Skip to main content

User Guide

The guide contains information on how to use the ngrok Kubernetes Operator. This is the place to start if you have the operator installed and want to use it to add ingress, gateways, routes, and other ngrok features to your clusters' apps and services.

Start by reading the ingress-to-edge-relationship documentation to understand how ingress, gateway, and route objects are converted into ngrok edges.

For see or contribute a specific example, file a PR in the examples section of our repo see.

TLS and HTTPS

For http based traffic, the ngrok Kubernetes Ingress Controller will and can only provide HTTPS secured traffic. This is because the controller is responsible for creating the ngrok tunnel and edge, and ngrok only supports HTTPS for http traffic. By default if you use a standard ngrok subdomain, all traffic will be over https. If you are using a custom domain, please see the custom domain documentation for more details.

Additionally, TLS Edges may be supported soon in the future!

IP Restrictions

note

IPPolicy modules are currently only supported with the ingress controller.

ngrok offers the ability to restrict access to your edges by IP address via IP Restrictions. These are configurable via the IPPolicy CRD and can be attached to Ingress objects via NgrokModuleSet.

Modules

ngrok's Cloud Edge Modules allow you to configure features like compression, IP Restrictions, OAuth, adding/removing headers, and more.

note

These modules are currently only supported with the ingress controller. The Gateway API supports some of these capabilities using route rules

Design

Reusable

NgrokModuleSets are designed to be reusable. This allows you to define a set of modules and their configuration once and apply it to multiple Ingresses. Ex:

---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: module-set-1
modules:
compression:
enabled: true
tlsTermination:
minVersion: "1.2"
headers:
request:
add:
a-request-header: "my-custom-value"
another-request-header: "my-other-custom-value"
remove:
- "x-remove-at-edge"
response:
add:
a-response-header: "a-response-value"
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: example-ingress
annotations:
k8s.ngrok.com/modules: module-set-1
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: example-ingress-2
annotations:
k8s.ngrok.com/modules: module-set-1

In this example, the compression, tlsTermination, and headers modules are applied to both Ingresses and the same configuration is used for both. If you change the configuration of the NgrokModuleSet, the change will be applied to all Ingresses that use it.

Composable

NgrokModuleSets are designed to be composable. If multiple NgrokModuleSets are applied to an Ingress and a module is configured in more than one, the last one wins. Ex:

---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: module-set-1
modules:
compression:
enabled: false
---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: module-set-2
modules:
compression:
enabled: true
tlsTermination:
minVersion: "1.2"
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: example-ingress
annotations:
k8s.ngrok.com/modules: module-set-1,module-set-2

In this example, the result is the compression module is enabled since module-set-2 was supplied last. If however, the annotation is k8s.ngrok.com/modules: module-set-2,module-set-1 the order will result in the compression module being disabled since module-set-1 is supplied last and overrides the value of enabled from module-set-2.

RBAC

Since NgrokModuleSets are Kubernetes Resources(Custom Resources), you can use RBAC to control who can create, update, get, list, delete them. This allows you to control who can create and manage NgrokModuleSets, while being more permissive with Ingresses and allowing teams to self-service using pre-made configurations.

Supported Modules

Circuit Breaker

Circuit breakers are used to protect upstream servers by rejecting traffic to them when they become overwhelmed.

kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: circuit-breaker
modules:
circuitBreaker:
trippedDuration: 10s
rollingWindow: 10s
numBuckets: 10
volumeThreshold: 10
errorThresholdPercentage: "0.50"

Compression

If an HTTP request includes an Accept-Encoding header, HTTP responses will be automatically compressed and a Content-Encoding response header will be added.

Enabled

kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: compression-enabled
modules:
compression:
enabled: true

Disabled

kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: compression-disabled
modules:
compression:
enabled: false

Headers

Request

The Request Headers module allows you to add and remove headers from HTTP requests before they are sent to your upstream server.

kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: request-headers
modules:
headers:
request:
add:
a-request-header: "my-custom-value"
another-request-header: "my-other-custom-value"
remove:
- "x-remove-before-upstream"

Response

The Response Headers module allows you to add and remove headers from HTTP responses before they are returned to the client.

kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: response-headers
modules:
headers:
response:
add:
a-response-header: "a-response-value"
another-response-header: "another-response-value"
remove:
- "x-remove-from-resp-to-client"

IP Restrictions

IP Restrictions allow you to attach one or more IP policies to the route.

Policies may be specified by either their ID in the ngrok API or by the name of an ippolicy.ingress.k8s.ngrok.com Custom Resource if managed by the ingress controller.

kind: IPPolicy
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: policy-1
spec:
description: "My Trusted IPs"
rules:
- action: "allow"
cidr: 1.2.3.4/32
description: "My Home IP"
- action: "allow"
cidr: 1.2.3.5/32
description: "My Work IP"
---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: ip-restrictions
modules:
ipRestriction:
policies:
- "policy-1" # Reference to the `ippolicy.ingress.k8s.ngrok.com` Custom Resource above
- "ipp_1234567890" # Reference to an IP Policy by its ngrok API ID

OAuth

The OAuth module enforces an OAuth authentication flow in front of any route it is enabled on.

Ngrok Managed OAuth Application

Google
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: ngrok-managed-google-oauth
modules:
oauth:
google:
optionsPassthrough: true
inactivityTimeout: 10m
maximumDuration: 24h
authCheckInterval: 20m
emailAddresses:
- my-email@my-domain.com
# Or specify a list of domains instead of individual email addresses
# emailDomains:
# - my-domain.com

User Managed OAuth Application

Google
---
kind: Secret
apiVersion: v1
metadata:
name: google-oauth-secret
type: Opaque
data:
CLIENT_SECRET: "<base64-encoded-client-secret>"
---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: user-managed-google-oauth
modules:
oauth:
google:
optionsPassthrough: true
inactivityTimeout: 10m
maximumDuration: 24h
authCheckInterval: 20m
clientId: "<client-id>.apps.googleusercontent.com"
clientSecret:
name: google-oauth-secret # The name of the k8s secret
key: CLIENT_SECRET # The key in the k8s secret containing the client secret
scopes:
- openid
- email

OpenID Connect (OIDC)

The OIDC module restricts endpoint access to only users authorized by a OpenID Identity Provider.

---
kind: Secret
apiVersion: v1
metadata:
name: oidc-secret
type: Opaque
data:
CLIENT_SECRET: "<base64-encoded-client-secret>"
---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: oidc
modules:
oidc:
clientId: "<client-id>.apps.googleusercontent.com"
clientSecret:
name: oidc-secret
key: CLIENT_SECRET
maximumDuration: 24h
inactivityTimeout: 3h
issuer: https://accounts.google.com
optionsPassthrough: true
scopes:
- openid
- email

SAML

The SAML module restricts endpoint access to only users authorized by a SAML IdP.

TLS Termination

Allows you to configure whether ngrok terminates TLS traffic at its edge or forwards the TLS traffic through unterminated.

kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: tls
modules:
tlsTermination:
minVersion: "1.3"

Webhook Verification

The webhook verification module allows ngrok to assert requests to your endpoint originate from a supported webhook provider like Slack or Github.

---
apiVersion: v1
kind: Secret
metadata:
name: github-webhook-token
type: Opaque
data:
SECRET_TOKEN: "<base64-encoded-webhook-secret>"

---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: webhook-verification
modules:
webhookVerification:
provider: github
secret:
name: github-webhook-token
key: SECRET_TOKEN

Configuring Multiple Modules

The following NgrokModuleSet named example:

  • Enables a circuit breaker
  • Enables compression
  • Adds and removes headers from both the request and response
  • Restricts access to the route to a list of trusted IPs defined in policy-1
  • Uses a ngrok managed OAuth application to authenticate users
  • Configures TLS termination
---
kind: IPPolicy
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: policy-1
spec:
description: "My Trusted IPs"
rules:
- action: "allow"
cidr: 1.2.3.4/32
description: "My Home IP"
- action: "allow"
cidr: 1.2.3.5/32
description: "My Work IP"
---
kind: NgrokModuleSet
apiVersion: ingress.k8s.ngrok.com/v1alpha1
metadata:
name: example
modules:
circuitBreaker:
trippedDuration: 10s
rollingWindow: 10s
numBuckets: 10
volumeThreshold: 20
errorThresholdPercentage: "0.50"
compression:
enabled: true
headers:
request:
add:
a-request-header: "my-custom-value"
another-request-header: "my-other-custom-value"
remove:
- "x-remove-before-upstream"
response:
add:
a-response-header: "a-response-value"
another-response-header: "another-response-value"
remove:
- "x-remove-from-resp-to-client"
ipRestriction:
policies:
- policy-1
oauth:
google:
optionsPassthrough: true
inactivityTimeout: 10m
maximumDuration: 24h
authCheckInterval: 20m
tlsTermination:
minVersion: "1.3"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
annotations:
k8s.ngrok.com/modules: "example"
spec:
ingressClassName: ngrok
rules:
- host: <my-host>.ngrok.app
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: <service-name>
port:
number: <service-port>

Traffic Policy

Traffic policies for inbound and outbound traffic can simplifify edge management.

Design

NgrokTrafficPolicy objects can be defined with rules composed of expressions and actions that validate and filter traffic via the policy engine.

kind: NgrokTrafficPolicy
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
metadata:
name: traffic-policy-example
spec:
policy:
inbound:
- name: "greetings"
expressions:
- "req.method == 'GET'"
- "req.path.startsWith('/greetings')"
actions:
- type: "custom_response"
config:
status_code: 200
content: Hello
headers:
content-type: text/plain

Learn more about the policy expressions and actions here:

Ingress Composition

Traffic policies can be added to Ingress objects using annotations.

---
kind: NgrokTrafficPolicy
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
metadata:
name: traffic-policy-test
spec:
policy:
inbound:
- name: "deny_patch"
expressions:
- "req.method == 'PATCH'"
actions:
- type: "deny"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example
annotations:
k8s.ngrok.com/traffic-policy: traffic-policy-test
spec:
ingressClassName: ngrok
rules:
- host: <my-host>.ngrok.app
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: <service-name>
port:
number: <service-port>
note

Using both an NgrokModuleSet and an NgrokTrafficPolicy will result in an error.

note

Ingress is currently limited to a max of one traffic policy in your traffic policy annotation list.

Gateway Composition

Traffic policies can be added to Gateway HTTPRoute objects using an ExtensionRef filter.

---
kind: NgrokTrafficPolicy
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
metadata:
name: traffic-policy-test
spec:
policy:
inbound:
- name: "deny_patch"
expressions:
- "req.Method == 'PATCH'"
actions:
- type: "deny"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: example-route
spec:
parentRefs:
- kind: Gateway
name: ngrok-gateway
hostnames:
- "<my-host>.ngrok.app"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: ExtensionRef
extensionRef:
group: ngrok.k8s.ngrok.com
kind: NgrokTrafficPolicy
name: traffic-policy-test
backendRefs:
- name: <service-name>
kind: Service
port: <service-port>

TCP and TLS Edges

ngrok offers TCP and TLS Edges which can be used to provide ingress to TCP or TLS based services. Both are implemented as CRDs and function similarly in broad strokes, albeit with slightly different configuration options offered. Their CRD reference is a useful companion to this guide.

While these edges and tunnels can be managed via the CRDs, the operator is capable of exposing kubernetes Service resources to the internet. This is done by creating a ngrok tunnel and edge for the service. The controller will automatically create a ngrok tunnel and edge for the service when the service is created or updated. The controller will also automatically delete the ngrok tunnel and edge when the service is deleted.

TCP LoadBalancer

By default, services of type LoadBalancer are exposed using a ngrok TCP Edge. A reserved address is automatically created for the service and the service's status will be updated with the reserved address. Other projects like external-dns can be used to create a CNAME record for the reserved address automatically.

Example

apiVersion: v1
kind: Service
metadata:
name: mysite
annotations:
k8s.ngrok.com/modules: only-trusted-ips # Optional. The ngrok modules used for this Service
spec:
allocateLoadBalancerNodePorts: false # ngrok's tunneling technology does not require NodePorts to be allocated.
loadBalancerClass: ngrok
type: LoadBalancer
selector:
app: mysite
ports:
- name: traffic
port: 9000
protocol: TCP
targetPort: 9000

Modules

The k8s.ngrok.com/modules annotation can be used to specify the ngrok modules to use for the service. The following modules are available for TCP services:

If other modules are supplied that are not supported by the TCP edge, the controller will ignore them.

TLS LoadBalancer

Example

Note: the k8s.ngrok.com/domain annotation is required to use TLS and will expose the service as a TLS Edge. Once the reserved domain is ready and the TLSEdge is created, the service's status will be updated with the ngrok address. Other projects like external-dns can be used to create a CNAME record for the reserved domain automatically.

apiVersion: v1
kind: Service
metadata:
name: mysite
annotations:
k8s.ngrok.com/modules: only-trusted-ips # Optional. The ngrok modules used for this Service
k8s.ngrok.com/domain: mysite.mydomain.com # Required to use TLS
external-dns.alpha.kubernetes.io/hostname: "mysite.mydomain.com"
spec:
allocateLoadBalancerNodePorts: false # ngrok's tunneling technology does not require NodePorts to be allocated.
loadBalancerClass: ngrok
type: LoadBalancer
selector:
app: mysite
ports:
- name: traffic
port: 9000
protocol: TCP
targetPort: 9000

Modules

The k8s.ngrok.com/modules annotation can be used to specify the ngrok modules to use for the service. The following modules are available for TLS services:

If other modules are supplied that are not supported by the TLS edge, the controller will ignore them.

Manual management via CRDs

While using services is recommended for simplicity, TCP and TLS edges and tunnels can be managed manually via the operator.

(TLS Only) Get a Domain

At least one hostports must be specified when creating a TLSEdge resource, which takes the form <fqdn>:443. The fully qualified domain name must first be reserved either via the ngrok dashboard or the Domain CRD.

Example:

apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: Domain
metadata:
name: tlsedgetest-ngrok-app
spec:
domain: tlsedgetest.ngrok.app

Create the Edge

Create the edge CRD. These resources are fairly similar, and both require you to specify a TunnelGroupBackend. This consists of a list of labels that determine which specific Tunnel should receive traffic from the edge. Both may also specify IP Policies for limiting access to the edge. At the time of writing, these policies must be provided as a reference in the form ipp_<id>.

On top of the options available to TCP Edges, TLS Edges support (and require) a few other options:

  • (required) hostports: A list of "<fqdn>:443" strings declaring the list of reserved domains for the edge to listen on.
  • tlsTermination: Configure the TLS Termination behavior. The terminateAt field may be set to upstream to pass the encrypted stream to the Tunnel backend, or edge to terminate the TLS stream at the ngrok edge, and pass plaintext bytes to the Tunnel.
  • mutualTls: Configure client certificate validation at the edge. Requires a reference to a Certificate Authority.

TCP Example:

apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: TCPEdge
metadata:
name: test-edge
spec:
backend:
labels:
app: tcptestedge

TCP Edges currently do not support providing a reserved TCP address. Therefore, one will be allocated upon edge creation. This can be viewed by checking the status of the resource:

$ kubectl get tcpedges test-edge
NAME ID HOSTPORTS BACKEND ID AGE
test-edge edgtcp_2Wg5AzVE878vQoNMP3Z8wONIr76 ["7.tcp.ngrok.io:27866"] bkdtg_2Wg5Amjb4GiQoV7SAnpEdM0Dg3n 2m35s

TLS Example:

apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: TLSEdge
metadata:
name: test-edge
spec:
hostports:
- tlstestedge.ngrok.app:443
backend:
labels:
app: tlstestedge
tlsTermination:
terminateAt: upstream

Start the Tunnel

Finally, create a Tunnel to receive and forward traffic for your edge.

Important fields:

  • forwardsTo: The <hostname>:<port> to forward traffic to. This can be any hostname resolvable and accessible from the ingress controller pod.
  • labels: a map of labels corresponding to the edge to receive traffic for. These must match the labels specified when creating your edge.
  • backend.protocol: The protocol understood by the backend service. TCP will forward connections to the backend as-is, while TLS will create a TLS connection to the backend first, and then forward the connection stream over that.

Example:

apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: Tunnel
metadata:
name: test-tunnel
spec:
backend:
protocol: TCP
forwardsTo: kubernetes.default.svc:443
labels:
app: tlsedgetest

Full Example

This is an example of using a TLS Edge to expose the kubernetes control plane via ngrok.

---
apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: Domain
metadata:
name: tlsedgetest-ngrok-app
spec:
# Reserve the tlsedgetest.ngrok.app domain.
domain: tlsedgetest.ngrok.app
---
apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: TLSEdge
metadata:
name: test-edge
spec:
hostports:
# Listen for connections on the domain we reserved
- tlsedgetest.ngrok.app:443
backend:
labels:
app: tlsedgetest
# Pass the TLS stream on to the backend - let the application do its own TLS
# handshake.
tlsTermination:
terminateAt: upstream
---
apiVersion: ingress.k8s.ngrok.com/v1alpha1
kind: Tunnel
metadata:
name: test-tunnel
spec:
# Forward the raw TCP stream to our backend.
# It will technically contain TLS, and the backend speaks TLS, but we don't
# want the Tunnel to terminate TLS before forwarding incoming connections.
# We don't want a TLS turducken.
backend:
protocol: TCP
# Forward to the kubernetes control plane.
forwardsTo: kubernetes.default.svc:443
# Listen for connections using the labels from our edge.
labels:
app: tlsedgetest

Check the status of your resources:

$ kubectl get domain
NAME ID REGION DOMAIN CNAME TARGET AGE
tlsedgetest-ngrok-app rd_2Wg986lvMqsiB1J5WV5lOcmT21a tlsedgetest.ngrok.app 4s
$ kubectl get tlsedge
NAME ID HOSTPORTS BACKEND ID AGE
test-edge edgtls_2Wg989BMmZLWXixStL8BjAxMcxW ["tlsedgetest.ngrok.app:443"] bkdtg_2Wg981gcSnxaX5cTL28LWwVg4xD 12s
$ kubectl get tunnel
NAME FORWARDSTO AGE
test-tunnel kubernetes.default.svc:443 52m

Our domain and edge both have IDs allocated, so we know they've been created successfully!

Edit your kubeconfig and replace the server with https://tlsedgetest.ngrok.app, comment out certificate-authority-data and add insecure-skip-tls-verify: true to your cluster config. This is needed because kubernetes is completing the TLS handshake with its own certificate, which won't be valid for your ngrok domain.

Use kubectl cluster-info to verify that everything is still working:

$ kubectl cluster-info
Kubernetes control plane is running at https://tlsedgetest.ngrok.app
CoreDNS is running at https://tlsedgetest.ngrok.app/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.