From 55c8d247a2f466d98a834892362ba00d4787ba7c Mon Sep 17 00:00:00 2001
From: Ahmed Sabbour <103856+sabbour@users.noreply.github.com>
Date: Wed, 3 Oct 2018 21:52:09 +0400
Subject: [PATCH] Updated Private ingress docs (#6)

* Updated private ingress docs
---
 Networking_PrivateIngress.md                  | 134 ++++++++++++++++++
 Operational_Excellence.md                     |   2 +-
 networking/internal_ingress_values.yaml       |   5 +
 .../sample_internal_ingress_deployment.yaml   |  52 +++++++
 4 files changed, 192 insertions(+), 1 deletion(-)
 create mode 100644 Networking_PrivateIngress.md
 create mode 100644 networking/internal_ingress_values.yaml
 create mode 100644 networking/sample_internal_ingress_deployment.yaml

diff --git a/Networking_PrivateIngress.md b/Networking_PrivateIngress.md
new file mode 100644
index 0000000..9889fb2
--- /dev/null
+++ b/Networking_PrivateIngress.md
@@ -0,0 +1,134 @@
+# Private ingress
+
+    > Running services with an ingress behind an internal load balancer
+
+Table of Contents
+=================
+
+* [Networking](./Networking.md)
+  * Private Ingress
+
+You may want to use an Ingress controller to expose services, because you want to use its HTTP Layer 7 load balancinc features, SSL terminations, etc. but do so over an internal IP without exposing it externally.
+
+An Ingress controller creates a Kubernetes Service in the background, so the trick here would be to create a new Ingress controller and annotate it to create a Service backed up by an Internal Azure Load Balancer.
+
+For this example, you're going to provision a new nginx ingress controller using Helm. You can take a look at the [stable/nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress) repository to figure out all the parameters but essentially, there are two important ones:
+
+1. `controller.ingressClass`: you'd want to set this to a value that you'll use later on, like `nginx-internal`
+1. `controller.service.annotations`: you'll use this to annotate the backing Kubernetes Service to use an internal load balancer.
+
+Create a [`values.yaml`](networking/internal_ingress_values.yaml) file with the content below:
+
+```yaml
+controller:
+  ingressClass: nginx-internal
+  service:
+    annotations:
+      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+```
+
+For RBAC-enabled AKS clusters run the command below:
+
+```sh
+helm install stable/nginx-ingress --name nginx-ingress-internal --namespace ingress-controllers -f values.yaml
+```
+
+For AKS clusters with RBAC disabled, run the command below:
+
+```sh
+helm install stable/nginx-ingress --name nginx-ingress-internal --namespace ingress-controllers -f values.yaml --set rbac.create=false
+```
+
+Wait for the new internal Azure Load Balancer to be provisioned and note the "external" IP, which is actually a private IP from your Virtual Network.
+
+```sh
+kubectl get services nginx-ingress-internal-controller  --namespace ingress-controllers -w
+
+NAME                                TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE
+nginx-ingress-internal-controller   LoadBalancer   10.0.167.34   10.240.0.66    80:30291/TCP,443:31842/TCP   31s
+```
+
+Deploy [the sample](networking/sample_internal_ingress_deployment.yaml) below. Notice the `ingress.class` used.
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: frontend
+  name: frontend
+spec:
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      containers:
+      - name: frontend
+        image: nginx:1.7.9
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: frontend
+  name: frontend-service
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: frontend
+  type: ClusterIP
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: nginx-internal
+  name: frontend-ingress
+spec:
+  rules:
+    - host: www.example.com
+      http:
+        paths:
+          - backend:
+              serviceName: frontend-service
+              servicePort: 80
+            path: /
+```
+
+Finally test by running a pod and using it to curl the internal ingress IP:
+
+```sh
+kubectl run -it --rm aks-ingress-test --image=debian
+```
+
+Install `curl` in the pod using `apt-get`:
+
+```sh
+apt-get update && apt-get install -y curl
+```
+
+Now use `curl` to access the internal IP of your ingress controller, providing the Host Header information as per the ingress specification. Note that your IP address may be different than the below:
+
+```
+curl -L http://10.240.0.66 -H "Host: www.example.com"
+```
+
+You should get the nginx welcome page
+
+```html
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome to nginx!</title>
+...
+```
\ No newline at end of file
diff --git a/Operational_Excellence.md b/Operational_Excellence.md
index 9c95772..fa94a85 100644
--- a/Operational_Excellence.md
+++ b/Operational_Excellence.md
@@ -42,7 +42,7 @@ Table of Contents
   * AKS master components
   * acs-engine
 * Networking
-  * Public and Private Ingresses
+  * [Private Ingress](Networking_PrivateIngress.md)
 * Identity and permissions
   * Azure RBAC roles
   * Kubernetes RBAC
diff --git a/networking/internal_ingress_values.yaml b/networking/internal_ingress_values.yaml
new file mode 100644
index 0000000..ab87699
--- /dev/null
+++ b/networking/internal_ingress_values.yaml
@@ -0,0 +1,5 @@
+controller:
+  ingressClass: nginx-internal
+  service:
+    annotations:
+      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
\ No newline at end of file
diff --git a/networking/sample_internal_ingress_deployment.yaml b/networking/sample_internal_ingress_deployment.yaml
new file mode 100644
index 0000000..c385303
--- /dev/null
+++ b/networking/sample_internal_ingress_deployment.yaml
@@ -0,0 +1,52 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: frontend
+  name: frontend
+spec:
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      containers:
+      - name: frontend
+        image: nginx:1.7.9
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: frontend
+  name: frontend-service
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: frontend
+  type: ClusterIP
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: nginx-internal
+  name: frontend-ingress
+spec:
+  rules:
+    - host: www.example.com
+      http:
+        paths:
+          - backend:
+              serviceName: frontend-service
+              servicePort: 80
+            path: /
\ No newline at end of file