
Private Cloud Console Setup (AWS)

Configure ExternalIngress to access Pangea services

This guide explains how to configure ExternalIngress in a Kubernetes cluster to expose Pangea services, enabling access to the console, APIs, and other services. You can learn more about the Pangea Console in its own documentation.

If you're familiar with this type of setup, the table below is all you need to proceed. Customize the BaseHost and Kubernetes service names as necessary for your deployment:

DNS Name                  Kubernetes Service             Port
login.<BaseHost>          pangea-cluster-authn           8001
console.<BaseHost>        pangea-cluster-console         80
api.console.<BaseHost>    pangea-cluster-puc-service     8000
*.<BaseHost>              pangea-cluster-gateway         8000

Follow this table to map your DNS names to Kubernetes services. If you need additional guidance or are unfamiliar with this setup, refer to the example configuration below.

Example Setup

The following steps provide an example setup for configuring ExternalIngress. Customize the provided YAML and steps to suit your environment.

Prerequisites

Before you start, ensure the following prerequisites are satisfied:

  1. Cluster setup: A Kubernetes cluster is already running and kubectl is configured to manage it.
  2. TLS certificates: You will need TLS certificates to secure your traffic.
  3. DNS management:
    • Use external-dns to automate DNS creation.
    • Alternatively, manually create DNS entries pointing to the load balancer.
  4. AWS security groups: Ensure security groups allow HTTP (port 80) and HTTPS (port 443) traffic.

Step 1: Obtain TLS certificates

Install Cert-Manager

  1. Install cert-manager in your cluster by applying the following YAML manifest:

     kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml

  2. Verify that cert-manager is running:

     kubectl get pods -n cert-manager

Note: Ensure all pods (such as cert-manager, cert-manager-cainjector, and cert-manager-webhook) are in a Running state.

Create a ClusterIssuer

  1. Create a ClusterIssuer resource that cert-manager will use to provision certificates. Replace your-email@example.com with your email address:

     apiVersion: cert-manager.io/v1
     kind: ClusterIssuer
     metadata:
       name: pangea-cluster-issuer
     spec:
       acme:
         server: https://acme-v02.api.letsencrypt.org/directory
         email: your-email@example.com
         privateKeySecretRef:
           name: pangea-cert-key   # Secret holding the ACME account key
         solvers:
           - dns01:
               # DNS-01 challenge via Route 53: cert-manager needs AWS credentials
               # permitted to change records in the hosted zone for your BaseHost
               route53:
                 region: us-east-1

  2. Apply the ClusterIssuer to your cluster:

     kubectl apply -f cluster-issuer.yaml

Annotate your ingress

Add the following annotation to your ingress configuration to specify the ClusterIssuer created above:

     annotations:
       cert-manager.io/cluster-issuer: pangea-cluster-issuer

(Optional) Manual certificate creation

If not using cert-manager, manually create your TLS certificates:

  1. Generate a certificate using your preferred certificate authority.
  2. Store the certificate in a Kubernetes secret:

     kubectl create secret tls pangea-tls --cert=/path/to/tls.crt --key=/path/to/tls.key -n pangea

  3. Reference this secret in your ingress configuration.

Step 2: Annotate the NGINX controller's service for AWS Load Balancer

To enable external traffic to reach the cluster, annotate the NGINX ingress controller's service with AWS Load Balancer-specific annotations. This ensures the service is exposed via an AWS Network Load Balancer (NLB):

     apiVersion: v1
     kind: Service
     metadata:
       name: nginx-ingress-controller
       annotations:
         service.beta.kubernetes.io/aws-load-balancer-type: nlb
         service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
         service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
         service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /health
         service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=3600,deregistration_delay.timeout_seconds=120
         service.beta.kubernetes.io/aws-load-balancer-ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
         # Example ARN; replace with your own web ACL if you use one (AWS WAF web ACLs associate with Application Load Balancers, not Network Load Balancers)
         service.beta.kubernetes.io/aws-load-balancer-wafv2-acl-arn: arn:aws:wafv2:us-west-2:180197846871:regional/webacl/dev-internal-waf/9266284f-73e8-4452-85e3-b0fbe6fc54e9
     spec:
       type: LoadBalancer
       ports:
         - port: 80
           targetPort: 80
         - port: 443
           targetPort: 443
       selector:
         app: nginx-ingress

Apply the updated service configuration:

     kubectl apply -f nginx-ingress-service.yaml
Note: These annotations are needed for proper functionality:

  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-path
    • Configures the load balancer to use the /health endpoint of each service for health checks.
  • service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    • Ensures the load balancer is publicly accessible and allows DNS entries to be created.

Step 3: Create an ExternalIngress configuration

This step defines the ingress resource that routes external traffic to the appropriate Pangea services in your Kubernetes cluster. The YAML example below performs the following:

  • Sets the ingress class: Specifies the use of the NGINX ingress controller.
  • TLS configuration: Lists the wildcard host and the api.console host explicitly (a Kubernetes wildcard host covers only one DNS label, so api.console.<BaseHost> is not covered by *.<BaseHost>) to ensure encrypted traffic, referencing a Kubernetes secret for certificates.
  • Sets up the host rules: Maps DNS names to Kubernetes services and their respective ports. For example:
    • api.console.pangea.example.com routes to the pangea-cluster-puc-service on port 8000.
    • console.pangea.example.com routes to the pangea-cluster-console on port 80.
    • login.pangea.example.com routes to the pangea-cluster-authn on port 8001.
    • Wildcard subdomains (*.pangea.example.com) route to pangea-cluster-gateway on port 8000.

Below is the full YAML configuration:

     apiVersion: networking.k8s.io/v1
     kind: Ingress
     metadata:
       name: pangea-cluster-ingress
       namespace: pangea # Same namespace as the Pangea services and the TLS secret
       annotations:
         cert-manager.io/cluster-issuer: pangea-cluster-issuer # Specifies the cert-manager ClusterIssuer for TLS
     spec:
       ingressClassName: nginx # Defines the ingress controller to be used
       tls:
         - hosts:
             - "*.pangea.example.com" # Wildcard host for single-label subdomains
             - "api.console.pangea.example.com" # Specific host for API traffic (not covered by the wildcard)
           secretName: pangea-cluster-tls # References the secret storing TLS certificates
       rules:
         - host: "api.console.pangea.example.com" # Routes API traffic
           http:
             paths:
               - path: /
                 pathType: Prefix
                 backend:
                   service:
                     name: pangea-cluster-puc-service
                     port:
                       number: 8000
         - host: "console.pangea.example.com" # Routes console traffic
           http:
             paths:
               - path: /
                 pathType: Prefix
                 backend:
                   service:
                     name: pangea-cluster-console
                     port:
                       number: 80
         - host: "login.pangea.example.com" # Routes login traffic
           http:
             paths:
               - path: /
                 pathType: Prefix
                 backend:
                   service:
                     name: pangea-cluster-authn
                     port:
                       number: 8001
         - host: "*.pangea.example.com" # Wildcard rule for other subdomains
           http:
             paths:
               - path: /
                 pathType: Prefix
                 backend:
                   service:
                     name: pangea-cluster-gateway
                     port:
                       number: 8000

Apply the configuration:

     kubectl apply -f pangea-ingress.yaml
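A pre-apply check for the Ingress above, written as an added example (not Pangea's own tooling): it confirms that every rule host is covered by a TLS host entry, remembering that a wildcard covers only one DNS label, and that each host maps to the service and port in the setup table. The Ingress is transcribed as a plain dict so the check runs without a cluster or a YAML library.

```python
def host_covered(host: str, pattern: str) -> bool:
    # A Kubernetes wildcard host matches exactly one DNS label: *.pangea.example.com
    # covers login.pangea.example.com but NOT api.console.pangea.example.com.
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                       # ".pangea.example.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label

# DNS name -> (service, port), transcribed from the setup table at the top of the page.
EXPECTED = {"login.{b}": ("pangea-cluster-authn", 8001),
            "console.{b}": ("pangea-cluster-console", 80),
            "api.console.{b}": ("pangea-cluster-puc-service", 8000),
            "*.{b}": ("pangea-cluster-gateway", 8000)}

def lint_ingress(ingress: dict, base_host: str) -> list:
    """Return problem strings; an empty list means the Ingress matches the table."""
    problems = []
    tls_hosts = [h for entry in ingress["spec"].get("tls", []) for h in entry["hosts"]]
    expected = {k.format(b=base_host): v for k, v in EXPECTED.items()}
    seen = set()
    for r in ingress["spec"]["rules"]:
        host = r["host"]
        seen.add(host)
        if not any(host_covered(host, t) for t in tls_hosts):
            problems.append(f"{host}: no TLS host covers it; NGINX would serve its default certificate")
        svc = r["http"]["paths"][0]["backend"]["service"]
        got = (svc["name"], svc["port"]["number"])
        if host not in expected:
            problems.append(f"{host}: not in the setup table")
        elif got != expected[host]:
            problems.append(f"{host}: routes to {got}, table expects {expected[host]}")
    problems.extend(f"{h}: no ingress rule" for h in sorted(expected.keys() - seen))
    return problems

def rule(host: str, service: str, port: int) -> dict:
    """Build one Ingress rule in the shape the YAML above loads as."""
    return {"host": host, "http": {"paths": [{"path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": service, "port": {"number": port}}}}]}}

# The page's Ingress transcribed as a Python dict (constructed for this example).
PAGE_INGRESS = {"spec": {
    "tls": [{"hosts": ["*.pangea.example.com", "api.console.pangea.example.com"],
             "secretName": "pangea-cluster-tls"}],
    "rules": [rule("api.console.pangea.example.com", "pangea-cluster-puc-service", 8000),
              rule("console.pangea.example.com", "pangea-cluster-console", 80),
              rule("login.pangea.example.com", "pangea-cluster-authn", 8001),
              rule("*.pangea.example.com", "pangea-cluster-gateway", 8000)]}}
```

Calling lint_ingress(PAGE_INGRESS, "pangea.example.com") returns an empty list; dropping the api.console entry from tls.hosts reports that host as uncovered.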

Step 4: Verify your setup

Once the ExternalIngress is configured:

  1. Wait for DNS propagation:
     • Confirm the DNS entries resolve to the load balancer's IP or hostname.
  2. Access the console and APIs:
     • Open a browser and navigate to https://console.<BaseHost>.
     • Use your login credentials to access the Pangea console.
  3. Test the APIs (keep $SERVICE_TOKEN in double quotes so the shell expands it):

     curl -X POST 'https://api.console.<BaseHost>/v1/ip/check' \
       -H "Authorization: Bearer $SERVICE_TOKEN" \
       -H 'Host: embargo.pangea.cloud' \
       -d '{"ip": "200.0.16.24"}'

Monitoring and troubleshooting

Use the following commands to debug your setup:

  • Check ingress and load balancer status:

     kubectl get ingress -n pangea
     kubectl describe ingress pangea-cluster-ingress -n pangea

  • Inspect logs:

     kubectl logs -n pangea -l app=pangea-ingress

  • Fix 403 errors caused by x-request-id headers:

    If the ingress controller injects its own x-request-id header, it can break authentication. Disable request-id generation in the controller's ConfigMap:

     kubectl apply -f <( kubectl get configmap -n ingress-nginx -o yaml ingress-nginx-controller | yq '.data.generate-request-id = "false"' )

    Then restart the ingress controller so the setting takes effect:

     kubectl rollout restart deployment ingress-nginx-controller -n ingress-nginx
