kong ingress controller with user-specified loadbalancerIP - kubernetes

I have an AKS cluster and I want to install a Kong ingress controller with my pre-existing IP address, but I can't find a way to set this value when installing with Helm.
In the values.yaml file, I didn't find any loadBalancerIP value that can be set, but in the _helpers.tpl file, I found some mention of the loadBalancerIP field, but I didn't understand how to pass a value to this file.
thanks

you can just do this:
helm template kong/kong --generate-name --set proxy.loadBalancerIP="yourIP"

Related

ingress-nginx tls not working on AKS when deployed in separate namespace - Ingress is looking for the cert secret in the wrong namespace

I have an ingress-nginx controller installed through helm in a namespace called nginx
My services run in the default namespace
I have a SecretProviderClass in the nginx namespace, which is referenced from the nginx controller yaml in the nginx namespace.
When I deploy an Ingress resource into the default namespace, and I go into the logs of the controller pod, I see
W0930 13:57:10.224167 7 backend_ssl.go:47] Error obtaining X.509 certificate: no object matching key "default/ingress-tls-csi" in local store
Clearly it is looking in the wrong namespace for the secret.
What is the right way to handle this? I have tried to duplicate the SecretProviderClass in the default namespace but it doesn't seem to be creating the secret. I have also tried to point my Ingress to nginx/ingress-tls-csi instead of just ingress-tls-csi but it complains about changing an immutable field when I try to deploy that even if I delete the Ingress resource first.
The docs I am referencing are https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-nginx-tls
Conveniently there they are using the same namespace for the services and the controller. I'd prefer not to do that as the controller needs privilege escalation and I don't want to allow that in the namespace my services run in.
We solve a similar problem using reflector:
https://github.com/EmberStack/kubernetes-reflector
It is a Kubernetes addon that keeps ConfigMaps and Secrets in sync across namespaces.
Install reflector and add the following annotations to the secret you need to have available in the default namespace:
reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "default"
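
An added example (not part of the original answer or of the reflector project): a Python audit over `kubectl get secrets -A -o json` output that flags secrets whose reflector annotations let them be mirrored into more namespaces than intended, which matters when the mirrored object is a TLS private key. It assumes, per the reflector README, that a missing or empty reflection-allowed-namespaces annotation permits every namespace and that list entries may be regular expressions; the sample data and the `audit_reflection` name are constructed here.

```python
import json
import re

PREFIX = "reflector.v1.k8s.emberstack.com/"
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]*[a-z0-9])?")  # a literal namespace name

def _secret(ns, name, kind, **ann):
    """Build one constructed Secret entry (metadata only, no key material)."""
    return {"type": kind, "metadata": {"namespace": ns, "name": name,
            "annotations": {PREFIX + k.replace("_", "-"): v for k, v in ann.items()}}}

# Constructed sample shaped like `kubectl get secrets -A -o json`; not real cluster data.
SAMPLE = json.dumps({"items": [
    _secret("nginx", "ingress-tls-csi", "kubernetes.io/tls",
            reflection_allowed="true", reflection_allowed_namespaces="default"),
    _secret("nginx", "wildcard-tls", "kubernetes.io/tls", reflection_allowed="true"),
    _secret("nginx", "db-creds", "Opaque",
            reflection_allowed="true", reflection_allowed_namespaces="default,team-.*"),
    _secret("nginx", "unshared", "Opaque"),
]})

def audit_reflection(secret_list_json, expected_namespaces):
    """Return (namespace/name, finding) pairs for secrets shareable beyond expected_namespaces."""
    findings = []
    for item in json.loads(secret_list_json)["items"]:
        meta = item["metadata"]
        ann = meta.get("annotations") or {}
        if ann.get(PREFIX + "reflection-allowed", "").lower() != "true":
            continue  # reflector will not mirror this secret at all
        key = f"{meta['namespace']}/{meta['name']}"
        raw = ann.get(PREFIX + "reflection-allowed-namespaces", "").strip()
        if not raw:
            findings.append((key, "no namespace restriction: every namespace may mirror it"))
            continue
        for entry in filter(None, (e.strip() for e in raw.split(","))):
            if not DNS_LABEL.fullmatch(entry):
                findings.append((key, f"pattern {entry!r} may match unintended namespaces"))
            elif entry not in expected_namespaces:
                findings.append((key, f"namespace {entry!r} is not on the allow-list"))
    return findings

if __name__ == "__main__":
    for key, finding in audit_reflection(SAMPLE, {"default"}):
        print(f"{key}: {finding}")
```

With the annotations from the answer above (`reflection-allowed-namespaces: "default"`) and `{"default"}` as the allow-list, the secret produces no finding.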

How can I migrate an ingress from a helm chart to terraform without deleting the resource during deployment

I have a custom application helm chart with an ingress object which is deployed in production.
Now I need to migrate the ingress source code object from the helm chart to terraform to give control over the object to another team.
Technically no problem with accepting a downtime.
But I want to keep the ingress object from being undeployed by the helm chart during deployment as there is a letsencrypt certificate attached to it.
So is there a possibility to tell helm to keep the ingress object when I remove the ingress in the source of the helm chart during helm upgrade?
Found the answer myself in the helm annotations. https://helm.sh/docs/howto/charts_tips_and_tricks/#tell-helm-not-to-uninstall-a-resource
That means you deploy the ingress again via helm chart with the annotation "helm.sh/resource-policy": keep.
Then you remove the ingress from the helm chart and redeploy it.
Now the ingress is still deployed in kubernetes but not anymore under control of the helm release.
Next step is to model/code the ingress in terraform and import the resource via terraform import.
Last step is to test with terraform plan if the imported resource corresponds completely with the coded ingress in terraform.
That's it.
You can just keep the helm chart as it is and add details into the terraform, I think it will work.
Terraform will run the plan and apply the helm release, and if you set the helm config to roll out, then in that case, if there are no changes, no update will get applied to resources like ingress, deployment, etc.
With terraform, you can use the Helm provider: https://registry.terraform.io/providers/hashicorp/helm/latest/docs

Helm Chart and Ingress domain name and SSL

I will create a helm repo for customers. But I'm wondering how you solved the ingress domain name and SSL parts.
Should I create a custom ingress yaml file for each customer?
Or should I set it as follows for each customer?
--set "ingress.hosts[0].host=yourhost.com,ingress.hosts[0].paths[0].path=/"

Failed to create nodeport error, after deploying ingress

I have an ingress defined as in the screenshot:
Screenshot
The 2 replicas of an Ingress server are not spinning due to the Failed to create NodePort error. Please advise.
Just like the error says. You are missing the NodePortPods CRD. It looks like that CRD existed at some point in time. But I don't see it anymore in the repo. You didn't specify how you deployed the ingress operator but you can make sure you install the latest.
helm repo add appscode https://charts.appscode.com/stable/
helm repo update
helm search repo appscode/voyager --version v13.0.0
# Generate the template to check or use helm install
# Use the right cloud provider for your cluster in cloudProvider=
helm template voyager-operator appscode/voyager --version v13.0.0 --namespace kube-system --no-hooks --set cloudProvider=baremetal
✌️

Traefik load balancer via helm chart does not route any traffic

I was trying to set up a traefik load balancer as an alternative LB for nginx-ingress. I used the helm chart from https://github.com/helm/charts/tree/master/stable/traefik and installed on my GKE cluster with rbac enabled since I use Kubernetes v1.12:
helm install --name traefik-lb --namespace kube-system --set rbac.enabled=true stable/traefik
My test application's ingress.yaml points to the new ingress class now:
kubernetes.io/ingress.class: "traefik"
What I've seen in the logs is that Traefik reloads its config all the time. I would also like to know if Traefik definitely needs a TLS cert to "just" route traffic.
> What I've seen in the logs is that traefik reloads its config all the time.

It should reload every time you change the Ingress resources associated with it (The Traefik ingress controller). If it reloads all the time without any change to your cluster, there may be an issue with Traefik itself or the way your cluster is set up.

> I would also like to know if traefik definitely needs a TLS cert to "just" route traffic.

No, it doesn't. This basic example from the documentation shows that you don't need TLS if you don't want to set it up.