DEV Community

Cover image for Deploying and Managing Contour Ingress Controller on Kubernetes

Deploying and Managing Contour Ingress Controller on Kubernetes

Introduction

In the Kubernetes ecosystem, managing external access to services within your cluster is a critical task. While NGINX is a popular choice for Ingress controllers, Contour, an Envoy-based Ingress controller, offers a powerful alternative with its high performance, scalability, and deep integration with the Envoy proxy. In this post, we’ll guide you through deploying Contour as an Ingress controller on your Kubernetes cluster.

What is Contour?

Contour is a Kubernetes-native Ingress controller that uses Envoy as its data plane. It provides advanced features such as dynamic service discovery, load balancing, and routing for your applications. With Contour, you gain fine-grained control over your traffic management, making it an excellent choice for modern microservices architectures.

Image description

Why Contour?

Contour bridges gaps found in other solutions by offering several key advantages:

  • Dynamic Configuration Updates: Contour dynamically updates Ingress configurations with minimal dropped connections, ensuring high availability and seamless transitions during changes.

  • Multi-Tenancy Support: It safely supports various types of Ingress configurations, making it ideal for multi-team Kubernetes clusters where different teams might have different requirements.

  • Broad Protocol Support: Contour supports multiple Ingress types, including Ingress/v1, HTTPProxy (a custom resource defined by Contour), and the emerging Gateway API, giving you flexibility in managing traffic.

  • Seamless Kubernetes Integration: Contour integrates cleanly with the Kubernetes object model, providing a native experience that leverages the full power of Kubernetes for traffic management.

Prerequisites

Before we begin, ensure you have the following:

  • A running Kubernetes cluster. (Minikube, AKS, EKS, GKE, or any other)

  • kubectl command-line tool configured to interact with your cluster.

  • Helm installed on your local machine.

Step 1: Deploy Contour with Helm

Contour can be deployed quickly using Helm. First, add the Contour Helm repository:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
Enter fullscreen mode Exit fullscreen mode

Now, install Contour with the following command:

helm install contour bitnami/contour --namespace contour --create-namespace
Enter fullscreen mode Exit fullscreen mode

Step 2: Verify the Installation

After the installation is complete, verify that the Nginx Ingress Controller is running:

Check Pods

kubectl get pods -n contour
Enter fullscreen mode Exit fullscreen mode

Check Services

kubectl get svc -n contour
Enter fullscreen mode Exit fullscreen mode

You should see an output indicating that the contour Ingress Controller pods are running and that a service of type LoadBalancer is available.

Step 3: Deploy an Nginx Pod

To demonstrate the functionality of the contour Ingress Controller, we'll deploy a simple Nginx pod and expose it using a service.

Deploy an NGINX Pod
Deploying a pod is straightforward with the kubectl run command. This command creates a deployment with a single NGINX pod.

kubectl run nginx-pod --image=nginx
Enter fullscreen mode Exit fullscreen mode

Expose the NGINX Pod
To access the NGINX pod, you need to expose it. Let’s create a Service of type ClusterIP:

kubectl expose pod nginx-pod --port=80 --type=ClusterIP --name=nginx-service
Enter fullscreen mode Exit fullscreen mode

Step 4: Create a Secret for the SSL Certificate

If you plan to use TLS with your Ingress resource, you need to create a Kubernetes Secret to store your SSL certificate and private key.

Convert SSL Certificate to Base64

First, convert your SSL certificate (tls.crt) and private key (tls.key) to base64:

cat tls.crt | base64
cat tls.key | base64
Enter fullscreen mode Exit fullscreen mode

Create the Secret File:
Create a file named contour-tls-secret.yaml with the following content, replacing and with the actual base64 encoded values:

apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls

Enter fullscreen mode Exit fullscreen mode

Deploy the Secret:

kubectl create -f contour-tls-secret.yaml
Enter fullscreen mode Exit fullscreen mode

Step 5: Expose Your Application Using Ingress

Create an Ingress resource to expose your application, including TLS configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: contour
spec:
  tls:
  - hosts:
    - example.com
    secretName: example-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80

Enter fullscreen mode Exit fullscreen mode

Apply the configuration:

kubectl apply -f example-ingress.yaml
Enter fullscreen mode Exit fullscreen mode

Step 6: Use HTTPProxy for Advanced Routing and TLS

For more complex scenarios, create an HTTPProxy resource with TLS:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: simple-httpproxy
  namespace: default
spec:
  virtualhost:
    fqdn: example.com
    tls:
      secretName: example-tls-secret
  routes:
  - conditions:
    - prefix: /
    services:
    - name: example-servic
      port: 80

Enter fullscreen mode Exit fullscreen mode

Apply the configuration:

kubectl apply -f example-httpproxy.yaml
Enter fullscreen mode Exit fullscreen mode

Step 7: Verifying Ingress and HTTPProxy Resources

Once you've deployed the Ingress resource or HTTPProxy resource, you can verify their status using the following commands:

Check Ingress Resources:

kubectl get ingress
Enter fullscreen mode Exit fullscreen mode

Check HTTPProxy Resources:

kubectl get httpproxy
Enter fullscreen mode Exit fullscreen mode

Step 8: Configure DNS Entry

After deploying the Contour Ingress resource or the HTTPProxy resource, you need to map your domain name (e.g., example.com) to the external IP address of the Contour Ingress Controller's load balancer.

Get the Load Balancer IP:

Run the following command to get the external IP address

kubectl get svc contour-envoy --namespace contour
Enter fullscreen mode Exit fullscreen mode

Update DNS Record:

Once you have the external IP address, update the DNS record for your domain to point to this IP address. This process will vary depending on your DNS provider, but generally, you will need to create an A record for example.com with the external IP address.

Image description

Image description

Image description

Conclusion

By following these steps, the Contour Ingress Controller is now successfully deployed in your Kubernetes cluster using Helm.

If you have any questions or encounter issues, feel free to comment below. Keep exploring Kubernetes and happy learning!

Top comments (0)