August 15, 2023
|
5
min read

Kubernetes Ingress with ngrok and HashiCorp Consul

Scott McAllister

Providing public ingress to a HashiCorp Consul service mesh running in Kubernetes is a process that usually requires the configuration of multiple Ingress controllers, each handling various functions such as load balancing or authentication. ngrok reduces that complexity by providing all the necessary aspects of ingress in a single controller.

This blog post will show how easy it is to get your service mesh online. We’ll cover the highlights here. For step-by-step instructions check out the Ingress to services in a Consul Service Mesh on Kubernetes integration guide. To illustrate the powerful combination of using Consul, Kubernetes, and ngrok together let’s dive into a possible real-world scenario. 

Let’s suppose you have recently opened a coffee shop that has become quite popular thanks to its unique flavor and style. To better serve your customers you develop an application to allow for online ordering. The app uses a service-oriented architecture and implements Consul to better manage the communication and discovery of these services. 

Throughout development, you use the ngrok agent to get your application online for testing and getting feedback from customers. Afterall, you are no network engineer and don’t have the time to figure out how to quickly deploy your application for others to see. You run <code>ngrok http</code> and then point it at whatever port our Kubernetes cluster is exposing, and your application is online.

While the ngrok agent is easy, it is very temporary. Whenever you close the ngrok agent your application goes offline. This is fine during development, but not in production. Going live on production will require a much more permanent solution.

As you prepare for moving your application to production you successfully provision a Kubernetes cluster running Consul service mesh thanks to HashiCorp’s Consul and Kubernetes deployment guide. However, the additional work to create ingress and get the production application online is a task that proves to be daunting.

You know you have to configure network interfaces, load balancing, and authentication. And, you need to figure out how all those settings place nice with one another. While you search for solutions to accomplish all this network configuration you discover you can utilize ngrok in production with the ngrok Ingress Controller for Kubernetes. The ingress controller provides secure and consistent connectivity to your cluster while also taking care of load balancing and authentication. The controller follows the expected patterns of other Kubernetes controllers, like being managed through Helm as a Helm chart. In fact, it’s through Helm that you connect ngrok with Consul. 

To proxy traffic to your service, you simply add the ngrok Ingress Controller pods to the Consul service mesh by using pod annotations when you install the Helm chart. You’ll use the following two notations to enable the Consul Connect sidecar and allow outbound traffic to use the Consul mesh.

# This annotation is required to enable the Consul Connect sidecar injector
consul.hashicorp.com/connect-inject: "true"

# This is the CIDR of your Kubernetes API: `kubectl get svc kubernetes --output jsonpath='{.spec.clusterIP}'
consul.hashicorp.com/transparent-proxy-exclude-outbound-cidrs: "10.96.0.1/32"

 You add these notations as <code class="language-bash">--set</code> arguments when you install the ngrok-ingress-controller Helm chart. The <code class="language-bash">connect-inject</code> value uses a <code class="language-bash">set-string</code>, while the <code class="language-bash">transparent-proxy-exclude-outbound-cidrs</code> uses the <code class="language-bash">--set</code> argument. Everything put together, the install statement would look something like this.

helm install ngrok-ingress-controller ngrok/kubernetes-ingress-controller \
  --namespace consul \
  --set fullnameOverride=ngrok-ingress-controller \
  --set credentials.apiKey=$NGROK_API_KEY \
  --set credentials.authtoken=$NGROK_AUTHTOKEN \
  --set-string podAnnotations.consul\\.hashicorp\\.com/connect-inject=true \
  --set podAnnotations."consul\.hashicorp\.com/transparent-proxy-exclude-outbound-cidrs"="10.96.0.1/32"

With the Helm charts installed, you configure ngrok through a standard <code class="language-yaml">Ingress</code> definition like the one below.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-consul	
  namespace: consul
spec:	
  ingressClassName: ngrok	
  rules:	
    - host: codercoffee.ngrok.io
      http:			
        paths:			
        - path: /
          pathType: Prefix
          backend:          
            service:            
              name: frontend
              port:
                number: 3000      
        - path: /api
          pathType: Prefix
          backend:          
            service:            
              name: public-api            
              port:            	
                number: 8080

You specify <code class="language-yaml">ngrok</code> as the <code class="language-yaml">ingressClassName</code> and then apply some rules to provide ingress to your services. The value for <code class="language-yaml">host</code> is any domain you own. In this case, we’re using <code class="language-yaml">codercoffee.ngrok.io</code>. However, if you’re using at least a Personal plan for your ngrok account, you can also set up your own custom domain. You can find out how in our how to set up a custom domain guide. Next, there are settings for two paths, one for a front end service and another for the API. 

Now, when you launch your cluster, the ngrok Ingress Controller initiates a secure and persistent outbound TLS connection to ngrok’s Cloud Edge platform. Your cluster sends the configuration requirements from your manifest file and then ngrok sets up your configuration across all of our global points of presence in seconds. 

That’s all you need to get your application online. And, thanks to ngrok, you can run your Kubernetes cluster in any environment–on your laptop, on a server at the coffee shop, or in a cloud provider–and you won’t need to change any of your network settings. 

As mentioned earlier, this story only highlighted some of the benefits of running the ngrok Ingress Controller for Kubernetes alongside HashiCorp’s Consul. For a detailed guide, with step-by-step instructions on how to set up the ngrok Ingress Controller with Kubernetes and a Consul service mesh, take a look at the Ingress to services in a Consul Service Mesh on Kubernetes integration guide. 

Share this post
Scott McAllister
Scott McAllister is a Developer Advocate for ngrok. He has been building software in several industries for over a decade. Now he's helping others learn about a wide range of web technologies and incident management principles. When he's not coding, writing or speaking he enjoys long walks with his wife, skipping rocks with his kids, and is happy whenever Real Salt Lake, Seattle Sounders FC, Manchester City, St. Louis Cardinals, Seattle Mariners, Chicago Bulls, Seattle Storm, Seattle Seahawks, OL Reign FC, St. Louis Blues, Seattle Kraken, Barcelona, Fiorentina, Borussia Dortmund or Mainz 05 can manage a win.