Ingress
If you have an Ingress Controller that supports Passthrough TLS, you can access a LittleHorse Cluster using the spec.server.listeners[].infrastructure.ingress field.
Many Ingress controllers, such as NGINX, do not support both TLS Passthrough and TLS Termination on the same port. Most users of Ingress don't use TLS Passthrough. This unfortunately means that if you wish to use Ingress to allow external traffic into your LittleHorse Clusters, you will likely need to deploy a separate Ingress Controller.
You will need:
- An Ingress Controller with TLS Passthrough enabled, and the name of the relevant IngressClass.
- A listener with TLS configured as per our docs.
Creating Ingress Resources
An example LHCluster using Ingress is shown below.
apiVersion: littlehorse.io/v1
kind: LHCluster
metadata:
  name: basic-ingress
  namespace: littlehorse
spec:
  server:
    listeners:
    - name: external
      infrastructure:
        ingress:
          ingressClassName: my-passthrough
          ingressAnnotations:
            nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"
            nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      advertisedListeners:
        serverHostSuffix: ".test.littlehorse.cloud"
      port: 2443
      tls:
        # specified as per our docs...
        # ...
        # ...
Note that the ingressClassName should match the name of the IngressClass reconciled by your Passthrough TLS controller.
This will result in the Operator creating:
- An Ingress that is configured for bootstrap.test.littlehorse.cloud which round-robins across all LittleHorse Kernel instances.
- An Ingress resource for each LittleHorse Kernel instance at lh-X.test.littlehorse.cloud (where X is the LittleHorse Kernel Instance number).
For NGINX, it is required to set the nginx.ingress.kubernetes.io/backend-protocol and nginx.ingress.kubernetes.io/ssl-passthrough annotations as we did in our example. For other Ingress Controllers, please consult their documentation.
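With passthrough, the Ingress Controller does not terminate TLS, so the certificate on the LittleHorse listener has to be valid for every hostname the Operator publishes. The following pre-deployment check is an added example, not part of LittleHorse or its Operator: it lints one listener for the two NGINX annotations and lists which expected hostnames a given set of certificate SANs fails to cover. The function names, the `replicas` argument, instance numbering from 0, and the position of `advertisedListeners` directly under the listener are assumptions.

```python
# Added example (not LittleHorse code): lint one LHCluster listener for NGINX passthrough.
REQUIRED_NGINX_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/backend-protocol": "GRPCS",
    "nginx.ingress.kubernetes.io/ssl-passthrough": "true",
}

def expected_hosts(suffix, replicas):
    """bootstrap<suffix> plus lh-X<suffix>; numbering X from 0 is an assumption."""
    return ["bootstrap" + suffix] + [f"lh-{i}{suffix}" for i in range(replicas)]

def san_covers(san, host):
    """Exact match, or a wildcard SAN standing in for exactly one leftmost label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host

def lint_listener(listener, replicas, cert_sans):
    """Return a list of findings for one listener; an empty list means it passed."""
    findings = []
    ingress = listener.get("infrastructure", {}).get("ingress", {})
    if not ingress.get("ingressClassName"):
        findings.append("ingressClassName is not set")
    annotations = ingress.get("ingressAnnotations", {})
    for key, want in REQUIRED_NGINX_ANNOTATIONS.items():
        if annotations.get(key) != want:
            findings.append(f"annotation {key} must be the string {want!r}")
    if "tls" not in listener:
        findings.append("listener has no tls block")
    # Assumed nesting: advertisedListeners sits directly under the listener.
    suffix = listener.get("advertisedListeners", {}).get("serverHostSuffix", "")
    for host in expected_hosts(suffix, replicas):
        if not any(san_covers(s, host) for s in cert_sans):
            findings.append(f"certificate has no SAN covering {host}")
    return findings

# Constructed sample mirroring the manifest above, with one mistake: an unquoted
# YAML `true` parses as a boolean, while the manifest uses the string "true".
LISTENER = {
    "name": "external",
    "infrastructure": {"ingress": {
        "ingressClassName": "my-passthrough",
        "ingressAnnotations": {
            "nginx.ingress.kubernetes.io/backend-protocol": "GRPCS",
            "nginx.ingress.kubernetes.io/ssl-passthrough": True}}},
    "advertisedListeners": {"serverHostSuffix": ".test.littlehorse.cloud"},
    "port": 2443,
    "tls": {},  # placeholder; the page elides the TLS settings
}
```

Calling `lint_listener(LISTENER, 2, sans)` with the SAN list read from the listener's certificate returns one finding per problem, which makes it usable as a CI gate before the manifest is applied.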