7.2.0

Configuration parameters

Figure 1 FortiADC Ingress Controller

FortiADC Authentication Secret

As shown in Figure 1, FortiADC Ingress Controller satisfies an Ingress by making FortiADC REST API calls, so the FortiADC authentication parameters must be known to FortiADC Ingress Controller.

To store the authentication credentials securely on the Kubernetes cluster, you can save them in a Kubernetes secret.

For example:

kubectl create secret generic fad-login -n [namespace]  \
--from-literal=username=admin --from-literal=password=[admin password]

The secret is named fad-login. This name is specified in the Ingress annotation "fortiadc-login" so that FortiADC Ingress Controller can authenticate to FortiADC.

The authentication secret must be in the same namespace as the Ingress that references it.

Annotation in Ingress

Configuration parameters must be specified in the Ingress annotations so that FortiADC Ingress Controller can determine how to deploy the Ingress resource.

| Parameter | Description | Default |
|---|---|---|
| fortiadc-ip | The Ingress will be deployed on FortiADC with the given IP address. Note: This parameter is required. | |
| fortiadc-login | The name of the Kubernetes secret that holds the FortiADC authentication information. Note: This parameter is required. | |
| fortiadc-vdom | Specify which VDOM to deploy the Ingress resource to if VDOM is enabled on FortiADC. | root |
| fortiadc-ctrl-log | Enable/disable the FortiADC Ingress Controller log. Once enabled, FortiADC Ingress Controller will print the verbose log the next time the Ingress is updated. | enable |
| virtual-server-ip | The virtual server IP of the virtual server to be configured on FortiADC. This IP will be used as the address of the Ingress. Note: This parameter is required. | |
| virtual-server-interface | The FortiADC network interface for the client to access the virtual server. Note: This parameter is required. | |
| virtual-server-port | Default is 80. If TLS is specified in the Ingress, then the default is 443. Note: If the fortiadc-ip is the same as the virtual-server-ip, you should specify virtual-server-port to be other than 80/443 or change the system default reserved HTTP/HTTPS port on FortiADC. For more details, see the FortiADC Handbook on Management service ports. | 80 for HTTP service. 443 for HTTPS service. |
| load-balance-method | Specify the predefined or user-defined method configuration name. For more details, see the FortiADC Handbook on load balancing methods. | LB_METHOD_ROUND_ROBIN |
| load-balance-profile | Default is LB_PROF_HTTP. If TLS is specified in the Ingress, then the default is LB_PROF_HTTPS. | LB_PROF_HTTP; LB_PROF_HTTPS if TLS is specified |
| virtual-server-addr-type | IPv4 or IPv6. | ipv4 |
| virtual-server-traffic-group | Specify the traffic group for the virtual server. For more details, see the FortiADC Handbook on traffic groups. | default |
| virtual-server-nat-src-pool | Specify the NAT source pool. For more details, see the FortiADC Handbook on NAT source pools. | |
| virtual-server-waf-profile | Specify the WAF profile name. For more details, see the FortiADC Handbook on WAF profiles. | |
| virtual-server-av-profile | Specify the AV profile name. For more details, see the FortiADC Handbook on AV profiles. | |
| virtual-server-dos-profile | Specify the DoS profile name. For more details, see the FortiADC Handbook on DoS profiles. | |
| virtual-server-captcha-profile | Specify the Captcha profile name. For more details, see the FortiADC Handbook on Captcha profiles. Note: This field is available if WAF profile or DoS profile is specified. | |
| virtual-server-fortiview | Enable/disable FortiView. | disable |
| virtual-server-traffic-log | Enable/disable the traffic log. | disable |
| virtual-server-wccp | Enable/disable WCCP. For more details, see the FortiADC Handbook on WCCP. | disable |
| virtual-server-persistence | Specify a predefined or user-defined persistence configuration name. For more details, see the FortiADC Handbook on persistence rules. | |

For more details on configuring parameters with the virtual-server prefix and the load-balance prefix, see the FortiADC Handbook on Configuring virtual servers.
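
A pre-deployment check for the rules stated above: the required annotations, the secret living in the same namespace as the Ingress, the 80/443 port note, and the Captcha profile dependency. This is an added example, not FortiADC Ingress Controller code; the function name and the sample manifest with its values are assumptions, and the manifest is passed in as an already-parsed dict.

```python
# Added example (not FortiADC code): lint a parsed Ingress against the table.
REQUIRED = ("fortiadc-ip", "fortiadc-login",
            "virtual-server-ip", "virtual-server-interface")


def lint_ingress(ingress, secrets):
    """Return findings; `secrets` is a set of (namespace, name) pairs."""
    meta = ingress.get("metadata", {})
    ann = meta.get("annotations") or {}
    ns = meta.get("namespace", "default")
    has_tls = bool(ingress.get("spec", {}).get("tls"))
    findings = [f"missing required annotation: {k}"
                for k in REQUIRED if not ann.get(k)]

    # The login secret must be in the same namespace as the Ingress.
    login = ann.get("fortiadc-login")
    if login and (ns, login) not in secrets:
        findings.append(f"secret {login!r} not found in namespace {ns!r}")

    # virtual-server-port defaults to 80, or to 443 when TLS is specified.
    port = int(ann.get("virtual-server-port", 443 if has_tls else 80))
    ip = ann.get("fortiadc-ip")
    if ip and ip == ann.get("virtual-server-ip") and port in (80, 443):
        findings.append(f"virtual-server-port {port} on the fortiadc-ip "
                        "address (management ports assumed at default)")

    # The Captcha profile needs a WAF profile or a DoS profile.
    if ann.get("virtual-server-captcha-profile") and not (
            ann.get("virtual-server-waf-profile")
            or ann.get("virtual-server-dos-profile")):
        findings.append("virtual-server-captcha-profile set without a "
                        "WAF or DoS profile")
    return findings


# Constructed sample: names, addresses and the interface are placeholders.
SAMPLE = {
    "metadata": {"name": "demo", "namespace": "web", "annotations": {
        "fortiadc-ip": "192.0.2.10",
        "fortiadc-login": "fad-login",
        "virtual-server-ip": "192.0.2.10",
        "virtual-server-interface": "port1",
        "virtual-server-captcha-profile": "captcha-example",
    }},
    "spec": {"tls": [{"hosts": ["demo.example.com"]}]},
}
SAMPLE_SECRETS = {("default", "fad-login")}  # secret exists only in "default"

if __name__ == "__main__":
    print("\n".join(lint_ingress(SAMPLE, SAMPLE_SECRETS)))
```

The constructed sample trips three findings: the secret is in a different namespace, the TLS default port 443 lands on the management address, and the Captcha profile has no WAF or DoS profile beside it.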

Annotation in Service

You can define the health check profile and SSL profile in the Kubernetes service annotation.

The health check profile and SSL profile will be automatically configured in the corresponding real server pool on FortiADC.

| Parameter | Description | Default |
|---|---|---|
| health-check-ctrl | Enable/disable the health checking for the real server pool. | disable |
| health-check-relation | AND: All of the selected health checks must pass for the server to be considered available. OR: One of the selected health checks must pass for the server to be considered available. | |
| health-check-list | One or more health check configuration names. Concatenate the health check names with a space between each name. For example: "LB_HLTHCK_ICMP LB_HLTHCK_HTTP". For more details, see the FortiADC Handbook on health checks. | |
| real-server-ssl-profile | Specify the real server SSL profile name. Real server profiles determine settings for communication between FortiADC and the backend real servers. The default is NONE, which is applicable for non-SSL traffic. For more details, see the FortiADC Handbook on SSL profiles. | NONE |

Here is an example service.yaml with health check parameters:

kind: Service
apiVersion: v1
metadata:
  labels:
  name: default-http-backend
  namespace: default
  annotations: {
    "health-check-ctrl" : "enable",
    "health-check-relation" : "OR",
    "health-check-list" : "LB_HLTHCK_ICMP",
    "real-server-ssl-profile" : "NONE"
  }
spec:
  type: NodePort
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx
  sessionAffinity: None
