Kubernetes Ingress

Running Aralez inside a Kubernetes cluster as a lightweight ingress proxy

This guide walks you through setting up Aralez inside a Kubernetes cluster as a lightweight service mesh. We’ll create the necessary ServiceAccount, apply the right RBAC roles, and deploy Aralez as a Kubernetes Deployment with an exposed Service.

Step 1: Create a Service Account

Aralez needs a ServiceAccount with permissions to watch Kubernetes resources like pods, endpoints, and services.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: aralez-sa

Step 2: Define RBAC Permissions

Aralez requires read-only access to Kubernetes resources within a namespace.

Role (scoped to a single namespace):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: aralez-role
rules:
  - apiGroups: [ "" ]
    resources: [ "pods", "endpoints", "services" ]
    verbs: [ "get", "list", "watch" ]

RoleBinding (attach Role to the ServiceAccount):

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: aralez-binding
subjects:
  - kind: ServiceAccount
    name: aralez-sa
roleRef:
  kind: Role
  name: aralez-role
  apiGroup: rbac.authorization.k8s.io

Step 3: Deploy Aralez

ConfigMaps for main.yaml and upstreams.yml

main.yml example:

threads: 12
daemon: false
upstream_keepalive_pool_size: 500
pid_file: /tmp/aralez.pid
error_log: /tmp/aralez_err.log
upgrade_sock: /tmp/aralez.sock
config_api_enabled: false
config_address: 127.0.0.1:3000
proxy_address_http: 0.0.0.0:80
proxy_address_tls: 0.0.0.0:443
proxy_certificates: /etc/aralez/certs
proxy_tls_grade: high
upstreams_conf: /etc/aralez/config/upstreams.yml
log_level: info
hc_method: HEAD
hc_interval: 2
master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774

upstreams.yml example:

provider: "kubernetes"
sticky_sessions: false
to_https: false
rate_limit: 100
headers:
  - "Access-Control-Allow-Origin:*"
  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
  - "Access-Control-Max-Age:86400"
  - "Strict-Transport-Security:max-age=31536000; includeSubDomains; preload"
kubernetes:
  services:
    - hostname: "vt-webapi-service"
      path: "/"
      upstream: "vt-webapi-service"
    - hostname: "vt-webapi-service"
      upstream: "vt-console-service"
      path: "/one"
      headers:
        - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
        - "X-Proxy-From:Aralez"
      rate_limit: 100
      to_https: false
    - hostname: "vt-webapi-service"
      upstream: "vt-rambulik-service"
      path: "/two"
    - hostname: "vt-websocket-service"
      upstream: "vt-websocket-service"
      path: "/"
  tokenpath: "/var/run/secrets/kubernetes.io/serviceaccount/token"

Apply ConfigMaps:

kubectl -n staging create configmap aralez-main-config --from-file=main.yaml=./main.yaml
kubectl -n staging create configmap aralez-upstreams-config --from-file=upstreams.yml=./upstreams.yaml

TLS Certificate Secret

apiVersion: v1
kind: Secret
metadata:
  name: aralez-tls
type: kubernetes.io/tls
data:
  tls.crt: <base64-cert>
  tls.key: <base64-key>

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aralez
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aralez
  template:
    metadata:
      labels:
        app: aralez
    spec:
      serviceAccountName: aralez-sa
      containers:
        - name: aralez
          image: sadoyan/aralez:latest
          ports:
            - containerPort: 80
            - containerPort: 443
          volumeMounts:
            - name: main-config
              mountPath: /etc/aralez/main.yaml
              subPath: main.yaml
              readOnly: true
            - name: upstreams-config
              mountPath: /etc/aralez/config/upstreams.yml
              subPath: upstreams.yml
              readOnly: true
            - name: tls-certs
              mountPath: /etc/aralez/certs
              readOnly: true
      volumes:
        - name: main-config
          configMap:
            name: aralez-main-config
        - name: upstreams-config
          configMap:
            name: aralez-upstreams-config
        - name: tls-certs
          secret:
            secretName: aralez-tls

Service

apiVersion: v1
kind: Service
metadata:
  name: aralez-service
spec:
  type: NodePort
  selector:
    app: aralez
  ports:
    - name: http
      port: 80
      targetPort: 80
    - name: https
      port: 443
      targetPort: 443

Step 4: Expose Aralez

ClusterIP (internal access only):

apiVersion: v1
kind: Service
metadata:
  name: aralez
  namespace: default
spec:
  selector:
    app: aralez
  ports:
    - port: 80
      targetPort: 80

NodePort or LoadBalancer (external access):

spec:
  type: NodePort   # Use LoadBalancer if running in a cloud environment

Aralez is now running inside your Kubernetes cluster with the right permissions and is accessible through a Kubernetes Service.