Charmed Temporal K8s Tutorial - Deploy Nginx Ingress Integrator

Deploy Nginx Ingress Integrator

This is part of the Charmed Temporal Tutorial. Please refer to this page for more information and the overview of the content.

The Charmed Temporal K8s operator exposes its service ports using the Nginx Ingress Integrator operator, which requires us to deploy an Nginx Ingress Controller as described below.

Enable TLS

To enable TLS connections, you must have a TLS certificate stored as a k8s secret (default name is “temporal-tls”). The secret name can be configured using the tls-secret-name config property in the charm. A self-signed certificate for development purposes can be created as follows:

# Generate private key
openssl genrsa -out server.key 2048

# Generate a certificate signing request
openssl req -new -key server.key -out server.csr -subj "/CN=temporal-k8s"

# Create self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile <(printf "subjectAltName=DNS:temporal-k8s")

# Create a k8s secret
kubectl -n temporal-model create secret tls temporal-tls --cert=server.crt --key=server.key

Deploy

To deploy Charmed Temporal Web UI, you need to run the following commands, which will enable ingress in your microk8s, fetch the charm from Charmhub and deploy it to your model:

# Deploy ingress controller.
sudo microk8s enable ingress:default-ssl-certificate=temporal-model/temporal-tls

juju deploy nginx-ingress-integrator --channel edge --revision 71 --trust

Wait until the application is ready - when it is ready, juju status will show:

Model           Controller           Cloud/Region        Version  SLA          Timestamp
temporal-model  temporal-controller  microk8s/localhost  3.1.5    unsupported  16:46:18+03:00

App                       Version  Status  Scale  Charm                     Channel    Rev  Address         Exposed  Message
nginx-ingress-integrator  25.3.0   active      1  nginx-ingress-integrator  edge        71  10.152.183.203  no
postgresql-k8s            14.7     active      1  postgresql-k8s            14/stable   73  10.152.183.250  no       Primary
temporal-admin-k8s                 active      1  temporal-admin-k8s        stable       4  10.152.183.21   no
temporal-k8s                       active      1  temporal-k8s              stable       9  10.152.183.191  no
temporal-ui-k8s                    active      1  temporal-ui-k8s           stable       8  10.152.183.135  no

Unit                         Workload  Agent  Address      Ports   Message
nginx-ingress-integrator/0*  active    idle   10.1.232.73
postgresql-k8s/0*            active    idle   10.1.232.66          Primary
temporal-admin-k8s/0*        active    idle   10.1.232.71
temporal-k8s/0*              active    idle   10.1.232.64
temporal-ui-k8s/0*           active    idle   10.1.232.72

Relate Temporal Server and Web UI to Nginx Ingress Integrator

To relate the two charms together, run the following command:

juju relate temporal-k8s nginx-ingress-integrator
juju relate temporal-ui-k8s nginx-ingress-integrator

Wait until the two charms have been related and settled - when ready, juju status will show:

Model           Controller           Cloud/Region        Version  SLA          Timestamp
temporal-model  temporal-controller  microk8s/localhost  3.1.5    unsupported  16:56:43+03:00

App                       Version  Status  Scale  Charm                     Channel    Rev  Address         Exposed  Message
nginx-ingress-integrator  25.3.0   active      1  nginx-ingress-integrator  edge        71  10.152.183.203  no       Ingress IP(s): 127.0.0.1, 127.0.0.1, Service IP(s): 10.152.183.172, 10.152.183.235
postgresql-k8s            14.7     active      1  postgresql-k8s            14/stable   73  10.152.183.250  no       Primary
temporal-admin-k8s                 active      1  temporal-admin-k8s        stable       4  10.152.183.21   no
temporal-k8s                       active      1  temporal-k8s              stable       9  10.152.183.191  no
temporal-ui-k8s                    active      1  temporal-ui-k8s           stable       8  10.152.183.135  no

Unit                         Workload  Agent  Address      Ports   Message
nginx-ingress-integrator/0*  active    idle   10.1.232.73          Ingress IP(s): 127.0.0.1, 127.0.0.1, Service IP(s): 10.152.183.172, 10.152.183.235
postgresql-k8s/0*            active    idle   10.1.232.66          Primary
temporal-admin-k8s/0*        active    idle   10.1.232.71
temporal-k8s/0*              active    idle   10.1.232.64
temporal-ui-k8s/0*           active    idle   10.1.232.72

Relation provider                     Requirer                       Interface          Type     Message
nginx-ingress-integrator:nginx-route  temporal-k8s:nginx-route       nginx-route        regular
nginx-ingress-integrator:nginx-route  temporal-ui-k8s:nginx-route    nginx-route        regular
postgresql-k8s:database               temporal-k8s:db                postgresql_client  regular
postgresql-k8s:database               temporal-k8s:visibility        postgresql_client  regular
postgresql-k8s:database-peers         postgresql-k8s:database-peers  postgresql_peers   peer
postgresql-k8s:restart                postgresql-k8s:restart         rolling_op         peer
temporal-admin-k8s:admin              temporal-k8s:admin             temporal           regular
temporal-k8s:peer                     temporal-k8s:peer              temporal           peer
temporal-ui-k8s:peer                  temporal-ui-k8s:peer           temporal           peer
temporal-ui-k8s:ui                    temporal-k8s:ui                temporal           regular

Verify Ingress Resource

To verify the ingress resources were correctly created, you can run the following command:

kubectl describe ingress -n temporal-model

The output should look similar to the following (with the exception of the service IP addresses):

Name:             temporal-k8s-ingress
Labels:           app.juju.is/created-by=nginx-ingress-integrator
                  nginx-ingress-integrator.charm.juju.is/managed-by=nginx-ingress-integrator
Namespace:        temporal-model
Address:          127.0.0.1
Ingress Class:    public
Default backend:  <default>
TLS:
  temporal-tls terminates temporal-k8s
Rules:
  Host          Path  Backends
  ----          ----  --------
  temporal-k8s
                /   temporal-k8s-service:7233 (10.1.232.64:7233)
Annotations:    nginx.ingress.kubernetes.io/backend-protocol: GRPC
                nginx.ingress.kubernetes.io/proxy-body-size: 20m
                nginx.ingress.kubernetes.io/proxy-read-timeout: 60
                nginx.ingress.kubernetes.io/rewrite-target: /
Events:         <none>


Name:             temporal-ui-k8s-ingress
Labels:           app.juju.is/created-by=nginx-ingress-integrator
                  nginx-ingress-integrator.charm.juju.is/managed-by=nginx-ingress-integrator
Namespace:        temporal-model
Address:          127.0.0.1
Ingress Class:    public
Default backend:  <default>
TLS:
  temporal-tls terminates temporal-ui-k8s
Rules:
  Host             Path  Backends
  ----             ----  --------
  temporal-ui-k8s
                   /   temporal-ui-k8s-service:8080 (10.1.232.72:8080)
Annotations:       nginx.ingress.kubernetes.io/backend-protocol: HTTP
                   nginx.ingress.kubernetes.io/proxy-body-size: 20m
                   nginx.ingress.kubernetes.io/proxy-read-timeout: 60
                   nginx.ingress.kubernetes.io/rewrite-target: /
Events:            <none>

Connect Ingress

Once deployed and related, find the IP of the ingress controller by running the following command:

kubectl get pods -n ingress -o wide

You should see something similar to the following output:

NAME                                      READY   STATUS    RESTARTS          AGE    IP           NODE      NOMINATED NODE   READINESS GATES
nginx-ingress-microk8s-controller-mfmtx   1/1     Running   512 (3h15m ago)   145d   10.1.232.8   ubuntu   <none>           <none>

Take note of the ingress controller IP address and add the IP-to-hostname mapping in your /etc/hosts file as follows:

sudo nano /etc/hosts

# Add the following entries
10.1.232.8     temporal-k8s
10.1.232.8     temporal-ui-k8s

By default, the hostname will be set to the respective application names temporal-k8s and temporal-ui-k8s. You can then connect a Temporal client through this hostname i.e. Client.connect("temporal-k8s").

See next: Deploy Temporal Worker