I installed the nginx-ingress controller a while back and that setup is covered in my previous post (Using the Nginx Ingress Controller with Kubernetes). Now let’s use the existing deployment to add some ingress resources. I found a couple of sites that got me started:

Exposing Prometheus

I ended using the following ingress configuation:

> cat ingress.yaml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: prometheus
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: "/$2"
spec:
  tls:
  - hosts:
    - "ub"
    secretName: tls-secret
  rules:
  - host: ub
    http:
      paths:
      - path: "/prom(/|$)(.*)"
        backend:
          serviceName: prometheus
          servicePort: 9090

Then I had to modify the prometheus deployment to accept traffic on the new path (/prom). This was covered in the Securing Prometheus API and UI Endpoints Using Basic Auth documentation:

> grep web deploy.yaml 
            - "--web.enable-lifecycle"
            - "--web.route-prefix=/"
            - "--web.external-url=http://ub/prom"

Then applying (kubectl apply) those settings, allowed me to visit the host and getting to the prometheus UI:

prom-with-nginx.png

If you want you can also enable http-auth through the nginx-ingress controller. The insturctions are covered at Basic Authentication and the steps are the following:

$ htpasswd -c auth admin
$ kubectl create secret generic basic-auth --from-file=auth

Then modify the config and point to the new secret:

> cat ingress.yaml 
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: prometheus
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: "/$2"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - Prometheus'
spec:
  tls:
  - hosts:
    - "ub"
    secretName: tls-secret
  rules:
  - host: ub
    http:
      paths:
      - path: "/prom(/|$)(.*)"
        backend:
          serviceName: prometheus
          servicePort: 9090

Now if you try to visit the page it will give you a warning:

> curl -kI https://ub/prom/
HTTP/2 401 
server: nginx/1.17.7
date: Sun, 26 Jan 2020 22:12:14 GMT
content-type: text/html
content-length: 179
www-authenticate: Basic realm="Authentication Required - Prometheus"
strict-transport-security: max-age=15724800; includeSubDomains

Simple and gets the job done.

Exposing Alertmanager

Very similar approach with Alertmanager as with prometheus (no changes to ingress other than the path). I just had to modify the deployment to make sure the application is serving behind a different path:

 > grep web deploy.yaml 
            - --web.external-url=http://localhost:9093/alerts
            - --web.route-prefix=/

Not too shabby.