Skip to content
This repository has been archived by the owner on Aug 25, 2021. It is now read-only.

add optional ingress resource #88

Closed
msarmstr opened this issue Dec 17, 2018 · 10 comments
Closed

add optional ingress resource #88

msarmstr opened this issue Dec 17, 2018 · 10 comments
Labels
enhancement New feature or request theme/ingress Related to ingress controllers

Comments

@msarmstr
Copy link

It would be nice if an ingress resource could optionally be configured for the ui, ideally with ability to configure labels, annotations, and TLS.

For example: how it's done in the prometheus-operator chart
@adilyse adilyse added the enhancement New feature or request label Feb 27, 2019
@adilyse
Copy link
Contributor

adilyse commented Feb 27, 2019

Hi @msarmstr,

We're still sorting out how Ingresses interact with Consul in Kubernetes, so I don't have a full answer for you. However, I just merged #105 that should allow a fair amount of flexibility in providing additional ways to configure the UI service to be accessed.

@zinref zinref mentioned this issue Mar 10, 2019
Closed
@lkysow lkysow added the theme/ingress Related to ingress controllers label Sep 19, 2019
@botzill
Copy link

botzill commented Oct 16, 2019

Hi.

Any updates on this issues?

@carpenike
Copy link

@adilyse -- looks like those changes enable annotations on a service, not the creation of an ingress object.

Suggest referencing a solution such as the one used by Minio:

https://github.com/helm/charts/blob/master/stable/minio/templates/ingress.yaml

This would allow for an ingress object to be created if the value is set. The actual ingress object is farily simple, mine is here:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: consul
  namespace: kube-system
  labels:
    app.kubernetes.io/name: consul
spec:
  rules:
  - host: consul.DOMAIN
    http:
      paths:
      - path: /
        backend:
          serviceName: consul-consul-ui
          servicePort: 80

I can pull together a PR if you guys would be willing to review it.

@hannahhearth
Copy link

The Consul team is looking for more feedback on the Consul Helm Chart. If any of you have 3 minutes, consider filling out our survey.

@jomcyp
Copy link

jomcyp commented Nov 6, 2020
edited
Loading

We have deployed Consul 1.8.4 using this helm chart ,which created a service for web-ui named as "consul-primary-ui" .To expose the ui we are creating the following ingress object , Unfortunately we are getting "404 page not found " .
Did any one try to make it work with ingress ?


apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: consul-primary-ui
  namespace: consul
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: consul-primary-ui
          servicePort: 443

@carpenike
Copy link

@jomcyp -- is the service port (443) correct? Is the consul service itself configured to do TLS?

@ishustava
Copy link
Contributor

Hey @jomcyp

I'm not sure that the /* is supported by ingress, unless this is something specific to traefik. It seems that you should either specify /ui as an exact path, which the path at which consul's UI is served, or expose all paths by using path of type pathPrefix with / prefix.

@jomcyp
Copy link

jomcyp commented Nov 10, 2020
edited
Loading

Thank you for the response
@carpenike Yes, We configured the service port as 443 for consul_primary_ui and TLS is enabled through helm chart.
see the service manifest below

kind: Service
apiVersion: v1
metadata:
  name: consul-primary-ui
  namespace: consul
  labels:
    app: consul
    app.kubernetes.io/managed-by: Helm
    chart: consul-helm
    component: ui
    heritage: Helm
    release: consul-cluster
  annotations:
    meta.helm.sh/release-name: consul-cluster
    meta.helm.sh/release-namespace: consul
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8501
  selector:
    app: consul
    component: server
    release: consul-cluster
  clusterIP: 172.20.15.4
  type: ClusterIP

I am able to access consul web ui with https , when i do kubectl port-forward at service level
kubectl port-forward svc/consul-primary-ui -n <consul-ns> 1234:443

@ishustava
I have tried with /* and /ui and / , but they all come back to 404 page not found .

Do we need to pass tls certificate through ingress object ? When I enabled tls with helm chart by default its using consul built-in CA to generate the certificates.

@ishustava
Copy link
Contributor

@jomcyp

I've just remembered that the Kubernetes ingress doesn't support TLS on the backend, meaning TLS termination has to be done at the ingress controller, and the traffic from ingress to the backend pod (in this case consul servers) is in plaintext. Here are the kubernetes docs that mention that.

I know that some ingress controllers, e.g. NGINX, allow TLS passthrough. I saw from your annotations that you're using traefik and found this blog that talks about how to enable TLS passthrough. Ultimately, you'd need to check with the specific ingress implementation on whether they support TLS passthrough or turn off TLS on the consul cluster.

@thisisnotashwin
Copy link

Addressed by #774

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement New feature or request theme/ingress Related to ingress controllers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@msarmstr @lkysow @carpenike @botzill @hannahhearth @ishustava @jomcyp @adilyse @thisisnotashwin