This page collects a selection of examples to make getting started with lingress easier.
Note
Please refer to setup and configuration for better context.
Note
Usually an external load balancer is used. In those cases lingress is not connected directly to the clients. As a result, lingress sees the IP of the load balancer as the remote IP, not the IP of the client itself. To solve that, many load balancers implement the PROXY protocol, which is also supported by lingress.
To enable PROXY protocol support, we need to:
- Tell the load balancer to wrap the TCP connections accordingly. Be aware: each load balancer works differently, so consult its documentation.
- Tell lingress to evaluate them.
- With AWS EKS:
helm upgrade --install --atomic -n kube-system lingress echocat/lingress \
  --set-json 'service.annotations={"service.beta.kubernetes.io/aws-load-balancer-target-group-attributes":"proxy_protocol_v2.enabled=true"}' \
  --set-json 'controller.args=["--server.http.proxyProtocol.respect","--server.https.proxyProtocol.respect"]'
- With OVHcloud Managed Kubernetes:
helm upgrade --install --atomic -n kube-system lingress echocat/lingress \
  --set-json 'service.annotations={"service.beta.kubernetes.io/ovh-loadbalancer-proxy-protocol":"v2"}' \
  --set-json 'controller.args=["--server.http.proxyProtocol.respect","--server.https.proxyProtocol.respect"]'
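What the load balancer prepends to each connection once PROXY protocol v2 is enabled, as an added Go example (not lingress's own code): a minimal parser for the v2 header that recovers the client address. The function name, the sample bytes and the addresses in them are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Fixed 12-byte signature that opens every PROXY protocol v2 header.
var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")

// Constructed sample: client 203.0.113.7:51234 -> 10.0.0.5:443, then payload.
var sample = append(append([]byte{}, v2Signature...),
	0x21, 0x11, 0x00, 0x0c, // v2 + PROXY command, TCP over IPv4, 12 address bytes
	203, 0, 113, 7, 10, 0, 0, 5, // source address, destination address
	0xc8, 0x22, 0x01, 0xbb, // source port, destination port
	'G', 'E', 'T', ' ')

// ParseProxyV2 returns the client address announced in the header and the
// number of bytes to skip before the real payload starts.
func ParseProxyV2(b []byte) (src netip.AddrPort, n int, err error) {
	if len(b) < 16 || !bytes.Equal(b[:12], v2Signature) {
		return src, 0, errors.New("no PROXY v2 signature")
	}
	if b[12] != 0x20 && b[12] != 0x21 {
		return src, 0, errors.New("unsupported version or command")
	}
	n = 16 + int(binary.BigEndian.Uint16(b[14:16]))
	if len(b) < n {
		return src, 0, errors.New("truncated PROXY v2 header")
	}
	if b[12] == 0x20 { // LOCAL: sent by the balancer itself, no client address
		return src, n, nil
	}
	alen := map[byte]int{0x11: 4, 0x21: 16}[b[13]] // TCP over IPv4 / IPv6
	if alen == 0 || n-16 < 2*alen+4 {
		return src, 0, errors.New("unsupported family or short address block")
	}
	addr, _ := netip.AddrFromSlice(b[16 : 16+alen])
	port := binary.BigEndian.Uint16(b[16+2*alen:])
	return netip.AddrPortFrom(addr, port), n, nil
}

func main() {
	src, n, err := ParseProxyV2(sample)
	fmt.Println(src, n, err, string(sample[n:]))
}
```

The header is taken from whoever opens the connection, so a listener that respects it should only be reachable from the load balancer.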
Note
By default, lingress does NOT have any certificates for TLS configured. The following assumes that cert-manager is part of your cluster and manages certificates for you.
- Have cert-manager installed.
- Have a certificate inside your cluster, like:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-tls-ceritificate
  namespace: my-namespace
spec:
  dnsNames:
    - my-domain.org
  issuerRef:
    kind: ClusterIssuer
    name: my-issuer
  secretName: my-tls-ceritificate
  secretTemplate:
    labels:
      # This label will afterward be part of the created secret
      # and tells lingress to find these secrets.
      my-public-tls-certificates: "true"
- Configure lingress accordingly:
helm upgrade --install --atomic -n kube-system lingress echocat/lingress \
  --set-json 'controller.args=["--tls.secretLabelSelector=my-public-tls-certificates=true"]'
Note
By default lingress runs as a Deployment, which is a good default. You define the Helm value controller.replicas=<amount> and lingress runs with that number of replicas. Rolling updates also work out of the box. But in some scenarios you want each node to run its own instance. It can improve the latency of all requests.
helm upgrade --install --atomic -n kube-system lingress echocat/lingress \
--set-string 'controller.kind=DaemonSet'