f common/crds/k8s.nginx.org_virtualserverroutes.yaml
  kubectl apply -f common/crds/k8s.nginx.org_transportservers.yaml
  kubectl apply -f common/crds/k8s.nginx.org_policies.yaml
  kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml
  kubectl apply -f common/crds/appprotect.f5.com_aplogconfs.yaml
  kubectl apply -f common/crds/appprotect.f5.com_appolicies.yaml
  kubectl apply -f common/crds/appprotect.f5.com_apusersigs.yaml

  # patching service account
  kubectl patch serviceaccount nginx-ingress -n nginx-ingress -p '{"imagePullSecrets": [{"name": "local-registry-cred"}]}'

  # update image
  sed -i 's/image: nginx-plus-ingress:3.2.0/image: local-registry:5000\/nginx-ic-nap\/nginx-plus-ingress:3.2.0/g' daemon-set/nginx-plus-ingress.yaml

  # enable app protect (the leading "\ " keeps the argument aligned with its siblings)
  sed -i 's/#- -enable-app-protect$/\ - -enable-app-protect/g' daemon-set/nginx-plus-ingress.yaml

  # deploy ingress
  kubectl apply -f daemon-set/nginx-plus-ingress.yaml

  # KIC service
  kubectl apply -f service/nodeport.yaml
else
  echo "Required nginx-repo.crt and/or nginx-repo.key files not found" >&2
  exit 1
fi

Now, let’s execute the script. Make sure you’re on the APP node and that /home/ubuntu/setup is your working directory:

$ bash nic.sh
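
The two sed edits in nic.sh exit successfully even when their patterns match nothing, in which case the controller is deployed with the wrong image or with App Protect still commented out. The following is an added example, not part of the original nic.sh, that checks the edited manifest before it is applied; the sample manifest is a constructed, abridged stand-in for daemon-set/nginx-plus-ingress.yaml, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not part of nic.sh. The manifest below is a constructed,
# abridged stand-in for daemon-set/nginx-plus-ingress.yaml.

IMAGE='local-registry:5000/nginx-ic-nap/nginx-plus-ingress:3.2.0'

# Write the constructed sample manifest to FILE ($1).
make_sample() {
  cat > "$1" <<'EOF'
    spec:
      containers:
      - image: nginx-plus-ingress:3.2.0
        name: nginx-plus-ingress
        args:
          - -nginx-plus
         #- -enable-app-protect
         #- -enable-app-protect-dos
EOF
}

# The two sed edits exactly as nic.sh runs them, applied to FILE ($1).
patch_manifest() {
  sed -i 's/image: nginx-plus-ingress:3.2.0/image: local-registry:5000\/nginx-ic-nap\/nginx-plus-ingress:3.2.0/g' "$1"
  sed -i 's/#- -enable-app-protect$/\ - -enable-app-protect/g' "$1"
}

# Return 0 only if the single active image is the local-registry copy and
# -enable-app-protect is an active (uncommented) argument.
check_manifest() {
  local file="$1" rc=0 imgs
  imgs=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$file")
  [ "$imgs" = "$IMAGE" ] || { echo "unexpected image: ${imgs:-none}" >&2; rc=1; }
  grep -Eq '^[[:space:]]+- -enable-app-protect[[:space:]]*$' "$file" ||
    { echo "-enable-app-protect is not active" >&2; rc=1; }
  return "$rc"
}

# Demo: the check fails before the edits and passes after them.
demo() {
  local f
  f=$(mktemp) || return 1
  make_sample "$f"
  check_manifest "$f" 2>/dev/null && echo "before: ok" || echo "before: not ready"
  patch_manifest "$f"
  check_manifest "$f" && echo "after: ok" || echo "after: not ready"
  rm -f "$f"
}
demo
```

In nic.sh the same check would sit between the sed commands and kubectl apply -f daemon-set/nginx-plus-ingress.yaml, with the script exiting if it fails.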

Verify The Result

After the script finishes, let’s verify the deployment:

$ kubectl -n nginx-ingress get all -o wide
NAME                      READY   STATUS    RESTARTS        AGE   IP           NODE   NOMINATED NODE   READINESS GATES
pod/nginx-ingress-p9jx6   1/1     Running   6 (3h25m ago)   38h   10.42.0.47   app    <none>           <none>

NAME                    TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
service/nginx-ingress   NodePort   10.43.181.81   <none>        80:32160/TCP,443:32691/TCP   38h   app=nginx-ingress

NAME                           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE   CONTAINERS           IMAGES                                                      SELECTOR
daemonset.apps/nginx-ingress   1         1         1       1            1           <none>          38h   nginx-plus-ingress   local-registry:5000/nginx-ic-nap/nginx-plus-ingress:3.2.0   app=nginx-ingress

As you can see, the pod is running, and the service and daemonset are defined.

At this point, the ingress controller is ready to use.