Use Ingress to expose MSR service to the Internet on AWS
When you deploy Ingress to expose your MSR service to the Internet, you gain the advantage of being able to use the same application load balancer (ALB) to expose other services as well.
High-level MSR Ingress architecture:
To create this deployment architecture, configure the ALB group name in the ingress rules.
Install MSR, maintaining the default Helm chart main entry point service type, ClusterIP.
Create the ingress rule to expose the main entry point service.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: "{\n\t\"Type\": \"redirect\",\n\t\"RedirectConfig\": {\n\t\t\"Protocol\": \"HTTPS\",\n\t\t\"Port\": \"443\",\n\t\t\"StatusCode\": \"HTTP_301\"\n\t}\n}\n"
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:095790522336:certificate/6e764fc2-5f24-4f49-87bb-e2fa2f81ccec
    alb.ingress.kubernetes.io/group.name: <exposed-msr-url>
    alb.ingress.kubernetes.io/listen-ports: "[{\n\t\t\"HTTP\": 80\n\t},\n\t{\n\t\t\"HTTPS\": 443\n\t}\n]\n"
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-Res-2020-10
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
  name: registry-ingress
  namespace: msr
spec:
  rules:
  - host: <exposed-msr-url>
    http:
      paths:
      - backend:
          service:
            name: ssl-redirect
            port:
              name: use-annotation
      - backend:
          service:
            name: msr
            port:
              number: 443
```
Note
If there is not yet an ALB with the group name you indicated in the alb.ingress.kubernetes.io/group.name metadata annotation, the ingress controller creates a new ALB with that group name to expose MSR. If an ALB with the provided group name already exists, the required listeners are created in that ALB to route the traffic to the NGINX pods.

Create a CNAME record in the Amazon Route 53 DNS service to direct the traffic from your exposed MSR URL to the ALB URL.
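
A pre-apply check for the ingress rule above, as an added example that is not part of the original page or of MSR: it parses the JSON-valued annotations and reports when the internet-facing ALB would serve MSR without TLS, without the HTTP-to-HTTPS redirect, or without HTTPS to the pods. The function name `lint_alb_ingress`, the finding strings and the placeholder values in the sample manifests are assumptions made for illustration.

```python
import copy
import json

P = "alb.ingress.kubernetes.io/"  # annotation prefix used in the manifest above

def lint_alb_ingress(ing):
    """Return findings for an ALB Ingress given as a parsed manifest (dict)."""
    ann = ing["metadata"].get("annotations", {})
    out = []
    # listen-ports is a JSON list such as [{"HTTP": 80}, {"HTTPS": 443}]
    ports = {k: v for e in json.loads(ann.get(P + "listen-ports", "[]")) for k, v in e.items()}
    if "HTTPS" not in ports:
        out.append("no HTTPS listener")
    elif not ann.get(P + "certificate-arn"):
        out.append("HTTPS listener without certificate-arn")
    if "HTTP" in ports:
        act = json.loads(ann.get(P + "actions.ssl-redirect", "{}"))
        if act.get("Type") != "redirect" or act.get("RedirectConfig", {}).get("Protocol") != "HTTPS":
            out.append("HTTP listener without HTTPS redirect action")
        svcs = [p["backend"]["service"] for r in ing["spec"]["rules"] for p in r["http"]["paths"]]
        if not any(s["name"] == "ssl-redirect" and s["port"].get("name") == "use-annotation" for s in svcs):
            out.append("ssl-redirect action not referenced by any path")
    if not ann.get(P + "ssl-policy"):
        out.append("no ssl-policy annotation")
    if ann.get(P + "backend-protocol") != "HTTPS":
        out.append("ALB-to-pod traffic is not HTTPS")
    return out

# Constructed sample: the page's manifest as a dict, with placeholder values.
GOOD = {
    "metadata": {"name": "registry-ingress", "namespace": "msr", "annotations": {
        P + "actions.ssl-redirect": json.dumps({"Type": "redirect", "RedirectConfig":
            {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}),
        P + "backend-protocol": "HTTPS",
        P + "certificate-arn": "<certificate-arn>",
        P + "group.name": "<exposed-msr-url>",
        P + "listen-ports": json.dumps([{"HTTP": 80}, {"HTTPS": 443}]),
        P + "ssl-policy": "ELBSecurityPolicy-FS-1-2-Res-2020-10"}},
    "spec": {"rules": [{"host": "<exposed-msr-url>", "http": {"paths": [
        {"backend": {"service": {"name": "ssl-redirect", "port": {"name": "use-annotation"}}}},
        {"backend": {"service": {"name": "msr", "port": {"number": 443}}}}]}}]},
}

# Constructed weak variant: redirect path and backend TLS annotation removed.
WEAK = copy.deepcopy(GOOD)
WEAK["spec"]["rules"][0]["http"]["paths"].pop(0)
del WEAK["metadata"]["annotations"][P + "backend-protocol"]
if __name__ == "__main__":
    print(lint_alb_ingress(GOOD), lint_alb_ingress(WEAK))
```

Because every Ingress that carries the same group.name is merged into the same ALB, running the check on each manifest in the group before applying it keeps one weak rule from changing what the shared load balancer exposes.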