To make AGILITY accessible from outside the cluster, various options can be used to expose the agility ClusterIP Kubernetes service. You can leverage the Kubernetes constructs that align with your predefined guidelines. The options covered below are an Ingress, a LoadBalancer service, and a NodePort service.
Consider your specific network infrastructure, cloud provider capabilities, and security requirements when choosing the appropriate method to expose AGILITY.
The agility ClusterIP Kubernetes service can be listed on a deployed environment as in the following example:
kubectl -n agility get svc agility
NAME      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
agility   ClusterIP   10.96.129.54   <none>        80/TCP    39d
This service is listening on port tcp/80 and its application protocol is HTTP.
ℹ️ Note: The HTTP protocol is not encrypted, and consequently there is no TLS termination on this service.
Whichever option is used, it is strongly recommended to declare the hostname used to access AGILITY. This is to avoid the Open Redirect vulnerability. The following sections include the cv.hostname value, which ensures the application is only accessible from the declared hostname.
The following ingress manifest is an example of how an ingress controller can be configured to expose AGILITY.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 256k
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
  name: agility
spec:
  ingressClassName: nginx
  rules:
  - host: agility.example.com
    http:
      paths:
      - backend:
          service:
            name: agility
            port:
              name: http
        path: /cv
        pathType: Prefix
  tls:
  - hosts:
    - agility.example.com
    secretName: agility.example.com-tls
The creation of this ingress manifest can be managed by the agility Helm chart.
Deploy the AGILITY application chart
Create an override values file (options available in the AGILITY chart):
cd agility-charts
cat <<EOF > agility-values-public-access.yaml
cv:
  hostname: agility.example.com
ingress:
  enabled: true
  hostname: agility.example.com
  tls: true
  existentSecret: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-buffer-size: 256k
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
EOF
ℹ️ When ingress.existentSecret is true, the TLS Kubernetes secret must have the following name: <ingress.hostname>-tls
Run the Helm command to deploy AGILITY:
helm --namespace agility upgrade --install --create-namespace agility ./agility --values agility-values-public-access.yaml
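A pre-deploy check for the override file above, added here as an example and not part of the AGILITY chart: it verifies that cv.hostname is declared, that it agrees with ingress.hostname, and prints the TLS secret name expected when ingress.existentSecret is true. The function names and the rule that both hostnames must match are assumptions based on this page's example, and the awk lookup only handles the simple two-level layout shown here.

```bash
# Pre-deploy check for an AGILITY override values file (added example, not part
# of the chart). Assumes the two-level layout used on this page: top-level
# sections (cv, ingress, service) with scalar keys indented by two spaces.

# yaml_get FILE SECTION KEY: print the scalar SECTION.KEY, or nothing if absent.
yaml_get() {
  awk -v sec="$2" -v key="$3" '
    /^[^ #]/ { insec = ($0 ~ ("^" sec ":")); next }   # a new top-level section
    insec && /^  [^ ]/ && $1 == (key ":") { v = $2; gsub(/"/, "", v); print v; exit }
  ' "$1"
}

# check_values FILE: fail if cv.hostname is missing or disagrees with the
# ingress host; on success print the TLS secret name that must already exist.
check_values() {
  cv_host=$(yaml_get "$1" cv hostname)
  if [ -z "$cv_host" ]; then
    echo "cv.hostname is not declared" >&2; return 1
  fi
  if [ "$(yaml_get "$1" ingress enabled)" = "true" ]; then
    ing_host=$(yaml_get "$1" ingress hostname)
    if [ "$ing_host" != "$cv_host" ]; then
      echo "ingress.hostname ($ing_host) differs from cv.hostname ($cv_host)" >&2
      return 2
    fi
    if [ "$(yaml_get "$1" ingress existentSecret)" = "true" ]; then
      echo "${ing_host}-tls"   # <ingress.hostname>-tls, per the note above
    fi
  else
    # LoadBalancer / NodePort expose the tcp/80 HTTP service directly.
    echo "no ingress: traffic to the service is unencrypted HTTP" >&2
  fi
}

# Constructed sample input (same keys as the override file on this page).
sample=$(mktemp)
cat > "$sample" <<'EOF'
cv:
  hostname: agility.example.com
ingress:
  enabled: true
  hostname: agility.example.com
  existentSecret: true
EOF
check_values "$sample"   # prints the secret name to create before helm upgrade
rm -f "$sample"
```

Run check_values against agility-values-public-access.yaml before the helm command; a non-zero exit status means the file should be corrected first.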
If it is desired to define the agility service as a load balancer type:
Deploy the AGILITY application chart
Create an override values file (options available in the AGILITY chart):
cd agility-charts
cat <<EOF > agility-values-public-access.yaml
cv:
  hostname: agility.example.com
service:
  type: LoadBalancer
EOF
Run the Helm command to deploy AGILITY:
helm --namespace agility upgrade --install --create-namespace agility ./agility --values agility-values-public-access.yaml
To consider:
The service.annotations object. This can be useful for certain environments that require annotations to manage LoadBalancer options.
The service.nodePorts.http section.
If it is desired to define the agility service as a node port type:
Deploy the AGILITY application chart
Create an override values file (options available in the AGILITY chart):
cd agility-charts
cat <<EOF > agility-values-public-access.yaml
cv:
  hostname: agility.example.com
service:
  type: NodePort
EOF
Run the Helm command to deploy AGILITY:
helm --namespace agility upgrade --install --create-namespace agility ./agility --values agility-values-public-access.yaml
To consider:
The service.annotations object. This can be useful for certain environments that require annotations to manage LoadBalancer options.
The service.nodePorts.http section.