7.4.0

Deployment

Deploy the Pods and expose the Services

Service1:
kubectl apply -f https://raw.githubusercontent.com/fortinet/fortiweb-ingress/main/service_examples/service1.yaml
Service2:
kubectl apply -f https://raw.githubusercontent.com/fortinet/fortiweb-ingress/main/service_examples/service2.yaml

Check the service1 and service2 you have deployed.

kubectl get service

NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service1               NodePort    10.111.143.250   <none>        1241:31320/TCP   10m
service2               NodePort    10.109.117.79    <none>        1242:32075/TCP   2m59s

Deploy the Ingress

Define the Simple-fanout Ingress resource.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-fanout-example
  annotations: {
    "fortiweb-ip" : "172.23.133.148",
    "fortiweb-login" : "fwb-login1",
    "fortiweb-ctrl-log" : "disable",
    "virtual-server-ip" : "192.23.133.6",
    "virtual-server-addr-type" : "ipv4",
    "virtual-server-interface" : "port2",
    "server-policy-web-protection-profile" : "Inline Standard Protection",
    "server-policy-https-service" : "HTTPS",
    "server-policy-http-service" : "HTTP",
    "server-policy-syn-cookie" : "enable",
    "server-policy-http-to-https" : "disable"
  }
spec:
  ingressClassName: fwb-ingress-controller
  rules:
  - host: test.com
    http:
      paths:
      - path: /info
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 1241
      - path: /hello
        pathType: Prefix
        backend:
          service:
            name: service2
            port:
              number: 1242

Deploy it with the kubectl command.

kubectl apply -f simple-fanout.yaml

ingress.networking.k8s.io/simple-fanout-example created

Get the information of the simple-fanout-example Ingress by using the kubectl describe command.

user@control-plane-node ~> kubectl describe ingress simple-fanout-example

Name:             simple-fanout-example
Namespace:        default
Address:          192.23.133.6
Default backend:  default-http-backend:80
Rules:
  Host        Path  Backends
  ----        ----  --------
  test.com
              /info   service1:1241 (10.244.1.16:9876)
              /hello  service2:1242 (10.244.12.26:80)
Annotations:  FortiWeb-admin: admin
              "fortiweb-ip" : "172.23.133.148",
              "fortiweb-login" : "fwb-login1",
              "fortiweb-ctrl-log" : "disable",
              "virtual-server-ip" : "192.23.133.6",
              "virtual-server-addr-type" : "ipv4",
              "virtual-server-interface" : "port2",
              "server-policy-web-protection-profile" : "Inline Standard Protection",
              "server-policy-https-service" : "HTTPS",
              "server-policy-http-service" : "HTTP",
              "server-policy-syn-cookie" : "enable",
              "server-policy-http-to-https" : "disable"

FortiView

Check the deployed Ingress with FortiView.

Try to access https://test.com/info.

Try to access https://test.com/hello.

Update or delete the Ingress

To update an Ingress resource:

You can edit the ingress.yaml and use kubectl apply, or use the kubectl edit command.

kubectl edit ingress simple-fanout-example

To delete the Ingress resource:

kubectl delete ingress/simple-fanout-example

Add, update or delete Service and Node

Service

FortiWeb Ingress Controller only monitors the port sections and annotations defined in services that are used in the deployed Ingress resource. For example, to let service2 also handle traffic with the TCP destination port 8080 to the nginx pod, first use the kubectl edit command to see the original service2 spec.

kubectl edit service service2

#original definition of service2
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2021-10-21T08:50:31Z"
  labels:
    run: nginx-demo
  name: service2
  namespace: default
  resourceVersion: "26766217"
  selfLink: /api/v1/namespaces/default/services/service2
  uid: 69aa596e-1f23-4696-b770-6202654058a5
spec:
  clusterIP: 10.109.117.79
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 32075
    port: 1242
    protocol: TCP
    targetPort: 80
  selector:
    run: nginx-demo
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

Now, add another port and give each port a name. In the example below, take note of the added lines: the name of each port and the second port entry.

# Modified service2
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2021-10-21T08:50:31Z"
  labels:
    run: nginx-demo
  name: service2
  namespace: default
  resourceVersion: "26766217"
  selfLink: /api/v1/namespaces/default/services/service2
  uid: 69aa596e-1f23-4696-b770-6202654058a5
spec:
  clusterIP: 10.109.117.79
  externalTrafficPolicy: Cluster
  ports:
  - name: http-80
    nodePort: 32075
    port: 1242
    protocol: TCP
    targetPort: 80
  - name: http-8080
    port: 1243
    protocol: TCP
    targetPort: 8080
  selector:
    run: nginx-demo
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

Check the service with the kubectl get command. You can see that service2 has registered the second port 1243 and has been allocated NodePort 31879 by Kubernetes.

NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
service1               NodePort    10.111.143.250   <none>        1241:31320/TCP                  4d21h
service2               NodePort    10.109.117.79    <none>        1242:32075/TCP,1243:31879/TCP   4d21h

Then check the FortiWeb real server pool default_service2. You can see that pool members with port 31879 have been added.

Note: If you delete a service used in the deployed Ingress resources, Kubernetes does not give you any warning, and FortiWeb Ingress Controller does not handle any delete events on the service.
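
The following check is an added example, not part of the original documentation or of the FortiWeb Ingress Controller. Because a deleted Service raises no warning and no controller event, it compares Ingress backends against the Services that exist and reports dangling ones. The sample JSON is constructed, and the /alt rule and the function names are assumptions for illustration.

```python
import json

# Constructed sample data (the /alt rule is hypothetical), shaped like
# `kubectl get ... -o json`; service2 has been deleted from the cluster.
INGRESSES = json.loads("""{"items": [{"metadata": {"name": "simple-fanout-example", "namespace": "default"},
  "spec": {"rules": [{"host": "test.com", "http": {"paths": [
    {"path": "/info",  "backend": {"service": {"name": "service1", "port": {"number": 1241}}}},
    {"path": "/hello", "backend": {"service": {"name": "service2", "port": {"number": 1242}}}},
    {"path": "/alt",   "backend": {"service": {"name": "service1", "port": {"name": "http-8080"}}}}
  ]}}]}}]}""")
SERVICES = json.loads("""{"items": [{"metadata": {"name": "service1", "namespace": "default"},
  "spec": {"ports": [{"port": 1241, "nodePort": 31320}]}}]}""")


def index_services(services):
    """Map (namespace, name) -> set of exposed port numbers and port names."""
    return {
        (s["metadata"].get("namespace", "default"), s["metadata"]["name"]):
            {v for p in s.get("spec", {}).get("ports", [])
             for v in (p.get("port"), p.get("name")) if v is not None}
        for s in services.get("items", [])
    }


def dangling_backends(ingresses, services):
    """Return (ingress, host, path, service, reason) for every broken backend."""
    index, findings = index_services(services), []
    for ing in ingresses.get("items", []):
        ns = ing["metadata"].get("namespace", "default")
        for rule in ing.get("spec", {}).get("rules", []):
            for p in (rule.get("http") or {}).get("paths", []):
                svc = (p.get("backend") or {}).get("service")
                if not svc:
                    continue  # resource backends are out of scope here
                wanted = svc.get("port", {}).get("number") or svc.get("port", {}).get("name")
                exposed = index.get((ns, svc["name"]))
                if exposed is None:
                    reason = "service not found"
                elif wanted not in exposed:
                    reason = f"port {wanted} not exposed"
                else:
                    continue
                findings.append((ing["metadata"]["name"], rule.get("host", "*"),
                                 p.get("path", "/"), svc["name"], reason))
    return findings


if __name__ == "__main__":
    for finding in dangling_backends(INGRESSES, SERVICES):
        print(*finding, sep="  ")
```

On a live cluster, replace the constructed samples with the output of kubectl get ingress -A -o json and kubectl get service -A -o json.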

Node

If you add or delete a worker node, FortiWeb Ingress Controller will check the deployed Ingress resources and handle the add/delete event. For updating a node, FortiWeb Ingress Controller only monitors the node’s IP.
