I installed the nginx-ingress controller a while back and that setup is covered in my previous post (Using the Nginx Ingress Controller with Kubernetes). Now let’s use the existing deployment to add some ingress resources. I found a couple of sites that got me started:
- Exposing Prometheus and Alertmanager
- Howto expose prometheus, grafana and alertmanager with nginx ingress #11471
I ended using the following ingress configuation:
> cat ingress.yaml apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: prometheus annotations: nginx.ingress.kubernetes.io/rewrite-target: "/$2" spec: tls: - hosts: - "ub" secretName: tls-secret rules: - host: ub http: paths: - path: "/prom(/|$)(.*)" backend: serviceName: prometheus servicePort: 9090
Then I had to modify the prometheus deployment to accept traffic on the new path (/prom). This was covered in the Securing Prometheus API and UI Endpoints Using Basic Auth documentation:
> grep web deploy.yaml - "--web.enable-lifecycle" - "--web.route-prefix=/" - "--web.external-url=http://ub/prom"
Then applying (
kubectl apply) those settings, allowed me to visit the host and getting to the prometheus UI:
If you want you can also enable http-auth through the nginx-ingress controller. The insturctions are covered at Basic Authentication and the steps are the following:
$ htpasswd -c auth admin $ kubectl create secret generic basic-auth --from-file=auth
Then modify the config and point to the new secret:
> cat ingress.yaml apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: prometheus annotations: nginx.ingress.kubernetes.io/rewrite-target: "/$2" nginx.ingress.kubernetes.io/auth-type: basic nginx.ingress.kubernetes.io/auth-secret: basic-auth nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - Prometheus' spec: tls: - hosts: - "ub" secretName: tls-secret rules: - host: ub http: paths: - path: "/prom(/|$)(.*)" backend: serviceName: prometheus servicePort: 9090
Now if you try to visit the page it will give you a warning:
> curl -kI https://ub/prom/ HTTP/2 401 server: nginx/1.17.7 date: Sun, 26 Jan 2020 22:12:14 GMT content-type: text/html content-length: 179 www-authenticate: Basic realm="Authentication Required - Prometheus" strict-transport-security: max-age=15724800; includeSubDomains
Simple and gets the job done.
Very similar approach with Alertmanager as with prometheus (no changes to ingress other than the path). I just had to modify the deployment to make sure the application is serving behind a different path:
> grep web deploy.yaml - --web.external-url=http://localhost:9093/alerts - --web.route-prefix=/
Not too shabby.