Ingress is the preferred load balancer and default setting for external communication between the IBM Spectrum® Protect Plus server and Container Backup Support on Kubernetes. To use Ingress, you must install an Ingress controller of your choice, configure it for SSL passthrough, and define the Ingress resource for Container Backup Support. You must follow this procedure to use an Ingress controller.
Before you begin
Ingress is the default method for communication between the IBM Spectrum Protect Plus server and Container Backup Support. NodePort may also be used but is not the default method for communication. If you choose to use NodePort, you do not need to install and configure an Ingress controller, nor do you need to define an Ingress resource.
If you choose to use NodePort, you must disable Ingress by updating the use_nodeport variable to true in the baas-values-cr.yaml file:
    use_nodeport: true
You can skip this procedure entirely if you choose to use NodePort.
Procedure
To configure an Ingress controller for external connections between the IBM Spectrum Protect Plus server and the Container Backup Support agent, complete the following steps:
- Before or after the installation of Container Backup Support, install an Ingress controller of your choice.
- Edit the Ingress deployment to allow SSL passthrough.
  In the following example, the Kubernetes NGINX Ingress controller is used. Depending on the Ingress controller that you installed, the steps to enable SSL passthrough might be different. Consult the Ingress controller documentation for instructions.
    kubectl edit deployment ingress-nginx-controller -n ingress_namespace
  where ingress_namespace is the namespace where the Ingress controller was created.
  Within the spec.template.spec.containers.args field, add the following value:
    - --enable-ssl-passthrough
- Ensure that you assign an external IP address for the LoadBalancer service for your Ingress controller. For best results, assign external dotted IP addresses to all of your cluster nodes. You can do the assignment by updating the IP addresses in the Ingress deployment. In the following example, the Kubernetes NGINX Ingress controller is used.
  - Issue the following command to edit the Ingress deployment:
      kubectl edit deployment ingress-nginx-controller -n ingress_namespace
    where ingress_namespace is the namespace where the Ingress controller was created.
  - In the spec field, specify the external IP addresses of the LoadBalancer service as follows:
      externalIPs:
      - x.x.x.y
      - x.x.x.z
      - x.x.x.n
- If Container Backup Support is not already installed, install it.
- Define the Ingress resource as follows:
  The following sample file is applicable to the Kubernetes NGINX Ingress controller. Depending on the Ingress controller that you installed, the annotations might differ. Refer to the Ingress controller documentation to obtain the correct annotations for your controller to match the ones in the sample file.
    #-----------------------------
    # Ingress resource sample yaml
    #-----------------------------
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      name: baas-spp-agent-ingress
      namespace: baas
    spec:
      rules:
      - host: FQDN_OF_HOST_FOR_INGRESS_ENDPOINT
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: baas-rest-spp-agent
                port:
                  number: 443
  where FQDN_OF_HOST_FOR_INGRESS_ENDPOINT is the fully qualified domain name of one of the external IP addresses that you assigned to your Ingress LoadBalancer service in Step 3.
  - Copy the sample YAML file and paste the contents into the sppagent-ingress.yaml file, edit the file so that it is appropriate for your controller, and apply the YAML:
      kubectl create -f sppagent-ingress.yaml
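
The following check is an added example, not part of the IBM documentation. It verifies that the controller flag from the SSL passthrough step and the Ingress resource from the sample file agree, because the NGINX Ingress controller acts on the ssl-passthrough annotation only when it was started with --enable-ssl-passthrough. The function name, the host spp-agent.example.com, and the sample objects are constructed for illustration; real input would be the parsed output of kubectl get ... -o json for the deployment and the Ingress.

```python
PASSTHROUGH = "nginx.ingress.kubernetes.io/ssl-passthrough"
PLACEHOLDER = "FQDN_OF_HOST_FOR_INGRESS_ENDPOINT"
FLAGS = ("--enable-ssl-passthrough", "--enable-ssl-passthrough=true")

# Constructed sample objects, shaped like `kubectl get ... -o json` output.
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--enable-ssl-passthrough"]}]}}}}
SAMPLE_INGRESS = {
    "metadata": {"name": "baas-spp-agent-ingress", "namespace": "baas",
                 "annotations": {PASSTHROUGH: "true"}},
    "spec": {"rules": [{"host": "spp-agent.example.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix", "backend": {"service": {
            "name": "baas-rest-spp-agent", "port": {"number": 443}}}}]}}]}}


def check_passthrough(deployment, ingress):
    """Return a list of findings; an empty list means both objects agree."""
    findings = []
    # Controller side: the flag must be in the container args of the pod template.
    containers = deployment["spec"]["template"]["spec"]["containers"]
    args = [a for c in containers for a in c.get("args", [])]
    if not any(a in FLAGS for a in args):
        findings.append("controller: --enable-ssl-passthrough not in container args")
    # Ingress side: annotation values are strings, so the value must be "true".
    annotations = ingress.get("metadata", {}).get("annotations", {})
    if annotations.get(PASSTHROUGH) != "true":
        findings.append("ingress: ssl-passthrough annotation is not \"true\"")
    rules = ingress.get("spec", {}).get("rules", [])
    if not rules:
        findings.append("ingress: no rules defined")
    for rule in rules:
        host = rule.get("host", "")
        if not host or host == PLACEHOLDER:
            findings.append("ingress: host is empty or still the placeholder")
        # The sample file targets the agent REST service on port 443.
        for path in rule.get("http", {}).get("paths", []):
            service = path.get("backend", {}).get("service", {})
            if service.get("port", {}).get("number") != 443:
                findings.append(f"ingress: backend {service.get('name')} is not on port 443")
    return findings


if __name__ == "__main__":
    # Real input: json.load() of saved `kubectl get ... -o json` output.
    result = check_passthrough(SAMPLE_DEPLOYMENT, SAMPLE_INGRESS)
    print("\n".join(result) or "OK: passthrough is enabled end to end")
```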