Nginx Ingress Controller
This tutorial explains how to setup the nginx ingress controller to expose the hoop gateway web & gRPC services with TLS.
Requirements
Configuring Let's Encrypt
Request a certificate for the nginx ingress controller and configure it in your DNS system.
- appdemo.hoop.dev (webapp/api)
API_HOST=appdemo.hoop.dev
mkdir -p $HOME/certbot
certbot -d $API_HOST --manual --preferred-challenges dns certonly \
--config-dir $HOME/certbot \
--work-dir $HOME/certbot \
--logs-dir $HOME/certbot
- appdemo-grpc.hoop.dev (grpc)
GRPC_HOST=appdemo-grpc.hoop.dev
certbot -d $GRPC_HOST --manual --preferred-challenges dns certonly \
--config-dir $HOME/certbot \
--work-dir $HOME/certbot \
--logs-dir $HOME/certbot
Creating TLS Secrets
- Create the namespace
kubectl create ns appdemo
- TLS Web / API
kubectl create secret tls tls-web -n appdemo \
--key $HOME/certbot/live/$API_HOST/privkey.pem \
--cert $HOME/certbot/live/$API_HOST/fullchain.pem
- TLS gRPC
# grpc
kubectl create secret tls tls-grpc -n appdemo \
--key $HOME/certbot/live/$GRPC_HOST/privkey.pem \
--cert $HOME/certbot/live/$GRPC_HOST/fullchain.pem
Nginx Controller Deployment
# https://kubernetes.github.io/ingress-nginx/deploy/
helm upgrade --install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx --create-namespace
Get the DNS of the load balancer provisioned by the ingress and configure a CNAME record in your DNS provider
LB_HOST=$(kubectl get svc -n ingress-nginx ingress-nginx-controller \
-o 'jsonpath={.status.loadBalancer.ingress[0].hostname}')
Grpc
- CNAME: $LB_HOST
- CNAME VALUE: $GRPC_HOST
Web
- CNAME: $LB_HOST
- CNAME VALUE: $API_HOST
Deploying Hoop
Deploy a postgres instance in your cluster
kubectl apply -n appdemo -f https://hoop.dev/misc/postgres-deployment.yaml
See this guide about how to create an oauth2 application on auth0. Export the variables below
export API_URL=https://$API_HOST
export IDP_ISSUER=
export IDP_CLIENT_ID=
export IDP_CLIENT_SECRET=
export IDP_AUDIENCE=
Deploy the gateway instance
# https://hoop.dev/docs/container-platforms/kubernetes
cat - > values.yaml <<EOF
config:
API_URL: $API_URL
IDP_ISSUER: $IDP_ISSUER
IDP_CLIENT_ID: $IDP_CLIENT_ID
IDP_CLIENT_SECRET: $IDP_CLIENT_SECRET
IDP_AUDIENCE: "$IDP_AUDIENCE"
LOG_LEVEL: debug
LOG_GRPC: 2
# hoop gateway configuration. Please refer to https://hoop.dev/docs/configuring/gateway
xtdbConfig:
PG_HOST: postgres.appdemo
PG_PORT: '5432'
PG_USER: root
PG_PASSWORD: 1a2b3c4d
PG_DB: hoopdb
ingressApi:
enabled: true
ingressClassName: nginx
host: $API_HOST
tlsSecret: tls-web
ingressGrpc:
enabled: true
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/backend-protocol: GRPC
host: $GRPC_HOST
tlsSecret: tls-grpc
EOF
VERSION=$(curl -s https://releases.hoop.dev/release/latest.txt)
helm upgrade --install hoop -n appdemo \
https://releases.hoop.dev/release/$VERSION/hoop-chart-$VERSION.tgz \
-f values.yaml
Signup
- Configure hoop client
# configure the hoop client
mkdir -p $HOME/.hoop && cat - > $HOME/.hoop/config.toml <<EOF
api_url = "$API_URL"
grpc_url = "$GRPC_HOST:443"
EOF
- Login / Signup
hoop login
Registering an Agent
Deploying the agent will fallback to web registration, follow the post deploy instructions to fetch the link to subscribe the agent.
helm upgrade --install hoopagent -n appdemo \
https://releases.hoop.dev/release/$VERSION/hoopagent-chart-$VERSION.tgz \
--set "config.gateway.grpc_url=$GRPC_HOST:443"
The logs should output the link to register the agent.
(...)
--------------------------------------------------------------------------
VISIT THE URL BELOW TO REGISTER THE AGENT
{API_URL}/agents/new/x-agt-...
--------------------------------------------------------------------------
(...)
Troubleshooting
In case the agent begins to restart too often, increase the verbosity of gRPC to diagnose the problem
helm upgrade --install hoopagent -n appdemo \
https://releases.hoop.dev/release/$VERSION/hoopagent-chart-$VERSION.tgz \
--set "config.gateway.grpc_url=$GRPC_HOST:443" \
--set "config.LOG_GRPC=2"
Static Token
To prevent the agent to unregistering on restarts, persist the token that was previous registered
helm upgrade --install hoopagent -n appdemo \
https://releases.hoop.dev/release/$VERSION/hoopagent-chart-$VERSION.tgz \
--set "config.gateway.grpc_url=$GRPC_HOST:443" \
--set "config.gateway.token=x-agt..."