Accessing our applications from the outside world
We don’t want every one of applications (Drupal, but also eventually others) to manage how they are exposed to the outside world, but rather all be exposed using the same IP and automatic encrypted URLs using wildcard subdomains.
Following the principle of separation of concerns, we don’t want to install LetsEncrypt, and manage domains and virtual hosts, for each application. Rather, we will put in place a traffic cop which will manage HTTPS encryption and, based on the requested domain and path, load up the application we want.
Kubernetes uses the term ingress to refer to a pathway from the outside world to the cluster. (If you did not understand this sentence, refer to the glossary!)
We will use Nginx to act as our traffic cop, also called reverse proxy, which means that it stands between the outside world and our applications. (A proxy is something else entirely, it is the opposite of a reverse proxy.)
Installing a traffic cop
Lucky for us, the Nginx ingress is just another helm chart, as described in the Kubernetes NGINX Ingress Controller installation guide:
helm upgrade --install traffic-cop ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx --create-namespace
After a few seconds you’ll see a bunch of output which we can ignore for now.
Now we can find out the public IP of the reverse proxy service (in Kubernetes, a service is basically a running application):
kubectl get services --namespace ingress-nginx | grep traffic-cop
# traffic-cop-nginx-ingress-controller LoadBalancer 10.245.137.97 <pending> 80:32524/TCP,443:30090/TCP 55s
# traffic-cop-nginx-ingress-default-backend ClusterIP 10.245.189.153 <none> 80/TCP 55s
We’re looking for the public IP of our service. In the above output, the public IP is still <pending>. After a minute or so the public IP should be assigned, so run kubectl again until you see it. For example:
kubectl get services --namespace ingress-nginx | grep traffic-cop
# traffic-cop-nginx-ingress-controller LoadBalancer 10.245.137.97 167.172.10.117 80:32524/TCP,443:30090/TCP 1m
# traffic-cop-nginx-ingress-default-backend ClusterIP 10.245.189.153 <none> 80/TCP 1m
In the above example, the public IP is 167.172.10.117. In your case, this will differ, of course. Trying to visit that IP on a webserver will result in an empty page with content like “default backend - 404”. This is because we haven’t yet told the reverse proxy how to direct traffic to specific services:
curl 167.172.10.117
# default backend - 404
This $10-a-month LoadBalancer is now all we need for all our applications, rather than one-per-application using the previous method. Don’t you just love saving money?