Ingress
The Ingress helper creates Kubernetes Ingress resources for external HTTP/HTTPS access to Services.
Overview
Ingress resources provide:
- HTTP/HTTPS routing to Services
- TLS termination
- Name-based virtual hosting
- Path-based routing
Basic configuration
ingress:
  - name: my-ingress
    namespace: production
    hosts:
      - host: myapp.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: my-service
                servicePort: http
With TLS
ingress:
  - name: my-ingress
    namespace: production
    tls:
      - secretName: myapp-tls
        hosts:
          - myapp.example.com
    hosts:
      - host: myapp.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: my-service
                servicePort: http
With annotations
NGINX Ingress Controller
ingress:
  - name: my-ingress
    namespace: production
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "50m"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    tls:
      - secretName: myapp-tls
        hosts:
          - myapp.example.com
    hosts:
      - host: myapp.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: my-service
                servicePort: http
cert-manager integration
ingress:
  - name: my-ingress
    namespace: production
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls:
      - secretName: myapp-tls  # Created automatically
        hosts:
          - myapp.example.com
    hosts:
      - host: myapp.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: my-service
                servicePort: http
Path-based routing
ingress:
  - name: api-ingress
    namespace: production
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /$2
    hosts:
      - host: api.example.com
        http:
          paths:
            # /users/* → user-service
            - path: /users(/|$)(.*)
              backend:
                serviceName: user-service
                servicePort: http
            # /orders/* → order-service
            - path: /orders(/|$)(.*)
              backend:
                serviceName: order-service
                servicePort: http
            # /* → frontend
            - path: /
              backend:
                serviceName: frontend
                servicePort: http
Multiple hosts
ingress:
  - name: multi-host-ingress
    namespace: production
    tls:
      - secretName: example-com-tls
        hosts:
          - www.example.com
          - example.com
      - secretName: api-example-com-tls
        hosts:
          - api.example.com
    hosts:
      - host: www.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: frontend
                servicePort: http
      - host: example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: frontend
                servicePort: http
      - host: api.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: api
                servicePort: http
Multiple Ingress resources
ingress:
  # Frontend
  - name: frontend-ingress
    namespace: production
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    tls:
      - secretName: frontend-tls
        hosts:
          - www.example.com
    hosts:
      - host: www.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: frontend
                servicePort: http
  # API
  - name: api-ingress
    namespace: production
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    tls:
      - secretName: api-tls
        hosts:
          - api.example.com
    hosts:
      - host: api.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: api
                servicePort: http
  # Admin
  - name: admin-ingress
    namespace: production
    annotations:
      nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"
    tls:
      - secretName: admin-tls
        hosts:
          - admin.example.com
    hosts:
      - host: admin.example.com
        http:
          paths:
            - path: /
              backend:
                serviceName: admin
                servicePort: http
Complete example
# Chart.yaml
apiVersion: v2
name: my-app
version: 1.0.0
dependencies:
  - name: ohmyhelm
    alias: app
    repository: https://gitlab.com/ayedocloudsolutions/ohmyhelm
    version: 1.13.0
# values.yaml
app:
  # TLS certificate (with cert-manager)
  ingress:
    - name: myapp-ingress
      namespace: production
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-prod
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
        nginx.ingress.kubernetes.io/proxy-body-size: "50m"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
        nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
      tls:
        - secretName: myapp-tls
          hosts:
            - myapp.example.com
      hosts:
        - host: myapp.example.com
          http:
            paths:
              - path: /
                backend:
                  serviceName: myapp
                  servicePort: http
  # Deployment
  chart:
    enabled: true
    fullnameOverride: "myapp"
    container:
      image: myapp:latest
      ports:
        - name: http
          containerPort: 8080
    service:
      type: ClusterIP
      ports:
        - port: 80
          targetPort: http
          name: http
Common annotations
NGINX Ingress Controller
| Annotation | Description |
| nginx.ingress.kubernetes.io/rewrite-target | URL rewriting |
| nginx.ingress.kubernetes.io/ssl-redirect | HTTP to HTTPS redirect |
| nginx.ingress.kubernetes.io/proxy-body-size | Maximum request body size |
| nginx.ingress.kubernetes.io/proxy-read-timeout | Backend read timeout |
| nginx.ingress.kubernetes.io/whitelist-source-range | IP whitelist |
| nginx.ingress.kubernetes.io/auth-url | External auth URL |
cert-manager
| Annotation | Description |
| cert-manager.io/cluster-issuer | ClusterIssuer for TLS |
| cert-manager.io/issuer | Namespaced Issuer for TLS |
Best Practices
- Enable TLS: always use HTTPS in production
- Use cert-manager: automatic certificate management
- Rate limiting: protect your APIs against overload
- Configure timeouts: set timeouts that fit your application
- Health checks: the Ingress controller needs working readiness probes
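
The following lint is an added example, not code from the ohmyhelm project: it checks an `ingress:` list in the values format used on this page against the TLS, redirect and rate-limiting practices above. The function names, the sample values and the use of the ingress-nginx `limit-rps`, `limit-rpm` and `limit-connections` annotations as the rate-limit signal are assumptions of this example.

```python
# Added example: lint a parsed `ingress:` list (e.g. from yaml.safe_load).
NGINX = "nginx.ingress.kubernetes.io/"
RATE_LIMIT_KEYS = ("limit-rps", "limit-rpm", "limit-connections")  # assumed signal

def covered(host, tls_hosts):
    """True if host is listed under tls, directly or via a one-label wildcard."""
    if host in tls_hosts:
        return True
    _, _, parent = host.partition(".")
    return bool(parent) and f"*.{parent}" in tls_hosts

def audit_ingress(entries):
    """Return (ingress name, finding) tuples for one `ingress:` list."""
    findings = []
    for ing in entries:
        name = ing.get("name", "<unnamed>")
        ann = ing.get("annotations") or {}
        tls_hosts = set()
        for tls in ing.get("tls") or []:
            if not tls.get("secretName"):
                findings.append((name, "tls entry without secretName"))
            tls_hosts.update(tls.get("hosts") or [])
        for rule in ing.get("hosts") or []:
            host = rule.get("host", "")
            if not covered(host, tls_hosts):
                findings.append((name, f"host {host} has no tls entry"))
        # ingress-nginx redirects to HTTPS by default once TLS is configured,
        # so only an explicit "false" switches the redirect off.
        if str(ann.get(NGINX + "ssl-redirect", "true")).lower() == "false":
            findings.append((name, "ssl-redirect disabled"))
        if not any(NGINX + key in ann for key in RATE_LIMIT_KEYS):
            findings.append((name, "no rate-limit annotation"))
    return findings

# Constructed sample values (names, hosts and secrets are made up).
SAMPLE = [
    {"name": "api-ingress",
     "annotations": {NGINX + "limit-rps": "20"},
     "tls": [{"secretName": "wild-tls", "hosts": ["*.example.com"]}],
     "hosts": [{"host": "api.example.com"}]},
    {"name": "legacy-ingress",
     "annotations": {NGINX + "ssl-redirect": "false"},
     "tls": [{"secretName": "www-tls", "hosts": ["www.example.com"]}],
     "hosts": [{"host": "www.example.com"}, {"host": "example.com"}]},
]

if __name__ == "__main__":
    for name, finding in audit_ingress(SAMPLE):
        print(f"{name}: {finding}")
```
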
Troubleshooting
Check the Ingress
# List Ingress resources
kubectl get ingress -n production
# Show details
kubectl describe ingress myapp-ingress -n production
# Ingress controller logs
kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx
Common problems
| Problem | Cause | Solution |
| 502 Bad Gateway | Service unreachable | Check the Service and its Endpoints |
| 503 Service Unavailable | No ready pods | Check the pod readiness probes |
| 404 Not Found | Incorrect path matching | Check the path and rewrite-target |
| Certificate error | TLS Secret missing | Check the Secret and cert-manager |
See also