User Guide
The guide contains information on how to use the ngrok Kubernetes Operator. This is the place to start if you have the operator installed and want to use it to add ingress, gateways, routes, and other ngrok features to your clusters' apps and services.
Start by reading the ingress-to-edge-relationship documentation to understand how ingress, gateway, and route objects are converted into ngrok edges.
For see or contribute a specific example, file a PR in the examples section of our repo see.
TLS and HTTPS
For http based traffic, the ngrok Kubernetes Operator will and can only provide HTTPS secured traffic. This is because the controller is responsible for creating the ngrok tunnel and edge, and ngrok only supports HTTPS for http traffic. By default if you use a standard ngrok subdomain, all traffic will be over https. If you are using a custom domain, please see the custom domain documentation for more details.
Additionally, TLS Edges may be supported soon in the future!
IP Restrictions
IPPolicy modules are currently only supported with the Operator.
ngrok offers the ability to restrict access to your edges by IP address via IP Restrictions. These are configurable via the IPPolicy CRD and can be attached to Ingress objects via NgrokModuleSet.
Modules
ngrok's Cloud Edge Modules allow you to configure features like compression, IP Restrictions, OAuth, adding/removing headers, and more.
These modules are currently only supported with the ingress controller. The Gateway API supports some of these capabilities using route rules
Design
Reusable
NgrokModuleSets are designed to be reusable. This allows you to define a set of modules and their configuration once and apply it to multiple Ingresses. Ex:
Loading…
In this example, the compression, tlsTermination, and headers modules are applied to both Ingresses and the same configuration is used for both. If you change the configuration of the NgrokModuleSet, the change will be applied to all Ingresses that use it.
Composable
NgrokModuleSets are designed to be composable. If multiple NgrokModuleSets are applied to an Ingress and a module is configured in more than one, the last one wins. Ex:
Loading…
In this example, the result is the compression module is enabled since module-set-2 was supplied last. If however,
the annotation is k8s.ngrok.com/modules: module-set-2,module-set-1 the order will result in the compression module
being disabled since module-set-1 is supplied last and overrides the value of enabled from module-set-2.
RBAC
Since NgrokModuleSets are Kubernetes Resources(Custom Resources), you can use RBAC to control who can create, update, get, list, delete them. This
allows you to control who can create and manage NgrokModuleSets, while being more permissive with Ingresses and allowing teams to self-service
using pre-made configurations.
Supported Modules
Circuit Breaker
Circuit breakers are used to protect upstream servers by rejecting traffic to them when they become overwhelmed.
Loading…
Compression
If an HTTP request includes an Accept-Encoding header, HTTP responses will be automatically compressed and a Content-Encoding response header will be added.
Enabled
Loading…
Disabled
Loading…
Headers
Request
The Request Headers module allows you to add and remove headers from HTTP requests before they are sent to your upstream server.
Loading…
Response
The Response Headers module allows you to add and remove headers from HTTP responses before they are returned to the client.
Loading…
IP Restrictions
IP Restrictions allow you to attach one or more IP policies to the route.
Policies may be specified by either their ID in the ngrok API or by the name of an ippolicy.ingress.k8s.ngrok.com Custom Resource if managed by the ingress controller.
Loading…
OAuth
The OAuth module enforces an OAuth authentication flow in front of any route it is enabled on.
Ngrok Managed OAuth Application
Google
Loading…
User Managed OAuth Application
Google
Loading…
OpenID Connect (OIDC)
The OIDC module restricts endpoint access to only users authorized by a OpenID Identity Provider.
Loading…
SAML
The SAML module restricts endpoint access to only users authorized by a SAML IdP.
TLS Termination
Allows you to configure whether ngrok terminates TLS traffic at its edge or forwards the TLS traffic through unterminated.
Loading…
Mutual TLS
This mutual TLS (mTLS) module performs authentication when the ngrok edge terminates TLS on incoming connections to your HTTP endpoint. The client must present a valid TLS certificate that is signed by one of the specified CAs or the connection will be rejected.
Loading…
Webhook Verification
The webhook verification module allows ngrok to assert requests to your endpoint originate from a supported webhook provider like Slack or Github.
Loading…
Configuring Multiple Modules
The following NgrokModuleSet named example:
- Enables a circuit breaker
- Enables compression
- Adds and removes headers from both the request and response
- Restricts access to the route to a list of trusted IPs defined in
policy-1 - Uses a ngrok managed OAuth application to authenticate users
- Configures TLS termination
Loading…
Traffic Policy
Traffic policies for inbound and outbound traffic can simplify edge management.
Traffic Policy is currently in preview. Breaking changes may occur at any time with no notice, including changes to the structure of policy documents, the behaviors of policies, and the pricing of this feature.
Design
NgrokTrafficPolicy objects can be defined with rules composed of expressions and actions that validate and filter traffic via the policy engine.
Loading…
Learn more about the policy expressions and actions here:
Ingress Composition
Traffic policies can be added to Ingress objects using annotations.
Loading…
Using both an NgrokModuleSet and an NgrokTrafficPolicy will result in an error.
Ingress is currently limited to a max of one traffic policy in your traffic policy annotation list.
Gateway Composition
Traffic policies can be added to Gateway HTTPRoute objects using an ExtensionRef filter.
Loading…
TCP and TLS Edges
ngrok offers TCP and TLS Edges which can be used to provide ingress to TCP or TLS based services. Both are implemented as CRDs and function similarly in broad strokes, albeit with slightly different configuration options offered. Their CRD reference is a useful companion to this guide.
While these edges and tunnels can be managed via the CRDs, the operator is capable of exposing kubernetes Service resources to the internet. This is done by creating a ngrok tunnel and edge for the service. The controller will automatically create a ngrok tunnel and edge for the service when the service is created or updated. The controller will also automatically delete the ngrok tunnel and edge when the service is deleted.
TCP LoadBalancer
By default, services of type LoadBalancer are exposed using a ngrok TCP Edge. A reserved address is automatically created for the service and the service's status will be updated with the reserved address. Other projects like external-dns can be used to create a CNAME record for the reserved address automatically.
Example
Loading…
Modules
The k8s.ngrok.com/modules annotation can be used to specify the ngrok modules to use for the service. The following modules are available for TCP
services:
If other modules are supplied that are not supported by the TCP edge, the controller will ignore them.
TLS LoadBalancer
Example
Note: the k8s.ngrok.com/domain annotation is required to use TLS and will expose the service as a TLS Edge.
Once the reserved domain is ready and the TLSEdge is created, the service's status will be updated with the ngrok address. Other projects like external-dns can be used to create a CNAME record for the reserved domain automatically.
Loading…
Modules
The k8s.ngrok.com/modules annotation can be used to specify the ngrok modules to use for the service. The following modules are available for TLS
services:
If other modules are supplied that are not supported by the TLS edge, the controller will ignore them.
Manual management via CRDs
While using services is recommended for simplicity, TCP and TLS edges and tunnels can be managed manually via the operator.
(TLS Only) Get a Domain
At least one hostports must be specified when creating a TLSEdge resource,
which takes the form <fqdn>:443. The fully qualified domain name must first be
reserved either via the ngrok dashboard or the Domain CRD.
Example:
Loading…
Create the Edge
Create the edge CRD. These resources are fairly similar, and both require you to
specify a TunnelGroupBackend. This consists of a
list of labels that determine which specific Tunnel should
receive traffic from the edge. Both may also specify IP
Policies for limiting access
to the edge. At the time of writing, these policies must be provided as a
reference in the form ipp_<id>.
On top of the options available to TCP Edges, TLS Edges support (and require) a few other options:
- (required)
hostports: A list of"<fqdn>:443"strings declaring the list of reserved domains for the edge to listen on. tlsTermination: Configure the TLS Termination behavior. TheterminateAtfield may be set toupstreamto pass the encrypted stream to the Tunnel backend, oredgeto terminate the TLS stream at the ngrok edge, and pass plaintext bytes to the Tunnel.mutualTls: Configure client certificate validation at the edge. Requires a reference to a Certificate Authority.
TCP Example:
Loading…
TCP Edges currently do not support providing a reserved TCP address. Therefore, one will be allocated upon edge creation. This can be viewed by checking the status of the resource:
Loading…
TLS Example:
Loading…
Start the Tunnel
Finally, create a Tunnel to receive and forward traffic for your edge.
Important fields:
forwardsTo: The<hostname>:<port>to forward traffic to. This can be any hostname resolvable and accessible from the ingress controller pod.labels: a map of labels corresponding to the edge to receive traffic for. These must match the labels specified when creating your edge.backend.protocol: The protocol understood by the backend service.TCPwill forward connections to the backend as-is, whileTLSwill create a TLS connection to the backend first, and then forward the connection stream over that.
Example:
Loading…
Full Example
This is an example of using a TLS Edge to expose the kubernetes control plane via ngrok.
Loading…
Check the status of your resources:
Loading…
Our domain and edge both have IDs allocated, so we know they've been created successfully!
Edit your kubeconfig and replace the server with
https://tlsedgetest.ngrok.app, comment out certificate-authority-data and
add insecure-skip-tls-verify: true to your cluster config. This is needed
because kubernetes is completing the TLS handshake with its own certificate,
which won't be valid for your ngrok domain.
Use kubectl cluster-info to verify that everything is still working:
Loading…
Agent Endpoints
Agent Endpoints along with Cloud Endpoints are the successors to Edges. Agent Endpoints are ephemeral and tied to the lifetime of the ngrok agent.
Using Agent Endpoints, you can easily expose your Kubernetes services to internet, or use .internal domains to allow other ngrok endpoints to route to them internally without exposing them to the public internet.
The ngrok kubernetes operator ensures that you always have a set of Agent Endpoints according to the configuration of any and all AgentEndpoint custom resources (AgentEndpoint CRD reference). you have applied. You may see the ID's of any agent endpoints
within the ngrok dashboard change over time if they are managed by the operator whenever the operator is restarted, but their configuraiton and availability will always be consistent so long as the operator is running.
See the ngrok agent CLI configuration page, for more information about using the CLI to start agent endpoints outside of Kubernetes.
Note: Agent Endpoints are currently in feature-preview for the ngrok Kubernetes operator. You will need to use --version 0.17.0-rc.1 (or newer) when using
helm to install or update the operator. See the deployment guide for information about installing
the ngrok Kubernetes operator.
HTTP Endpoints
This Agent Endpoint accepts cleartext HTTP connections at http://example-http-domain.ngrok.io, and forwards to the kubernetes service test-service.default on port 8080 over cleartext HTTP.
While the public url is http://, the upstream.url does not need to also use http://. You can forward traffic to HTTPS or cleartext HTTP upstream urls.
Loading…
HTTPS Endpoints
This Agent Endpoint accepts HTTPS connections at https://example-https-domain.ngrok.io, terminates TLS, and forwards to the kubernetes service test-service.default on port 8443 over HTTPS.
While the public url is https://, the upstream.url does not need to also use https://. You can forward traffic to HTTPS or cleartext HTTP upstream urls.
Loading…
The following example showcases forwarding traffic to a publicy routable url outside of Kubernetes, but will also work with an HTTP Agent Endpoint.
Loading…
The following example showcases how a traffic policy with the terminate-tls action can be used to control TLS termination options. More information and examples about configuring traffic policies on Agent Endpoints can be found in the traffic policy section below.
For HTTPS endpoints, ngrok will already terminate TLS connections for you even if you do not explicitly use this action in your Traffic Policy. If you specify this action in your Traffic Policy without any configuration, you will see no change in behavior for your endpoints.
Loading…
TCP Endpoints
TCP Agent Endpoints can be used to forward raw TCP traffic. In order to create a TCP Agent Endpoint, you must first reserve a TCP address through the ngrok dashboard.
Loading…
TLS Endpoints
TLS endpoints enable you to deliver any network service that runs over a TLS-based protocol. TLS endpoints make no assumptions about the wrapped protocol being transported.
Loading…
The following example showcases how a traffic policy with the terminate-tls action can be used to control TLS termination options. More information and examples about configuring traffic policies on Agent Endpoints can be found in the traffic policy section below.
For TLS endpoints, ngrok will not terminate the TLS connection by default and it is up to you to handle TLS termination in your upstream service.
Loading…
Internal Endpoints
Agent Endpoints with a url ending in .internal can be used to create Internal Endpoints.
All internal endpoints end in .internal, and are specific to one ngrok account. Requests may only be forwarded to a internal endpoint on the same account as the the internal endpoint, and the target must be of the same protocol (i.e. an HTTP Endpoint may only forward to an HTTP Internal Endpoint).
In addition, the target's traffic policy may only specify policy for the current protocol, for example if forward-internal is used in the on_http_request traffic policy phase,
the internal endpoint may only have on_http_request and on_http_response sections in its traffic policy configuration.
1. Create a public Agent Endpoint
The following Agent Endpoint will forward all traffic to an internal Agent Endpoint that will be created next
Loading…
Since the above endpoint is forwarding all traffic to the below internal endpoint, no traffic will be sent to foo.bar:8080 which is the upstream.
2. Create an internal Agent Endpoint
This internal Agent Endpoint is not accessible from the public internet, but may receive traffic from other Cloud and Agent Endpoints using their
traffic policy's forward-internal action.
Loading…
3. Create a Cloud Endpoint
The following showcases how you could also use a Cloud Endpoint to forward traffic to your internal Agent Endpoint
Cloud Endpoints can created with Kubernetes resources such as with the following example, but they can also be created from the ngrok dashboard and the ngrok API.
Cloud Endpoints enable you to:
- Centrally manage your traffic policy configurations in Kubernetes and/or ngrok's cloud service
- Load balance traffic to different ngrok agents/operators
- Apply different configurations for each path in your application. For example, you may apply OAuth on
/appand Compression on/static/css
Loading…
Traffic Policies with Agent Endpoints
The follwoing example showcases how to inline a traffic policy configuration for an Agent Endpoint.
Loading…
The follwoing example showcases how to supply a traffic policy configuration via reference to an NgrokTrafficPolicy custom resource
for an Agent Endpoint. Note that the referenced NgrokTrafficPolicy must be in the same namespace as the AgentEndpoint it is being referenced from.
Loading…
Loading…