We Keep Coding

How to access an application/container from dns/hostname in k8s?

I have a k8s cluster where I deploy some containers.
The cluster is accessible at microk8s.hostname.internal.
At this moment I have an application/container deployed that is accessible here: microk8s.hostname.internal/myapplication with the help of a service and an ingress.
And this works great.
Now I would like to deploy another application/container but I would like it accessible like this: otherapplication.microk8s.hostname.internal.
How do I do this?
Currently installed addons in microk8s:
aasa#bolsrv0891:/snap/bin$ microk8s status
microk8s is running
high-availability: no
addons:
enabled:
dashboard # (core) The Kubernetes dashboard
dns # (core) CoreDNS
helm # (core) Helm - the package manager for Kubernetes
helm3 # (core) Helm 3 - the package manager for Kubernetes
ingress # (core) Ingress controller for external access
metrics-server # (core) K8s Metrics Server for API access to service metrics
Update 1:
If I portforward to my service it works.
I have tried this ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: minimal-ingress
namespace: jupyter-notebook
annotations:
kubernetes.io/ingress.class: public
spec:
rules:
- host: jupyter.microk8s.hostname.internal
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jupyter-service
port:
number: 7070
But I cant access it nor ping it. Chrome says:
jupyter.microk8s.hostname.internal’s server IP address could not be found.
My service looks like this:
apiVersion: v1
kind: Service
metadata:
name: jupyter-service
namespace: jupyter-notebook
spec:
ports:
- name: 7070-8888
port: 7070
protocol: TCP
targetPort: 8888
selector:
app: jupyternotebook
type: ClusterIP
status:
loadBalancer: {}
I can of course ping microk8s.hostname.internal.
Update 2:
The ingress that is working today that has a context path: microk8s.boliden.internal/myapplication looks like this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: public
nginx.ingress.kubernetes.io/rewrite-target: /$1
name: jupyter-ingress
namespace: jupyter-notebook
spec:
rules:
- http:
paths:
- path: "/jupyter-notebook/?(.*)"
pathType: Prefix
backend:
service:
name: jupyter-service
port:
number: 7070
This is accessible externally by accessing microk8s.hostname.internal/jupyter-notebook.

To do this you would have to configure a kube service, kube ingress and the configure your DNS.
Adding an entry into the hosts file would allow DNS resolution to otherapplication.microk8s.hostname.internal
You could use dnsmasq to allow for wildcard resolution e.g. *.microk8s.hostname.internal
You can test the dns reoslution using nslookup or dig

You can copy the same ingress and update name of it and Host inside it, that's all change you need.
For ref:
kind: Ingress
metadata:
name: second-ingress <<- make sure to update name else it will overwrite if the same
spec:
rules:
- host: otherapplication.microk8s.hostname.internal
http:
paths:
- path: /
backend:
serviceName: service-name
servicePort: service-port
You can create the subdomain with ingress just update the Host in ingress and add the necessary serviceName and servicePort to route traffic to specific service.
Feel free to append the necessary fields, and annotation if any to the above ingress from the existing ingress which is working for you.
If you are running it locally you might have to map the IP to the subdomain locally in /etc/hosts file
/etc/hosts
otherapplication.microk8s.hostname.internal <IP address>

ERR_CONNECTION_TIMED_OUT kubernetes minikube service

I am getting ERR_CONNECTION_TIMED_OUT when trying to access minikube service in localhost.
apiVersion: apps/v1
kind: Deployment
metadata:
name: identityserver
spec:
selector:
matchLabels:
app: identityserver
template:
metadata:
labels:
app: identityserver
spec:
containers:
- name: identityserver
image: identityserver:0
ports:
- containerPort: 5001
imagePullPolicy: "Never"
I have created service as following.
apiVersion: v1
kind: Service
metadata:
name: identityserver
spec:
type: NodePort
selector:
app: identityserver
ports:
- port: 5001
nodePort: 30002
I am trying to load in my local browser using following command. But it is not getting accessible in localhost. Internal kubernetes apps are able to communicate with service but not externally.
minikube service identityserver
I tried making type as clusterip and then it worked with port forwarding and only nodeport is having issue accessing.
kubectl port-forward service/identityserver 18080:5001 --address 0.0.0.0

This seems to be an issue with the Docker driver. I was able to run this with VirtualBox driver.
So I just had to start using VirtualBox driver (Even though virtualization was enabled in my machine it was giving an error. so had to append the --no-vtx-check flag, you can skip that if not facing an error without that flag)
minikube start --driver=virtualbox --no-vtx-check

There are several ways of trying minikube on Windows + docker:
Docker Desktop app (with Enable Kubernetes option)
Docker Desktop app (without enabling Kubernetes option) and installing minikube to wsl2
No Docker Desktop at all, installing docker and minikube in wsl2
Let's test it with the link you gave in comments - Set up Ingress on Minikube with the NGINX Ingress Controller.
Docker Desktop v.20.10.12 (with Enable Kubernetes option v.1.22.5), Win10, wsl2 backend.
Enable Kubernetes in Docker Desktop.
Check if ingress-controller is installed:
$ kubectl get pods -n ingress-nginx
The output should be similar to:
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-g9g49 0/1 Completed 0 11m
ingress-nginx-admission-patch-rqp78 0/1 Completed 1 11m
ingress-nginx-controller-59b45fb494-26npt 1/1 Running 0 11m
Create a Deployment using the following command:
kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0
Expose the Deployment:
kubectl expose deployment web --type=NodePort --port=8080
Create example-ingress.yaml from the following file:
$ kubectl apply -f example-ingress.yaml
$ cat example-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
ingressClassName: nginx # this line is essential!
rules:
- host: hello-world.info
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 8080
Verify the IP address is set:
NAME CLASS HOSTS ADDRESS PORTS AGE
example-ingress <none> hello-world.info localhost 80 38s
Add the following line to the bottom of the C:\Windows\System32\drivers\etc\hosts file on your computer (you will need administrator access):
127.0.0.1 hello-world.info
DONE. Open hello-world.info in a browser.
How to access the NodePort service? In C:\Windows\System32\drivers\etc\hosts find these lines:
# Added by Docker Desktop
192.168.1.179 host.docker.internal
192.168.1.179 gateway.docker.internal
Use this IP and node port: curl 192.168.1.179:portNumber

Why these ingress rules don't expose a service to outside? (NET::ERR_CERT_AUTHORITY_INVALID/ERR_TOO_MANY_REDIRECTS)

I'm trying to setup and expose a service (ArgoCD) to outside a cluster. Note: I'm fairly new to Kubernetes, so quite probably I have some misconceptions. If you can see one, please help me get rid of it. If more information is needed to diagnose what's happening, please let me know, I'll add it.
I have nginx-ingress ingress controller installed in the cluster in the namespace nginx. I have installed ArgoCD via helm into argocd namespace*. kubectl get service -n argocd shows (omitting AGE column):
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
projectname-argocd-application-controller ClusterIP 10.100.249.133 <none> 8082/TCP
projectname-argocd-dex-server ClusterIP 10.100.80.187 <none> 5556/TCP,5557/TCP
projectname-argocd-redis ClusterIP 10.100.230.170 <none> 6379/TCP
projectname-argocd-repo-server ClusterIP 10.100.221.87 <none> 8081/TCP
projectname-argocd-server ClusterIP 10.100.22.26 <none> 80/TCP,443/TCP
As far as I understand, service projectname-argocd-server is the one I should expose to get ArgoCD WebUI. Trying to do so, I've created an ingress (based on docs):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-routing
spec:
rules:
- host: test2.projectname.org
http:
paths:
- path: /
pathType: Prefix # presumably may comment this out
backend:
service:
name: projectname-argocd-server
port:
number: 80
# this was added later while trying to figure the problem out
defaultBackend:
service:
name: projectname-argocd-server
port:
number: 80
ingressClassName: nginx
and applied it via kubectl apply -f routing.yaml -n argocd. Now I can see the ingress is created along with the one created by deployment of ArgoCD, and the output of kubectl get ing -A is (omitting AGE, and PORTS that are 80; <url> is url of LoadBalancer shown in AWS console):
NAMESPACE NAME CLASS HOSTS ADDRESS
argocd projectname-argocd-server nginx test.projectname.org <url>
argocd ingress-routing nginx test2.projectname.org <url>
By the way, kubectl get svc -n nginx shows that nginx-ingress-ingress-nginx-controller is LoadBalancer with url <url> (80:30538/TCP).
kubectl describe ingress -n argocd shows that ingress ingress-routing is ok, with correct address, default backend and rules; for ingress projectname-argocd-server it shows ok address and rules (path /), although Default backend is shown as default-http-backend:80 (<error: endpoints "default-http-backend" not found>).
Now let me also show the DNS settings to complete the picture:
I've created a hosted zone for projectname.org (in Route 53), put its DNS servers to NS-entries of domain register
I've created a CNAME entry in the hosted zone, pointing test.projectname.org to <url>
I've created an A entry for test2.projectname.org, selected the load balancer from the list and so it points to dualstack.<url>
I expected to see ArgoCD interface at least at one of http://test.projectname.org/ and http://test2.projectname.org/. What actually happens is:
when I open http://test.projectname.org/, it redirects me to https url and shows NET::ERR_CERT_AUTHORITY_INVALID. If I insist on visiting, browser shows ERR_TOO_MANY_REDIRECTS.
Before I added ingress class and moved ingress-routing from nginx namespace to argocd namespace, http://test2.projectname.org/ gave me 404; now it also redirects to https and then gives ERR_TOO_MANY_REDIRECTS
I've also checked the /healthz addresses but they give the same result as the / ones. (in contrast, http://<url>/healthz gives an empty page)
My question is: what else am I missing, why I don't get the UI?
Is it impossible to expose a service before setting some SSL certificate? Can 2 ingresses conflict when trying to expose the same thing on different subdomains (test.projectname.org and test2.projectname.org)? Can I see at least one service (ArgoCD) without using projectname.org to check if it is configured and deployed properly? (to separate if it's an ingress/routing/dns issue or a configuration issue)
(*) Here's the chart that I used to install ArgoCD:
apiVersion: v2
name: argo-cd
appVersion: v2.1.5
description: A declarative, GitOps continuous delivery tool for Kubernetes
version: 3.26.3
dependencies:
- name: argo-cd
version: 3.26.3
repository: https://argoproj.github.io/argo-helm
and values-overwrite.yaml that I've used is just default values wrapped into argo-cd: thing since these should be applied to the dependency. Notably, those have enabled: false in ingress:, so the fact that ingress projectname-argocd-server is created is somewhat unexpected.
PS the nginx IngressClass was generated, not created manually, so it may be useful to see it as well (I've substituted ids and timestamps with "..."), as shown by kubectl get IngressClass nginx -o yaml:
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
annotations:
meta.helm.sh/release-name: nginx-ingress
meta.helm.sh/release-namespace: nginx
creationTimestamp: ...
generation: 1
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: nginx-ingress
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/version: 1.0.3
helm.sh/chart: ingress-nginx-4.0.5
name: nginx
resourceVersion: "5750"
uid: ...
spec:
controller: k8s.io/ingress-nginx

Right, the issue was somewhat complicated, but I've figured it out. Basically, it consists of 2 problems:
https configuration and
ingress configuration
The main problem about https configuration was solved in a separate question and is reduced to switching ACME server from staging to production. I've provided more details it in my answer.
Now, the ingress configuration is somewhat tricky since ArgoCD has some redirections, ~inner TLS requirements~, and also serves more than one protocol at :443. Fortunately, I've found this tutorial which shows ssl-passthrough settings, more ingress annotations, including nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" which fixes the ERR_TOO_MANY_REDIRECTS error. Here's my ingress config which works fine with https set up (note also changes in port and tls secret):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-argocd-routing
namespace: argocd
annotations:
cert-manager.io/cluster-issuer: <cluster issuer name>
kubernetes.io/tls-acme: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
ingressClassName: nginx
tls:
- hosts:
- test2.projectname.org # switched to argocd. later
secretName: argocd-secret # do not change, this is provided by Argo CD
rules:
- host: test2.projectname.org # switched to argocd. later
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: projectname-argocd-server
port:
number: 443

Access service in remote Kubernetes cluster using ingress

I'm attempting to access a service in an existing kubernetes cluster deployed in a remote machine. I've configured the cluster to be accessible through kubectl from my local mac.
$ kubectl cluster-info
Kubernetes master is running at https://192.168.58.114:6443
KubeDNS is running at https://192.168.58.114:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
The ingress configuration for the service I want to connect is:
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
name: gw-ingress
namespace: vick-system
selfLink: /apis/extensions/v1beta1/namespaces/vick-system/ingresses/gw-ingress
uid: 52b62da6-01c1-11e9-9f59-fa163eb296d8
resourceVersion: '2695'
generation: 1
creationTimestamp: '2018-12-17T06:02:23Z'
annotations:
kubectl.kubernetes.io/last-applied-configuration: >
{"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/affinity":"cookie","nginx.ingress.kubernetes.io/session-cookie-hash":"sha1","nginx.ingress.kubernetes.io/session-cookie-name":"route"},"name":"gw-ingress","namespace":"vick-system"},"spec":{"rules":[{"host":"wso2-apim-gateway","http":{"paths":[{"backend":{"serviceName":"gateway","servicePort":8280},"path":"/"}]}}],"tls":[{"hosts":["wso2-apim-gateway"]}]}}
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/affinity: cookie
nginx.ingress.kubernetes.io/session-cookie-hash: sha1
nginx.ingress.kubernetes.io/session-cookie-name: route
spec:
tls:
- hosts:
- wso2-apim-gateway
rules:
- host: wso2-apim-gateway
http:
paths:
- path: /
backend:
serviceName: gateway
servicePort: 8280
status:
loadBalancer:
ingress:
- ip: 172.17.17.100
My list of services are:
My /etc/hosts file looks like below:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
172.17.17.100 wso2-apim-gateway wso2-apim wso2sp-dashboard
What is the URL I should use to access this service from my local browser? Should I do any more configurations?

The easiest way to access this would be a port-forward, which requires no modification of your hosts file.
kubectl -n vick-system port-forward svc/wso2sp-dashboard 9643
This will allow you to browse to http://localhost:9643 and access that service.
Please note, the svc/name syntax is only supported in kubectl >= 1.10

kubernetes: access Ingress within a Pod

I have an Ingress object set up to route traffic to the appropriate Service based on the Url path. I would like to access/expose this Ingress object within another Pod. I'm wondering if this is possible?
I tried to set up a Service on the Ingress but that didn't seem to work.

So, for whatever reason (ssr, lots of microservices, etc) you want to access k8s resources using their ingress path mapping, instead of calling each service by its internal name.
For example, you have an ingress config like that:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-service
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/use-regex: 'true'
spec:
rules:
- host: example.com
http:
paths:
- path: /api/users/?(.*)
backend:
serviceName: auth-service
servicePort: 80
- path: /api/cart/?(.*)
backend:
serviceName: cart-service
servicePort: 80
and you want to access auth-service using http://example.com/api/auth instead of http://auth-service.
All you have to do is replace domain part (example.com in our case) with ingress service url. It depends on your configuration and environment, but usually it looks like http://[SERVICE_NAME].[NAMESPACE], for example:
GCP - http://ingress-nginx-controller.ingress-nginx
Helm ingress nginx - http://my-release-ingress-nginx-controller (here we are
using only service name part, because helm installs ingress in
default namespace)
Minikube - if you are using minikube ingress
addon, then you might run into problem where you cannot access
ingress, then just use helm version. (dont disable ingress addon - just install helm version alongside of it)
Get namespaces: kubectl get namespaces
Get service names inside namespace kubectl get services -n [NAMESPACE].

If you have assigned a host name, you also have to provide the domain name and IP address of the cluster to the /etc/hosts file. When you access a service via Ingress from outside the cluster, this is the file that is consulted for host name resolution.
However, a pod running inside a cluster does not have access to this /etc/hosts file. It has its own /etc/hosts file. To use ingress, the pod needs to have the same domain name and IP address entry in it's own /etc/hosts file.
To achieve this, you have to use hostAliases. Here's a sample of how that works:
apiVersion: v1
kind: Pod
metadata:
...
spec:
hostAliases:
- ip:<IP address>
hostnames:
- <host name>
For more detail on hostAliases, go to this link

I have spend so much time on this issue. I found very simple solution. I am using Mac Docker Desktop 3.3.1.
My Kubernetes Version: 1.19.7
I am trying to access UI URL from another pod running in the cluster.
My UI Service
apiVersion: v1
kind: Service
metadata:
name: my-ui-service
spec:
type: LoadBalancer
selector:
app: my-ui
ports:
- protocol: TCP
port: 8080
targetPort: 8080
Ingress for the service
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-ingress
spec:
rules:
- host: my-site.com
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: my-ui-service
port:
number: 8080
I have used NGINX Ingress Controller.
Command to run the Ingress Controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.48.1/deploy/static/provider/cloud/deploy.yaml
Once the controller is ready run the command to see the status of ingress.
kubectl get ingress
Now see the description of the ingress:
kubectl describe ingress my-ingress
Here you will find
Rules:
Host Path Backends
---- ---- --------
my-site.com
/ my-ui-service:8080 (10.1.2.198:8080)
In any pod in the cluster you can access the domain my-site.com by using my-ui-service:8080.

Inside your cluster your pods use services to reach other pods.
From outside the cluster a client may use ingress to reach services.
Ingress resource allows connection to services.
So your pod need to be reachable by a service (my-svc-N in the following example), which you're going to use in your ingress definition.
Take a look at this example:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: example-ing
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
backend:
serviceName: default-http-backend
servicePort: 80
rules:
- host: my-kube.info
http:
paths:
- path: /
backend:
serviceName: my-svc-1
servicePort: 80
- host: cheeses.all
http:
paths:
- path: /aaa
backend:
serviceName: my-svc-2
servicePort: 80
- path: /bbb
backend:
serviceName: my-svc-3
servicePort: 80