Introduction
In the Kubernetes ecosystem, managing external access to services within your cluster is a critical task. While NGINX is a popular choice for Ingress controllers, Contour, an Envoy-based Ingress controller, offers a powerful alternative with its high performance, scalability, and deep integration with the Envoy proxy. In this post, weβll guide you through deploying Contour as an Ingress controller on your Kubernetes cluster.
What is Contour?
Contour is a Kubernetes-native Ingress controller that uses Envoy as its data plane. It provides advanced features such as dynamic service discovery, load balancing, and routing for your applications. With Contour, you gain fine-grained control over your traffic management, making it an excellent choice for modern microservices architectures.
Why Contour?
Contour bridges gaps found in other solutions by offering several key advantages:
Dynamic Configuration Updates: Contour dynamically updates Ingress configurations with minimal dropped connections, ensuring high availability and seamless transitions during changes.
Multi-Tenancy Support: It safely supports various types of Ingress configurations, making it ideal for multi-team Kubernetes clusters where different teams might have different requirements.
Broad Protocol Support: Contour supports multiple Ingress types, including Ingress/v1, HTTPProxy (a custom resource defined by Contour), and the emerging Gateway API, giving you flexibility in managing traffic.
Seamless Kubernetes Integration: Contour integrates cleanly with the Kubernetes object model, providing a native experience that leverages the full power of Kubernetes for traffic management.
Prerequisites
Before we begin, ensure you have the following:
A running Kubernetes cluster. (Minikube, AKS, EKS, GKE, or any other)
kubectl command-line tool configured to interact with your cluster.
Helm installed on your local machine.
Step 1: Deploy Contour with Helm
Contour can be deployed quickly using Helm. First, add the Contour Helm repository:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
Now, install Contour with the following command:
helm install contour bitnami/contour --namespace contour --create-namespace
Step 2: Verify the Installation
After the installation is complete, verify that the Nginx Ingress Controller is running:
Check Pods
kubectl get pods -n contour
Check Services
kubectl get svc -n contour
You should see an output indicating that the contour Ingress Controller pods are running and that a service of type LoadBalancer is available.
Step 3: Deploy an Nginx Pod
To demonstrate the functionality of the contour Ingress Controller, we'll deploy a simple Nginx pod and expose it using a service.
Deploy an NGINX Pod
Deploying a pod is straightforward with the kubectl run command. This command creates a deployment with a single NGINX pod.
kubectl run nginx-pod --image=nginx
Expose the NGINX Pod
To access the NGINX pod, you need to expose it. Letβs create a Service of type ClusterIP:
kubectl expose pod nginx-pod --port=80 --type=ClusterIP --name=nginx-service
Step 4: Create a Secret for the SSL Certificate
If you plan to use TLS with your Ingress resource, you need to create a Kubernetes Secret to store your SSL certificate and private key.
Convert SSL Certificate to Base64
First, convert your SSL certificate (tls.crt) and private key (tls.key) to base64:
cat tls.crt | base64
cat tls.key | base64
Create the Secret File:
Create a file named contour-tls-secret.yaml with the following content, replacing and with the actual base64 encoded values:
apiVersion: v1
kind: Secret
metadata:
name: example-tls
namespace: default
data:
tls.crt: <base64 encoded cert>
tls.key: <base64 encoded key>
type: kubernetes.io/tls
Deploy the Secret:
kubectl create -f contour-tls-secret.yaml
Step 5: Expose Your Application Using Ingress
Create an Ingress resource to expose your application, including TLS configuration:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: contour
spec:
tls:
- hosts:
- example.com
secretName: example-tls-secret
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
Apply the configuration:
kubectl apply -f example-ingress.yaml
Step 6: Use HTTPProxy for Advanced Routing and TLS
For more complex scenarios, create an HTTPProxy resource with TLS:
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: simple-httpproxy
namespace: default
spec:
virtualhost:
fqdn: example.com
tls:
secretName: example-tls-secret
routes:
- conditions:
- prefix: /
services:
- name: example-servic
port: 80
Apply the configuration:
kubectl apply -f example-httpproxy.yaml
Step 7: Verifying Ingress and HTTPProxy Resources
Once you've deployed the Ingress resource or HTTPProxy resource, you can verify their status using the following commands:
Check Ingress Resources:
kubectl get ingress
Check HTTPProxy Resources:
kubectl get httpproxy
Step 8: Configure DNS Entry
After deploying the Contour Ingress resource or the HTTPProxy resource, you need to map your domain name (e.g., example.com) to the external IP address of the Contour Ingress Controller's load balancer.
Get the Load Balancer IP:
Run the following command to get the external IP address
kubectl get svc contour-envoy --namespace contour
Update DNS Record:
Once you have the external IP address, update the DNS record for your domain to point to this IP address. This process will vary depending on your DNS provider, but generally, you will need to create an A record for example.com with the external IP address.
Conclusion
By following these steps, the Contour Ingress Controller is now successfully deployed in your Kubernetes cluster using Helm.
If you have any questions or encounter issues, feel free to comment below. Keep exploring Kubernetes and happy learning!
Top comments (0)