# Manage HTTPS traffic

# Create an HTTPS Ingress / Route

When working with plain Kubernetes deployments (or even Knative apps for that matter), you can create Ingress resources to specify Kubernetes-native HTTP traffic routing, for example:

```yaml
# new-route.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # these annotations will give us automatic Let's Encrypt integration with valid public certificates
    cert-manager.io/cluster-issuer: letsencrypt-contour
    ingress.kubernetes.io/force-ssl-redirect: "true"
    kubernetes.io/ingress.class: contour # "contour" is the default ingress class you should use
    kubernetes.io/tls-acme: "true"
  name: my-new-route
  namespace: demo
spec:
  tls:
  - hosts:
    - my-new-route.demo.kube-plus.cloud # hostname / route we want our app to be
    secretName: cf-env-tls
  rules:
  - host: my-new-route.demo.kube-plus.cloud # hostname / route we want our app to be
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: my-svc # Kubernetes "service" name to route traffic towards
            port:
              number: 80
```

```bash
$ kubectl -n demo get services

NAME     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
my-svc   ClusterIP   10.100.156.35   <none>        80/TCP    3d

$ kubectl -n demo apply -f new-route.yaml

$ kubectl -n demo get ingress

NAME           CLASS    HOSTS                                    ADDRESS                                                                      PORTS     AGE
my-new-route   <none>   my-new-route.demo.kube-plus.cloud   a33e7d797ce6249d9b7b51891b9286da-1068130475.eu-central-1.elb.amazonaws.com   80, 443   4m30s
```

After that your Kubernetes service, or rather the deployment and pods it points towards, will be reachable under the host as specified.

Check out the official documentation on Kubernetes Ingress for more `spec.rules` options.
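To confirm that a route like the one above really is HTTPS-only, the following added example (not part of the platform's own tooling) audits Ingress objects exported as JSON: every `spec.rules` host must be covered by a `spec.tls` host with a `secretName`, and the `force-ssl-redirect` annotation must be `"true"`. The function names and the embedded sample are constructed for illustration, and the wildcard handling goes beyond the single exact host shown on this page.

```python
import json
import sys

REDIRECT = "ingress.kubernetes.io/force-ssl-redirect"  # annotation from this page

def tls_covers(pattern, host):
    """Exact match, or a wildcard that covers exactly one leading DNS label."""
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return pattern == host

def audit_ingress(ing):
    """Return findings for one Ingress object; an empty list means it passed."""
    meta, spec = ing.get("metadata", {}), ing.get("spec", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    if (meta.get("annotations") or {}).get(REDIRECT) != "true":
        findings.append(f"{name}: HTTP is not redirected to HTTPS ({REDIRECT})")
    tls = spec.get("tls") or []
    if any(not entry.get("secretName") for entry in tls):
        findings.append(f"{name}: spec.tls entry without secretName")
    patterns = [h for entry in tls for h in entry.get("hosts") or []]
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if not host:
            findings.append(f"{name}: rule without host applies to every hostname")
        elif not any(tls_covers(p, host) for p in patterns):
            findings.append(f"{name}: host {host} is not listed under spec.tls")
    return findings

def audit(doc):
    """Accept one Ingress or the List that `kubectl get ingress -o json` returns."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for ing in items for f in audit_ingress(ing)]

# Constructed sample: the route from this page with the spec.tls host mistyped.
SAMPLE = {"kind": "Ingress",
          "metadata": {"name": "my-new-route", "namespace": "demo",
                       "annotations": {REDIRECT: "true"}},
          "spec": {"tls": [{"hosts": ["my-route.demo.kube-plus.cloud"],
                            "secretName": "cf-env-tls"}],
                   "rules": [{"host": "my-new-route.demo.kube-plus.cloud"}]}}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    sys.exit("\n".join(audit(doc)) or 0)  # findings go to stderr with exit code 1
```

Save the output of `kubectl -n demo get ingress -o json` to a file and pass its path as the first argument; without an argument the script audits the constructed sample.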

# Create an HTTPProxy resource

On the Swisscom Application Platform we provide Contour as a preinstalled Ingress controller that manages all this HTTP(S) traffic for you.

If you wish, you can also use the Contour-specific custom resource HTTPProxy instead of a plain Ingress.

```yaml
# very-basic-httproxy.yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  annotations:
    projectcontour.io/ingress.class: contour
  name: basic
  namespace: demo
spec:
  virtualhost:
    fqdn: my-httproxy.demo.kube-plus.cloud
  routes:
    - conditions:
      - prefix: /
      services:
        - name: my-svc
          port: 80
```

NOTE: Make sure you have set `projectcontour.io/ingress.class: contour` in `metadata.annotations`.

```bash
$ kubectl -n demo apply -f very-basic-httproxy.yaml

$ kubectl -n demo get httpproxy

NAME         FQDN
basic        my-httproxy.demo.kube-plus.cloud
```

Check out the official documentation on Contour HTTPProxy for more information.

# Add apps to system_domain

If you want to add additional components or apps under the system_domain you have to perform the steps described below.

  1. Deploy your app and service onto the kube+ cluster

    # my-demo-service.yaml
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: my-example
      namespace: example
    spec:
      ports:
      - port: 80
        targetPort: 8080
      selector:
        app: my-example
        app.kubernetes.io/name: my-example
    
  2. Configure your app as an entry under additional_system_components in the config.yml as described here.

    # config.yml
    additional_system_components:
    - name: my-example-app
      hostname: my-example
      endpoint: http://my-example.example.svc.cluster.local:80
    
  3. Re-deploy / update your kube+ with the new configuration as described here.

  4. Open your browser and go to the URL https://my-example.demo.kube-plus.cloud

Last Updated: 9/12/2022, 7:31:38 PM