Kubernetes Ingress objects are used to manage HTTP(S) access from the internet to services inside the Kubernetes cluster. Among other things, they let us do the following:
We use the nginx-ingress provider to handle our Ingress needs.
We run on Google Cloud’s Kubernetes Engine. Even though GKE comes pre-installed with the Google Cloud Load Balancer Ingress provider, we decided to use nginx instead for the following reasons:
nginx-ingress is installed using the nginx-ingress helm chart. This installs the following components:
nginx-ingress-controller
nginx-ingress-default-backend
The specific ways these have been configured can be seen in the mybinder/values.yaml file in this repo, under nginx-ingress.
Ingress objects are used to tell the ingress controllers which requests should be routed to which Service objects. Usually, the rules check for a hostname (like mybinder.org or prometheus.mybinder.org), a URL prefix (like /metrics or /docs), or both. You can see all the ingress objects present with kubectl --namespace=prod get ingress.
The following ingress objects currently exist:
jupyterhub
hub.mybinder.org
binderhub
redirector
docs.mybinder.org
beta.mybinder.org
mybinder/templates/redirector
static
static.mybinder.org
static.mybinder.org/badge.svg
prometheus-server
prometheus
config/prod.yaml
grafana
grafana.mybinder.org
kube-lego-nginx
We use Let’s Encrypt for all our HTTPS certificates. Kube Lego is used to automatically provision and maintain HTTPS certificates for us.
Note: kube-lego is deprecated, and we should move to cert-manager soon.
kube-lego is installed using the kube-lego helm chart.
kube-lego requires Ingress objects to have specific annotations and tls values, as described in the kube-lego documentation. We specify these for all our ingress objects, mostly by customizing various helm charts in mybinder/values.yaml.
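One way to check this requirement across all ingress objects, as an added example that is not code from this repo. It assumes kube-lego's `kubernetes.io/tls-acme` annotation and runs over a constructed sample shaped like the output of `kubectl --namespace=prod get ingress -o json`; the secret names and the deliberately broken entries are made up for illustration.

```python
import json

ACME_ANNOTATION = "kubernetes.io/tls-acme"  # annotation kube-lego watches for

# Constructed sample, shaped like `kubectl --namespace=prod get ingress -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "grafana",
                "annotations": {"kubernetes.io/tls-acme": "true"}},
   "spec": {"rules": [{"host": "grafana.mybinder.org"}],
            "tls": [{"hosts": ["grafana.mybinder.org"], "secretName": "grafana-tls"}]}},
  {"metadata": {"name": "static", "annotations": {}},
   "spec": {"rules": [{"host": "static.mybinder.org"}],
            "tls": [{"hosts": ["static.mybinder.org"], "secretName": "static-tls"}]}},
  {"metadata": {"name": "redirector",
                "annotations": {"kubernetes.io/tls-acme": "true"}},
   "spec": {"rules": [{"host": "docs.mybinder.org"}, {"host": "beta.mybinder.org"}],
            "tls": [{"hosts": ["docs.mybinder.org"]}]}}
]}
""")


def audit_ingresses(ingress_list):
    """Return (ingress name, problem) pairs for objects kube-lego would skip or only partly cover."""
    findings = []
    for item in ingress_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        name = meta.get("name", "<unnamed>")
        annotations = meta.get("annotations") or {}
        if annotations.get(ACME_ANNOTATION) != "true":
            findings.append((name, f'missing {ACME_ANNOTATION}: "true"'))
        tls_entries = spec.get("tls") or []
        covered = set()
        for entry in tls_entries:
            if not entry.get("secretName"):
                findings.append((name, "tls entry without secretName"))
            covered.update(entry.get("hosts") or [])
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if host and host not in covered:
                findings.append((name, f"host {host} not listed under tls"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_ingresses(SAMPLE):
        print(f"{name}: {problem}")
```

Against the live cluster, feed the function the parsed JSON from the kubectl command instead of SAMPLE; an empty result means every routed hostname has the annotation and a tls entry with a secret.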
Let’s Encrypt uses accounts to keep track of HTTPS certificates & expiry dates. Currently, the account is registered to yuvipanda@gmail.com, mostly as a historical accident. Changing it requires some amount of care to make sure we do not suffer intermittent HTTPS failure, and should be done whenever we switch to cert-manager.