Ingress
Xsolla Backend requires an ingress controller in order to expose its REST API, administration console, databases and other tools to the outside world. Most Kubernetes distributions do not include an ingress controller out of the box and there are many options to choose from.
Supported Ingress Controllers
ingress-nginx (https://github.com/kubernetes/ingress-nginx), version v1.0.0 and higher
Configuration
The Xsolla Backend engine takes advantage of several important web technologies including the following:
HTTP2
Proxy Protocol
Source IP Forwarding
TLS 1.2 or newer
WebSockets
It is therefore recommended that these features be enabled in the deployed ingress controller.
Depending on where you host your Kubernetes cluster, the settings may differ per provider.
Installation for AWS
When installing ingress-nginx on an AWS EC2 or EKS-based Kubernetes cluster, use the following installation commands:
# Add the ingress-nginx chart repository and refresh the local index
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
# Install three controller replicas behind an AWS NLB, with TLS limited to 1.2 and 1.3.
# allowSnippetAnnotations=true lets Ingress objects inject raw NGINX configuration
# through annotations, so restrict who can create or edit Ingress resources.
helm install nginx ingress-nginx/ingress-nginx \
  --namespace nginx \
  --create-namespace \
  --set rbac.create=true \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-cross-zone-load-balancing-enabled"="true" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-backend-protocol"="tcp" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-connection-idle-timeout"="60" \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/aws-load-balancer-type"="nlb" \
  --set controller.replicaCount=3 \
  --set-string controller.allowSnippetAnnotations=true,controller.config.use-forward-headers=true,controller.config.compute-full-forward-for=true,controller.config.ssl-protocols="TLSv1.2 TLSv1.3",controller.config.ssl-ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384"
Installation for Proxy Protocol
The following installation commands are for providers that support proxy protocol, such as bare metal providers and some public clouds:
# Add the ingress-nginx chart repository and refresh the local index
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
# externalTrafficPolicy=Local keeps the client source IP at the Service.
# use-proxy-protocol=true makes NGINX expect a PROXY protocol header on every
# connection, so the load balancer in front must send it. The annotation below
# is the DigitalOcean one; other providers use their own annotation.
helm install nginx ingress-nginx/ingress-nginx \
  --namespace nginx \
  --create-namespace \
  --set rbac.create=true \
  --set controller.service.externalTrafficPolicy=Local \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/do-loadbalancer-enable-proxy-protocol=true" \
  --set controller.replicaCount=3 \
  --set-string controller.allowSnippetAnnotations=true,controller.config.use-proxy-protocol=true,controller.config.use-forward-headers=true,controller.config.compute-full-forward-for=true,controller.config.ssl-protocols="TLSv1.2 TLSv1.3",controller.config.ssl-ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384"
Installation for Other
When installing the ingress-nginx controller on other providers where proxy protocol is not available, use the following commands:
# Add the ingress-nginx chart repository and refresh the local index
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
# externalTrafficPolicy=Local keeps the client source IP at the Service.
# use-forward-headers=true makes NGINX pass on incoming X-Forwarded-* headers,
# so whatever sits in front of the controller must set or strip them;
# otherwise clients can supply their own values.
helm install nginx ingress-nginx/ingress-nginx \
  --namespace nginx \
  --create-namespace \
  --set rbac.create=true \
  --set controller.service.externalTrafficPolicy=Local \
  --set controller.replicaCount=3 \
  --set-string controller.allowSnippetAnnotations=true,controller.config.use-forward-headers=true,controller.config.compute-full-forward-for=true,controller.config.ssl-protocols="TLSv1.2 TLSv1.3",controller.config.ssl-ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384"
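
To confirm that a deployed controller still carries the settings the three install variants above apply, the following added example (not part of the original page or of Xsolla's tooling) audits the controller ConfigMap data. The function name `audit_ingress_config`, the "key: value" input format and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Audits ingress-nginx controller
# ConfigMap data, read from stdin as "key: value" lines, against the settings
# this page's install commands apply. $1 is "proxy" for the proxy-protocol
# install and anything else for the AWS/Other installs. Prints one line per
# deviation; the exit status is 0 only when there are none.
audit_ingress_config() (
  mode="$1"; protocols=""; forward=""; full=""; proxy="false"; bad=0
  while IFS= read -r line; do
    key="${line%%:*}"
    val="${line#*:}"                                  # text after first colon
    val="${val# }"; val="${val#\"}"; val="${val%\"}"  # trim space and quotes
    case "$key" in
      ssl-protocols)            protocols="$val" ;;
      use-forward-headers)      forward="$val" ;;
      compute-full-forward-for) full="$val" ;;
      use-proxy-protocol)       proxy="$val" ;;
    esac
  done
  fail() { echo "FAIL: $1"; bad=1; }

  # The page requires TLS 1.2 or newer: every listed protocol must qualify.
  [ -n "$protocols" ] || fail "ssl-protocols is not set explicitly"
  for p in $protocols; do
    case "$p" in
      TLSv1.2|TLSv1.3) ;;
      *) fail "ssl-protocols allows $p" ;;
    esac
  done
  [ "$forward" = "true" ] || fail "use-forward-headers is not true"
  [ "$full" = "true" ] || fail "compute-full-forward-for is not true"
  if [ "$mode" = "proxy" ]; then
    [ "$proxy" = "true" ] || fail "use-proxy-protocol is not true"
  else
    # NGINX would then expect a PROXY header the load balancer never sends.
    [ "$proxy" != "true" ] || fail "use-proxy-protocol is true without proxy mode"
  fi
  [ "$bad" -eq 0 ]
)

# Constructed sample: an "Other" install where TLS 1.1 was re-enabled.
SAMPLE='ssl-protocols: TLSv1.1 TLSv1.2 TLSv1.3
use-forward-headers: "true"
compute-full-forward-for: "true"'
printf '%s\n' "$SAMPLE" | audit_ingress_config other || echo "audit failed"
```

To audit a live cluster, pipe in the ConfigMap data, for example with `kubectl -n nginx get configmap <controller-configmap-name> -o go-template='{{range $k, $v := .data}}{{$k}}: {{$v}}{{"\n"}}{{end}}'`, where the ConfigMap name is a placeholder to fill in.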