Google Kubernetes Engine (GKE)
To use the ngrok Kubernetes Operator with Google Kubernetes Engine:
Introduction
The ngrok Kubernetes Operator is our official open-source controller for adding public and secure ingress traffic to your k8s services. It works out of the box with Google Kubernetes Engine cluster to provide ingress to your services no matter the network configuration, as long as it has outbound access to the ngrok service. This allows ngrok to be portable and work seamlessly across any type of infrastructure.
Step 1: Ensure kubectl can speak with your cluster
With a Google Kubernetes Engine (GKE) cluster, authentication for kubectl happens with a credential helper. So in-order to deploy the ngrok Kubernetes Operator to your cluster, you'll need to ensure that you can use the gcloud CLI and that the credential helper is available.
Let's ensure that you have the gcloud CLI installed and configured with your Google Cloud credentials. You can confirm this works and you're authenticated correctly by running the following command:
Loading…
If you see your correct Google account listed, you should be all set. If not, you can run gcloud auth login to authenticate with your Google account.
Next, we'll ensure that the credential helper is available. Run the following command to confirm that the credential helper is available:
Loading…
Finally, we can add the cluster to our KUBECONFIG:
Loading…
Step 2: Install the ngrok Kubernetes Operator
Now we can install the ngrok Kubernetes Operator to provide ingress to our services. We'll use Helm to install the ngrok Kubernetes Operator into our cluster.
-
Add the ngrok Kubernetes Operator Helm repo
Loading…
-
Set your environment variables with your ngrok credentials. Replace
[AUTHTOKEN]and[API_KEY]with your Authtoken and API key for your account.Loading…
-
Next, we'll install the ngrok Kubernetes Operator into our cluster.
Loading…
-
Verify the ngrok Kubernetes Operator is installed and all its pods are healthy
Loading…
Step 3: Install a Sample Application
Create a manifest file (for example ngrok-manifest.yaml) with the following contents. You will need to replace the NGROK_DOMAIN on line 45 with your own custom value. This is the URL you will use to access your service from anywhere. If you're on a free account, it must be on a static subdomain which you can claim by logging into your account and following the instructions on the claim static subdomain banner. For paid accounts, you can use a custom domain or a subdomain of ngrok.app or ngrok.dev (for example, username-loves-ingress.ngrok.app or k8s.example.com).
- Lines 1-34: Create the 2048 app service and deployment
- Lines 35-54 (highlighted): Create the ngrok Kubernetes Operator. Line 45 determines the ingress URL for public requests.
Loading…
-
Apply the manifest file to your k8s cluster.
Loading…
Note: If you get an error when applying the manifest, double check that you've updated the
NGROK_DOMAINvalue and try again. -
To confirm the manifest is successfully applied, go to the ngrok Dashboard and click Edge Configurations. You should see a new Edge Configuration for your cluster with the name matching your URL (1) — for example:
my-awesome-k8s-cluster.ngrok.app. Also note that your some of your cluster configurations are presented int the dashboard as annotations (2).
-
Access your ingress URL using the subdomain you chose in the manifest file above (i.e.
https://my-awesome-k8s-cluster.ngrok.app) to confirm the 2048 app is accessible from the internet. If you forgot what url you chose, you can always runkubectl get ingresses --namespace=ngrok-ingress-controllerto see what it is.
Step 4: Add edge security to your app
The ngrok Kubernetes Operator provides custom resource definitions (CRDs) for additional edge features available in ngrok. In this example, we're expanding the Operator with Google OAuth to allow access only from users with the email domains @acme.com or @ngrok.com and to apply a circuit breaker to your app at 80% (requires a paid account). These features are enforced at the ngrok edge, ensuring only authorized users can access your app.
As before, you will need to update line 46 of this manifest with your NGROK_DOMAIN in the Ingress object.
This example is very similar to the previous version, with the following changes:
- Lines 41-42: Associates your Operator with the configuration
oauth-and-circuit-breakingvia annotation - Lines 57-75: Sets the edge configuration as a custom CRD (NgrokModuleSet).
- Lines 64-69: Sets the circuit breaker module over 50% threshold.
- Lines 70-74: Sets the OAuth module to allow access only for users with the email domains
@acme.comor@ngrok.com.
Loading…
-
Save your file and reapply the manifest file:
Loading…
Note: Again, if you get an error when applying the manifest, double check that you've updated the
NGROK_DOMAINvalue and try again. -
To confirm the circuit breaking configuration is successfully applied:
-
Go to ngrok Dashboard > Edge Configurations.
-
Click the edge configuration that matches your URL.
-
On the left hand side, click Circuit Breaker.
-
Notice how the circuit breaker configuration matches your manifest file.
-
Click OAuth and confirm how the oauth configuration matches your manifest file.
-
-
Access your App and confirm that you got the expect authentication behavior:
