
NGINX+ KIC Lab Guide

The detailed lab documentation for the workshop can be found here:
http://udf.nginx-experience.com/

Note that you may need to change your YAML files accordingly when required as shown in this lab
guide.
Contents
Demo Environment
Getting Around the Lab
Create kubectl autocomplete
Lab 3.1: Deploy Arcadia Application in AWS EKS (K8s)
3.1.1 Deploy the application (Arcadia) in K8s
3.1.2 Verify the deployed pods
3.1.3 Verify the deployed services
Lab 3.2: NGINX K8s Ingress Controller
3.2.1 NGINX+ K8s Ingress Installation
3.2.2 Review each installation manifest file
3.2.3 Expose the NGINX+ Ingress Dashboard Service
3.2.4 Publish the application (Arcadia) to the Internet
3.2.5 Enable HTTPS & Health Checks Monitoring
3.2.6 Using VirtualServer and VirtualServerRoute CRDs

Demo Environment:
This workshop provides guidelines on how to deploy an application from scratch in an Amazon
Elastic Kubernetes Service environment while protecting and enhancing the application's availability
and usability with NGINX+ solutions.

For this workshop we are going to use the “Arcadia Crypto” application. The application is built with
6 different microservices that are deployed in the Kubernetes environment.

By the end of the workshop the “Arcadia Crypto” will be fully deployed and protected as described in
the below diagram.
Getting Around the Lab:
Once you log in to the UDF environment, click on deployment

Navigate to Jumpbox, click on ACCESS via Web Shell

In the Web Shell, navigate to /home/ubuntu/startup directory

cd /home/ubuntu/startup

Verify the terraform deployment status. The process may take 15 – 20 mins to complete.

tail -f startup.log

Press Ctrl-c to return to shell prompt.


Ensure the worker node is up and running. First switch from root to ubuntu:
# su ubuntu
$ kubectl get nodes

Ensure you can view the k8s worker node

Navigate to /home/ubuntu/lab for the lab files:

$ cd /home/ubuntu/lab

Create kubectl autocomplete:


source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc

alias k=kubectl
complete -F __start_kubectl k
Lab 3.1: Deploy Arcadia Application in AWS EKS (K8s):
As stated before, these are the 6 microservices which we will deploy.
• Frontend - serves the non-dynamic content such as HTML, JS, CSS and images
• Login - is in charge of dealing with anything related to the login user functionality
• Users - all user data interaction is done through this microservice only
• Stocks - connects to external resources to get the latest crypto data and serves it to the
application clients
• Stocks Transaction - deals with everything related to buying or selling cryptocurrencies. It
interacts with other microservices like Users and Stocks
• Database - database where all information is stored

3.1.1 Deploy the application (Arcadia) in K8s


Ensure that you’re in the /home/ubuntu/lab directory, then deploy the Arcadia Crypto application:
$ kubectl apply -f files/4ingress/1arcadia_delpoy.yaml
3.1.2 Verify the deployed pods
$ kubectl get pods

3.1.3 Verify the deployed services


$ kubectl get svc -o wide

As of now the services are not accessible; we shall deploy the NGINX+ Ingress in the following lab.
Lab 3.2: NGINX K8s Ingress Controller:
Previously we have deployed the application but did not expose the services.
We need to be able to route the requests to the relevant service.

The NGINX Ingress Controller for Kubernetes provides enterprise-grade delivery services for
Kubernetes applications, with benefits for users of both NGINX Open Source and NGINX Plus. With
the NGINX Ingress Controller for Kubernetes, you get basic load balancing, SSL/TLS termination,
support for URI rewrites, and upstream SSL/TLS encryption. NGINX Plus (NGINX+) users
additionally get session persistence for stateful applications and JSON Web Token (JWT)
authentication for APIs.
3.2.1 NGINX+ K8s Ingress Installation
We are going to use the NGINX installation manifest based on the NGINX Ingress Controller installation
guide. To simplify the lab and keep up its pace, we have already prepared an installation script.
💡 You’re encouraged to view the ingress_install.sh installation shell script located at
/home/ubuntu/lab/files/4ingress
Run the command below to run the ingress installation shell script (ensure you’re still in the
/home/ubuntu/lab directory):
$ ./files/4ingress/ingress_install.sh

3.2.2 Review each installation manifest file


We are going to review each installation manifest file as shown in the above screenshot. Also refer to this
installation link: https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/
3.2.3 Expose the NGINX+ Ingress Dashboard Service
Copy all the below to the Web-shell to create a yaml file to expose NGINX+ Ingress Dashboard Service

cat << EOF > ingress-dashboard-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: dashboard-nginx-ingress
  namespace: nginx-ingress
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: nginx-ingress
EOF

$ kubectl apply -f ingress-dashboard-svc.yaml
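
The Service above sets no source restriction, so by default the load balancer accepts clients from any address. The following is an added example, not part of the original lab guide: it prints the same Service with spec.loadBalancerSourceRanges limited to one client range, assuming the cluster's AWS load balancer integration enforces that field. The helper name dashboard_svc_manifest is hypothetical.

```shell
# Added example, not from the lab guide. dashboard_svc_manifest is a hypothetical
# helper; it prints the guide's dashboard Service with one allowed client range.
dashboard_svc_manifest() {
  cidr=$1
  # Require dotted-quad/prefix syntax before writing anything.
  if ! printf '%s\n' "$cidr" |
      grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
    echo "not an IPv4 CIDR: $cidr" >&2
    return 1
  fi
  # A /0 prefix allows every client, which is the default this helper replaces.
  case "$cidr" in
    */0) echo "refusing open range: $cidr" >&2; return 1 ;;
  esac
  cat << EOF
apiVersion: v1
kind: Service
metadata:
  name: dashboard-nginx-ingress
  namespace: nginx-ingress
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
  - $cidr
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: nginx-ingress
EOF
}
```

Run it as `dashboard_svc_manifest 203.0.113.0/24 > ingress-dashboard-svc.yaml` and apply the file as above; 203.0.113.0/24 is a documentation range standing in for your own client network.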

Get the NGINX+ ingress service in nginx-ingress namespace


$ kubectl get svc --namespace=nginx-ingress

Note the EXTERNAL-IP of the “dashboard-nginx-ingress”: This is the hostname that we will be using to
view the NGINX+ Dashboard.

Copy all the below to the Web-shell to save the EXTERNAL-IPs as env variables for later use:

export dashboard_nginx_ingress=$(kubectl get svc dashboard-nginx-ingress --namespace=nginx-ingress | tr -s " " | cut -d' ' -f4 | grep -v "EXTERNAL-IP")

export nginx_ingress=$(kubectl get svc nginx-ingress --namespace=nginx-ingress | tr -s " " | cut -d' ' -f4 | grep -v "EXTERNAL-IP")

Copy all the below to the Web-shell to check on these saved environment variables:

echo $dashboard_nginx_ingress
echo $nginx_ingress
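
The manifests in this guide are written with unquoted heredocs, so $nginx_ingress is expanded when the file is created and whatever the variable holds becomes the VirtualServer host. The following is an added example, not part of the original lab guide: it shows that the column-cutting pipeline captures the literal text <pending> while the load balancer is still provisioning, and offers a jsonpath-based capture that waits for a real hostname. All function names are hypothetical and the sample output is constructed.

```shell
# Added example, not from the lab guide. Function names are hypothetical.

# The guide's column-cutting pipeline, reading `kubectl get svc` text from stdin.
external_ip_column() {
  tr -s " " | cut -d' ' -f4 | grep -v "EXTERNAL-IP"
}

# Structured alternative: ask the API for the hostname field directly.
# Prints an empty string while the load balancer has no hostname yet.
lb_hostname() {
  kubectl get svc "$1" --namespace=nginx-ingress \
    -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
}

# Accept only values that look like a DNS hostname.
valid_lb_host() {
  case "$1" in
    ''|'<pending>'|'<none>') return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Poll until the Service has a usable hostname, then print it.
wait_for_lb() {
  svc=$1
  tries=${2:-30}
  while [ "$tries" -gt 0 ]; do
    host=$(lb_hostname "$svc") || return 1
    if valid_lb_host "$host"; then
      printf '%s\n' "$host"
      return 0
    fi
    tries=$((tries - 1))
    sleep 10
  done
  echo "no external hostname for $svc yet" >&2
  return 1
}

# Set both lab variables, or fail without exporting a bad value.
export_lab_hosts() {
  dashboard_nginx_ingress=$(wait_for_lb dashboard-nginx-ingress) || return 1
  nginx_ingress=$(wait_for_lb nginx-ingress) || return 1
  export dashboard_nginx_ingress nginx_ingress
}

# Constructed sample of `kubectl get svc` output while the NLB is provisioning.
SAMPLE_PENDING='NAME            TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
nginx-ingress   LoadBalancer   10.100.12.34   <pending>     80:31234/TCP   5s'
```

Source the file and call `export_lab_hosts` in the Web Shell; it needs kubectl access to the lab cluster.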
Browse to the following location and verify you can see the NGINX+ dashboard:
http://<DASHBOARD-EXTERNAL-IP>/dashboard.html

Copy your own EXTERNAL-IP


For example
http://a9b429a96e8c34440adb23574bc2495b-b8e9c03d8d82707d.elb.eu-west-1.amazonaws.com/dashboard.html

Note the EXTERNAL-IP of the “nginx-ingress”: This is the hostname that we will be using for
publishing the Arcadia web application.

Browse to the following location and verify that you receive a “404 status” code:
http://<INGRESS-EXTERNAL-IP>/

Copy your own EXTERNAL-IP


For example
http://a8b4bed9f37774d778dd0aeccdb23711-1472420083.eu-west-1.elb.amazonaws.com
3.2.4 Publish the application (Arcadia) to the Internet
Expose the Arcadia application services to the world and route the traffic based on the HTTP path. See:
https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/

Copy all the below to the Web-shell to create a yaml file to create an NGINX+ Ingress VirtualServer.
Review this ingress which only uses VirtualServer CRD and observe those highlighted in yellow:

cat << EOF > ingress-vs-only.yaml
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: arcadia
spec:
  host: $nginx_ingress
  upstreams:
  - name: arcadia-users
    service: arcadia-users
    port: 80
  - name: arcadia-login
    service: arcadia-login
    port: 80
  - name: arcadia-stocks
    service: arcadia-stocks
    port: 80
  - name: arcadia-stock-transaction
    service: arcadia-stock-transaction
    port: 80
  - name: arcadia-frontend
    service: arcadia-frontend
    port: 80
  routes:
  - path: /v1/user
    action:
      pass: arcadia-users
  - path: /v1/login
    action:
      pass: arcadia-login
  - path: /v1/stock
    action:
      pass: arcadia-stocks
  - path: /v1/stockt
    action:
      pass: arcadia-stock-transaction
  - path: /
    action:
      pass: arcadia-frontend
EOF

Apply the yaml file:


$ kubectl apply -f ingress-vs-only.yaml
Observe how the various HTTP paths (/v1/user, /v1/login, /v1/stock, /v1/stockt) are routed by Ingress to
the relevant K8s services.
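
Each route path above is a plain prefix, and NGINX selects the longest matching prefix, so /v1/stock and /v1/stockt overlap and neither stops at a path segment boundary. The following is an added example, not part of the original lab guide: a small offline model of that selection over the guide's five routes, assuming only prefix paths are used (no exact or regex paths). The function names are hypothetical.

```shell
# Added example, not from the lab guide. Function names are hypothetical.
# Routes from the guide's VirtualServer, one "prefix upstream" pair per line.
ROUTES='/v1/user arcadia-users
/v1/login arcadia-login
/v1/stock arcadia-stocks
/v1/stockt arcadia-stock-transaction
/ arcadia-frontend'

# Print the upstream chosen for a request path: the longest prefix that matches.
route_for() {
  uri=$1
  best=''
  best_len=0
  while read -r prefix upstream; do
    case "$uri" in
      "$prefix"*)
        if [ "${#prefix}" -gt "$best_len" ]; then
          best=$upstream
          best_len=${#prefix}
        fi
        ;;
    esac
  done << EOF
$ROUTES
EOF
  printf '%s\n' "$best"
}

# List route pairs where one prefix is a string prefix of another (ignoring "/").
# For such pairs, removing the longer route silently sends its traffic to the
# shorter one instead of to the frontend.
overlapping_prefixes() {
  printf '%s\n' "$ROUTES" | while read -r a rest_a; do
    if [ "$a" = "/" ]; then continue; fi
    printf '%s\n' "$ROUTES" | while read -r b rest_b; do
      if [ "$a" = "$b" ]; then continue; fi
      case "$b" in
        "$a"*) printf '%s %s\n' "$a" "$b" ;;
      esac
    done
  done
}
```

For instance, `route_for /v1/stocks` and `route_for /v1/users-export` both land on an API upstream rather than the frontend, because the prefixes do not end in a slash.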

At this stage the basic install is finished and all that’s left is to check the connectivity to the Arcadia
web application. Get the public hostname of the exposed nginx-ingress service.

Browse to the following location and verify that you can access the site: http://<INGRESS-EXTERNAL-IP>/

To get your External IP, you can run either of these 2 commands (one of them is a saved environment
variable):
• echo $nginx_ingress
• kubectl get svc --namespace=nginx-ingress

Login to the application using the following credentials:


Username: satoshi@bitcoin.com
Password: bitcoin
At the moment, we still have 2 missing key features:
1. We are serving only HTTP, not HTTPS. We want our site to be fully secured, therefore all
communications need to be encrypted.
2. We are not actively monitoring the health of the pods through the data path.

We will increase the number of pods (replicas) to 2 for each deployment:


$ kubectl apply -f files/4ingress/1arcadia_increase.yaml

💡 You’re encouraged to view the files/4ingress/1arcadia_increase.yaml file
located at /home/ubuntu/lab/files/4ingress
cat /home/ubuntu/lab/files/4ingress/1arcadia_increase.yaml

Look at the NGINX+ dashboard and click on “HTTP Upstreams”. You can see that right now all services
have two members but no health check.
3.2.5 Enable HTTPS & Health Checks Monitoring
We will enable health check & https for the applications
Copy all the below to the Web-shell to create a yaml file to store TLS certificate and key as K8s secret.
cat << EOF > tls-secret.yaml
apiVersion: v1
data:
  tls.crt:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZMRENDQkJTZ0F3SUJBZ0lTQTUrVmpoQmN3NUJKNWk0QXU2VGl0L3
h0TUEwR0NTcUdTSWIzRFFFQkN3VUEKTURJeEN6QUpCZ05WQkFZVEFsVlRNUll3RkFZRFZRUUtFdzFNWlhRbmN5QkZibU55
ZVhCME1Rc3dDUVlEVlFRRApFd0pTTXpBZUZ3MHlNVEF4TVRjeE1USXpNek5hRncweU1UQTBNVGN4TVRJek16TmFNQjR4SE
RBYUJnTlZCQU1NCkV5b3VZWEpqWVdScFlXTnllWEIwYnk1dVpYUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdB
d2dnRUsKQW9JQkFRRE1LQkNYWHdaL0xQbzNmM2pMR3IvamhNRXNTZmdrT3ErOGtOUEpxVzdPbGtCazRrZWtlaEtFVVVDQw
owUHdUazgrbnp0Skg3bzBEOUNaaEZuVW9pSGVnZkRzTURFNWFoVXh4blQ1czlmWHZvRlJqSnlYUUR0VlhvR1VQCk1ubzJl
VkdYYi81Qm1LeVNJMDVpQ3B5SCtNVC9YRHFhd3BhV2ZsTDJ5OXpZK1V2NGlkQVhsZFpDUnBVSEhOV1cKZjhPeUMvcFJiZn
dhYVYzRDJ6RjFaeHJ6Z2JIcWd3WXpkRHNnYXVkdk56N0pocytDaENxL1JQNWhMSGNkNzV5bQo1bmppTFZsVmcvYUZJS09I
T2wyZ1RFdnQ4WWdjTXdUSWgwNjRrcWpVS3g5UDBmQkpZSzNwV0ZoelhwaENHaWd1CjdTd3EyYnpGTkZabjY1SEdtSDBJY1
RLMVlNSm5BZ01CQUFHamdnSk9NSUlDU2pBT0JnTlZIUThCQWY4RUJBTUMKQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFV
SEF3RUdDQ3NHQVFVRkJ3TUNNQXdHQTFVZEV3RUIvd1FDTUFBdwpIUVlEVlIwT0JCWUVGSXhRMk9EMjhFWjVaVkNTRmNBTl
VLbEdqcTFVTUI4R0ExVWRJd1FZTUJhQUZCUXVzeGUzCldGYkxybEFKUU9ZZnI1MkxGTUxHTUZVR0NDc0dBUVVGQndFQkJF
a3dSekFoQmdnckJnRUZCUWN3QVlZVmFIUjAKY0RvdkwzSXpMbTh1YkdWdVkzSXViM0puTUNJR0NDc0dBUVVGQnpBQ2hoWm
9kSFJ3T2k4dmNqTXVhUzVzWlc1agpjaTV2Y21jdk1CNEdBMVVkRVFRWE1CV0NFeW91WVhKallXUnBZV055ZVhCMGJ5NXVa
WFF3VEFZRFZSMGdCRVV3ClF6QUlCZ1puZ1F3QkFnRXdOd1lMS3dZQkJBR0MzeE1CQVFFd0tEQW1CZ2dyQmdFRkJRY0NBUl
lhYUhSMGNEb3YKTDJOd2N5NXNaWFJ6Wlc1amNubHdkQzV2Y21jd2dnRUVCZ29yQmdFRUFkWjVBZ1FDQklIMUJJSHlBUEFB
ZHdCRQpsR1V1c083T3I4UkFCOWlvL2lqQTJ1YUN2dGpMTWJVLzB6T1d0YmFCcUFBQUFYY1FUTzdSQUFBRUF3QklNRVlDCk
lRQ3hMK0hhdnVOY1kzRU0yNllwN0JEeTA1TW8yTUxreHYrdE5nMHA0QmRVQlFJaEFOT1dIWmR1Z056UHl4MEkKOU5VWHVO
L09JaGlnS2RGMjhlMmM0TWV3dVRmVEFIVUE5bHlVTDlGM01DSVVWQmdJTUpSV2p1Tk5FeGt6djk4TQpMeUFMekU3eFpPTU
FBQUYzRUV6d3V3QUFCQU1BUmpCRUFpQWwvNEZaL1ZwR1NRV3pwdUc2Q0ljWUdHOG4wM1ZZCmRTQnFxUlFHbWUxdnVnSWdR
MXg3cnRqYXhrcDNRd3FweWhYRXJyWjhPN3lIdTF2di9pdFhWR1haZzBjd0RRWUoKS29aSWh2Y05BUUVMQlFBRGdnRUJBSn
h0Zmk1NmxxZ1RFUEJ6NE82R2xZclJYOVlnL3Y5cUMwWE1DazFSWlJWRApuRldQcTBQUFRWeWR3UTRsOVZQMWhlaTZhNUY0
R2xQOVFzaFk3TS9CRFA0SmgwR3pOYnBCY2h4Slc2MHBuUXEzCjI4WmovNzVhamVycTFxYnEvbXpIZHhGcGVzTkVON3NYbU
pzNGsrM1pOeWs3N1lXRVhsb1BDMk9STGM2MmhWWlAKdk1sYXZycmNmYWFGNTYvZkR3QzdRd2JZa3JHQzEycFZ4STMzNlFQ
SGJrRVE2SDNhWGUweE9Dem4rUnZxdXRMTwpqNjh2UVExWG5LdktLc0dCTVNGM29QaGYxZHZtbi9pZHBtK1RjdFJ3ZmUzTG
trL2JpZEJ2a2pJam5jb05HR1pTCllLSFVybmRzMWpDclRVTnI0RFgwTlY5bFNVOG5jUzdMMFBFOGxuUXYrWjg9Ci0tLS0t
RU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVaVENDQTAyZ0F3SUJBZ0lRUU
FGMUJJTVVwTWdoaklTcERCYk4zekFOQmdrcWhraUc5dzBCQVFzRkFEQS8KTVNRd0lnWURWUVFLRXh0RWFXZHBkR0ZzSUZO
cFoyNWhkSFZ5WlNCVWNuVnpkQ0JEYnk0eEZ6QVZCZ05WQkFNVApEa1JUVkNCU2IyOTBJRU5CSUZnek1CNFhEVEl3TVRBd0
56RTVNakUwTUZvWERUSXhNRGt5T1RFNU1qRTBNRm93Ck1qRUxNQWtHQTFVRUJoTUNWVk14RmpBVUJnTlZCQW9URFV4bGRD
ZHpJRVZ1WTNKNWNIUXhDekFKQmdOVkJBTVQKQWxJek1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0
NBUUVBdXdJVktNejJvSlRURHhMcwpqVldTdy9pQzhabW1la0tJcDEwbXFyVXJ1Y1ZNc2ErT2EvbDF5S1BYRDBlVUZGVTFW
NHllcUtJNUdmV0NQRUtwClRtNzFPOE11MjQzQXNGenpXVGpuN2M5cDhGb0xHNzdBbENRbGgvbzNjYk1UNXh5czRadnYyK1
E3UlZKRmxxbkIKVTg0MHlGTHV0YTd0ajk1Z2NPS2xWS3UyYlE2WHBVQTBheXZUdkdiclpqUjgrbXVMajFjcG1mZ3dGMTI2
Y20vNwpnY1d0MG9aWVBSZkg1d203OFN2M2h0ekIybkZkMUVianpLMGx3WWk4WUdkMVpyUHhHUGVpWE9aVC96cUl0a2VsCi
94TVk2cGdKZHorZFUvblBBZVgxcG5BWEZLOWpwUCtaczVPZDNGT25CdjVJaFIyaGFhNGxkYnNUekZJRDllMVIKb1l2YkZR
SURBUUFCbzRJQmFEQ0NBV1F3RWdZRFZSMFRBUUgvQkFnd0JnRUIvd0lCQURBT0JnTlZIUThCQWY4RQpCQU1DQVlZd1N3WU
lLd1lCQlFVSEFRRUVQekE5TURzR0NDc0dBUVVGQnpBQ2hpOW9kSFJ3T2k4dllYQndjeTVwClpHVnVkSEoxYzNRdVkyOXRM
M0p2YjNSekwyUnpkSEp2YjNSallYZ3pMbkEzWXpBZkJnTlZIU01FR0RBV2dCVEUKcDdHa2V5eHgrdHZoUzVCMS84UVZZSV
dKRURCVUJnTlZIU0FFVFRCTE1BZ0dCbWVCREFFQ0FUQS9CZ3NyQmdFRQpBWUxmRXdFQkFUQXdNQzRHQ0NzR0FRVUZCd0lC
RmlKb2RIUndPaTh2WTNCekxuSnZiM1F0ZURFdWJHVjBjMlZ1ClkzSjVjSFF1YjNKbk1Ed0dBMVVkSHdRMU1ETXdNYUF2b0
MyR0syaDBkSEE2THk5amNtd3VhV1JsYm5SeWRYTjAKTG1OdmJTOUVVMVJTVDA5VVEwRllNME5TVEM1amNtd3dIUVlEVlIw
T0JCWUVGQlF1c3hlM1dGYkxybEFKUU9ZZgpyNTJMRk1MR01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRk
JRY0RBakFOQmdrcWhraUc5dzBCCkFRc0ZBQU9DQVFFQTJVemd5ZldFaURjeDI3c1Q0clA4aTJ0aUVteFl0MGwrUEFLM3FC
OG9ZZXZPNEM1ejcwa0gKZWpXRUh4MnRhUERZL2xhQkwyMS9XS1p1TlRZUUhIUEQ1YjF0WGdIWGJuTDdLcUM0MDFkazVWdk
NhZFRRc3ZkOApTOE1Yam9oeWM5ejkvRzI5NDhrTGptRTZGbGg5ZERZclZZQTl4Mk8raEVQR09hRU9hMWVlUHluQmdQYXl2
VWZMCnFqQnN0ekxoV1ZRTEdBa1hYbU5zKzVablBCeHpESk9MeGhGMkpJYmVRQWNINUgwdFpyVWxvNVpZeU9xQTdzOXAKTz
ViODVvM0FNL09KK0NrdEZCUXRmdkJoY0pWZDl3dmx3UHNrK3V5T3kySEk3bU54S0tnc0JUdDM3NXRlQTJUdwpVZEhraFZO
Y3NBS1gxSDdHTk5MT0VBRGtzZDg2d3VvWHZnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  tls.key:
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0
VBQW9JQkFRRE1LQkNYWHdaL0xQbzMKZjNqTEdyL2poTUVzU2Zna09xKzhrTlBKcVc3T2xrQms0a2VrZWhLRVVVQ0MwUHdU
azgrbnp0Skg3bzBEOUNaaApGblVvaUhlZ2ZEc01ERTVhaFV4eG5UNXM5Zlh2b0ZSakp5WFFEdFZYb0dVUE1ubzJlVkdYYi
81Qm1LeVNJMDVpCkNweUgrTVQvWERxYXdwYVdmbEwyeTl6WStVdjRpZEFYbGRaQ1JwVUhITldXZjhPeUMvcFJiZndhYVYz
RDJ6RjEKWnhyemdiSHFnd1l6ZERzZ2F1ZHZOejdKaHMrQ2hDcS9SUDVoTEhjZDc1eW01bmppTFZsVmcvYUZJS09IT2wyZw
pURXZ0OFlnY013VEloMDY0a3FqVUt4OVAwZkJKWUszcFdGaHpYcGhDR2lndTdTd3EyYnpGTkZabjY1SEdtSDBJCmNUSzFZ
TUpuQWdNQkFBRUNnZ0VCQUxlRm1JeUtWb3ZDUWRmYjFoazJIYU1IOXFLNmg3OEJwbkpxK29lQXNPUXkKdXdZMVIxTzZqS1
MzYWJkdTUvc3RWM0V4QVdTNk03ZUhKVzBIUkNCQXRORG1mQ256Y2dmN1plR0lDZExuTThMSwpMTEhKUWp1SzZndFFXeWhU
SnZ1TENXYUp2VlQ0U3NFL3pibGljcDNrYWlwbm5TTDdvMlQ3ZjlidEljVkdMUjNvCklhNU1SWnZ3ZDRHZzBkakErNUIwNW
hXU3lDT3k0OHJFVzVKMUdCdC90eTBlaHhEOVVUVS9nb0ViL1Q1TXY1OVYKMWY2elNjS0lHbTh3emx5UnVZbWZwTkwrYjFk
dFVUb1NUdVA5R0loU3FWTFN1NUJpR2RTMk81MFhqOWVUQlFhRgpRZUtrN002dWdjanZtZHdzTW4vdHM1T2pvVjY0bk10Ql
NWemY1VWhJdm1rQ2dZRUE2aGQwZWFHK3J1TFhKTDQwCncreUVuUDZtTktYQkI3eVNTWkVtck1aOWxGVUFxOVdQUk9pZnQ5
Tm1vc1BGWi9QMDNBcWFhb3cxTGJmdjBMMFQKQ0hyNkJZSGhtYkNVTjJ6TExrRjZSVnI4NUhtQUxjdVhyajVEM3pZd3lZVm
VJOThzV0RZcGVsaWtnOUFnNUFtagpNc3ZBTnRYRElJQmlXTkFQQzJoWXhORisrTHNDZ1lFQTMwTm15ZDFzSi9UaFJvUFpo
K2dMNmZ0S2RySE1EWk1zCjRHZkI5K2FDTDNtR3NwU094MTlHOHJmbG9ZU2xNTE5HdnlZcGo1SGg1aHJnQXc4aGVBS3BFRm
xFVTdBcm54dVcKZmwwc2J3RkhwN05pZUZscGFPdzU2Mm9FN3c1M2pPRHBIQ1ZLSFphQ0lHZjVLSS9tQmRuVWZYZ1JzSzEx
djZMTwpJaExYMFNSM3FFVUNnWUFscUpaTlJ1NzFGWHNFNXpCMzRHSEpHOUpESC9NNHVtWlNQVzZhVnVnMjU2SFBBdkVrCl
pjUGovN2RBTWZ4YzU4c1padjlHYXIzWFdBTFZjc1ZRRlBDSjJFWWh3bDFsdVRQS2dqQVlYalhXejVFR1RQMWUKdzVlSm5o
OGxIRFp6ME9CQ1pKd3htWGNGMllLaERNZmJVUm5mK0cyR21nQzRSdWhVcm5teFYvNTBKd0tCZ0RmSAo2VWlLTDltVHp5ME
ZDRFp5ZlhlS04wS01qWVRldnBtYWt0WFRHN2VzejBDUzZWRmF0cWt4MVFlVDBvbm1ZTWlsClNrRDZtOHdYN3R3VXpiSGtT
RVV6YUdUWVlTMnhnTm8xZ1VLQ3VWcG04VFZNY1krclpaVXh1ZVhZWVhvclAxS3UKNW1PYUZRenZyVXE3R1NkaEV6djk0Yj
JZdVJDV0pwWlF5dWNRQzIxWkFvR0FKbnNGeHl4ZmFXajFEVHUxcEttNQpTSHQvL0cyRGZteHhKQ05aTFZMUHJYVDJhWmdr
NWQwMW5Zb3dydCtscCtiSXBLc09BS2MxamxtRVNwT2VaTEU1Cmk0UVV0eEs3SnV5dHNNZXdqUCtYdmc3VFNEN3d1bW95Vk
h6RS9VOTBYcldPOVJJd1VlZFpmOFg4bjVPNCtaRisKeWpqaWNlcGY1ci9DaFNhZG1jM1RwMFk9Ci0tLS0tRU5EIFBSSVZB
VEUgS0VZLS0tLS0K
kind: Secret
metadata:
  name: arcadia-wildcard
type: kubernetes.io/tls
EOF

Apply the yaml file:


$ kubectl apply -f tls-secret.yaml
Make a copy of the existing ingress-vs-only.yaml file to add TLS and health checks.
$ cp ingress-vs-only.yaml ingress-vs-https-healthchecks.yaml
$ vi ingress-vs-https-healthchecks.yaml
Add those lines which are highlighted in yellow into your yaml file.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: arcadia
spec:
  host: $nginx_ingress
  tls:
    secret: arcadia-wildcard # Represents the server certificate
    redirect:
      enable: true # Always redirect to https if incoming request is http
  upstreams:
  - name: arcadia-users
    service: arcadia-users
    port: 80
    # This is the most basic healthcheck config. For more info, follow this link:
    # https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#upstream-healthcheck
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-login
    service: arcadia-login
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stocks
    service: arcadia-stocks
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stock-transaction
    service: arcadia-stock-transaction
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-frontend
    service: arcadia-frontend
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  routes:
  - path: /v1/user
    action:
      pass: arcadia-users
  - path: /v1/login
    action:
      pass: arcadia-login
  - path: /v1/stock
    action:
      pass: arcadia-stocks
  - path: /v1/stockt
    action:
      pass: arcadia-stock-transaction
  - path: /
    action:
      pass: arcadia-frontend

Apply the yaml file:


$ kubectl apply -f ingress-vs-https-healthchecks.yaml

Alternatively, you can copy all the below to the Web-shell to create a new yaml file:
cat << EOF > ingress-vs-https-healthchecks.yaml
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: arcadia
spec:
  host: $nginx_ingress
  tls:
    secret: arcadia-wildcard
    redirect:
      enable: true
  upstreams:
  - name: arcadia-users
    service: arcadia-users
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-login
    service: arcadia-login
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stocks
    service: arcadia-stocks
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stock-transaction
    service: arcadia-stock-transaction
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-frontend
    service: arcadia-frontend
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  routes:
  - path: /v1/user
    action:
      pass: arcadia-users
  - path: /v1/login
    action:
      pass: arcadia-login
  - path: /v1/stock
    action:
      pass: arcadia-stocks
  - path: /v1/stockt
    action:
      pass: arcadia-stock-transaction
  - path: /
    action:
      pass: arcadia-frontend
EOF

Apply the yaml file:


$ kubectl apply -f ingress-vs-https-healthchecks.yaml

Browse to the Arcadia website with HTTP and you will be automatically redirected to HTTPS.
Verify the HTTP Upstreams in NGINX+ Dashboard and observe that NGINX+ has started health
monitoring for the pods.
3.2.6 Using VirtualServer and VirtualServerRoute CRDs
Finally, we will explore the use of the VirtualServer and VirtualServerRoute CRDs, which are the key
feature of the NGINX+ Ingress Controller.
Review the existing ingress resource which only uses VirtualServer CRD and observe the differences
(highlighted in yellow):
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: arcadia
spec:
  host: $nginx_ingress
  tls:
    secret: arcadia-wildcard
    redirect:
      enable: true
  upstreams:
  - name: arcadia-users
    service: arcadia-users
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-login
    service: arcadia-login
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stocks
    service: arcadia-stocks
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stock-transaction
    service: arcadia-stock-transaction
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-frontend
    service: arcadia-frontend
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  routes:
  - path: /v1/user
    action:
      pass: arcadia-users
  - path: /v1/login
    action:
      pass: arcadia-login
  - path: /v1/stock
    action:
      pass: arcadia-stocks
  - path: /v1/stockt
    action:
      pass: arcadia-stock-transaction
  - path: /
    action:
      pass: arcadia-frontend

Copy all the below to the Web-shell to create a yaml file with VirtualServer and VirtualServerRoute
CRDs. Review the below ingress resource yaml file which uses both VirtualServer and
VirtualServerRoute CRDs and observe the differences (highlighted in yellow).

cat << EOF > ingress-vs-vsr.yaml
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: arcadia
spec:
  host: $nginx_ingress
  tls:
    secret: arcadia-wildcard
    redirect:
      enable: true
  upstreams:
  - name: arcadia-frontend
    service: arcadia-frontend
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  routes:
  - path: /
    action:
      pass: arcadia-frontend
  - path: /v1
    route: default/arcadia-v1

---

apiVersion: k8s.nginx.org/v1
kind: VirtualServerRoute
metadata:
  name: arcadia-v1
spec:
  host: $nginx_ingress
  upstreams:
  - name: arcadia-users
    service: arcadia-users
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-login
    service: arcadia-login
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stocks
    service: arcadia-stocks
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  - name: arcadia-stock-transaction
    service: arcadia-stock-transaction
    port: 80
    healthCheck:
      enable: true
      path: /healthz
  subroutes:
  - path: /v1/user
    action:
      pass: arcadia-users
  - path: /v1/login
    action:
      pass: arcadia-login
  - path: /v1/stock
    action:
      pass: arcadia-stocks
  - path: /v1/stockt
    action:
      pass: arcadia-stock-transaction
EOF

Apply the yaml file:


$ kubectl apply -f ingress-vs-vsr.yaml

Verify the deployed Custom Resource Definitions (CRDs)


$ kubectl get crd

Verify the deployed VirtualServer CRD


$ kubectl get virtualservers.k8s.nginx.org --all-namespaces

Verify the deployed VirtualServerRoute CRD


$ kubectl get virtualserverroutes.k8s.nginx.org --all-namespaces
Verify the HTTP Upstreams in NGINX+ Dashboard. Observe the difference from the previous
Dashboard view, which only used the VirtualServer CRD.

End
