The ngrok Kubernetes Operator is our official open-source controller for adding public and secure ingress traffic to your k8s services. It works out of the box with Google Kubernetes Engine cluster to provide ingress to your services no matter the network configuration, as long as it has outbound access to the ngrok service. This allows ngrok to be portable and work seamlessly across any type of infrastructure.

What you’ll need

Ensure kubectl can speak with your cluster

With a Google Kubernetes Engine (GKE) cluster, authentication for kubectl happens with a credential helper. So in-order to deploy the ngrok Kubernetes Operator to your cluster, you’ll need to ensure that you can use the gcloud CLI and that the credential helper is available. Let’s ensure that you have the gcloud CLI installed and configured with your Google Cloud credentials. You can confirm this works and you’re authenticated correctly by running the following command: 
gcloud auth list
If you see your correct Google account listed, you should be all set. If not, you can run gcloud auth login to authenticate with your Google account. Next, we’ll ensure that the credential helper is available. Run the following command to confirm that the credential helper is available: 
gcloud components install gke-gcloud-auth-plugin
Finally, we can add the cluster to our KUBECONFIG: 
gcloud container clusters get-credentials --region <cluster-region> --project <cluster-project> <cluster-name>

Install the ngrok Kubernetes Operator

Now we can install the ngrok Kubernetes Operator to provide ingress to our services. Check out our Operator installation doc for details on how to use Helm to install with your ngrok credentials.

Install a Sample Application

Create a manifest file (for example ngrok-manifest.yaml) with the following contents. You will need to replace the NGROK_DOMAIN on line 45 with your own custom value. This is the URL you will use to access your service from anywhere. If you’re on a free account, it must be on a static subdomain which you can claim by logging into your account and following the instructions on the claim static subdomain banner. For paid accounts, you can use a custom domain or a subdomain of ngrok.app or ngrok.dev (for example, username-loves-ingress.ngrok.app or k8s.example.com).
Notes:
  • Lines 1-34: Create the 2048 app service and deployment
  • Lines 35-54 (highlighted): Create the ngrok Kubernetes Operator. Line 45 determines the ingress URL for public requests.
showLineNumbers
apiVersion: v1
kind: Service
metadata:
  name: game-2048
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
  selector:
    app: game-2048
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: game-2048
spec:
  replicas: 1
  selector:
    matchLabels:
      app: game-2048
  template:
    metadata:
      labels:
        app: game-2048
    spec:
      containers:
        - name: backend
          image: alexwhen/docker-2048
          ports:
            - name: http
              containerPort: 80
---
# highlight-start
# ngrok Kubernetes Operator Configuration
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: game-2048-ingress
  namespace: ngrok-operator
spec:
  ingressClassName: ngrok
  rules:
    - host: <NGROK_DOMAIN>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: game-2048
                port:
                  number: 80
# highlight-end
  1. Apply the manifest file to your k8s cluster. 
    kubectl apply -f ngrok-manifest.yaml
    Note: If you get an error when applying the manifest, double check that you’ve updated the NGROK_DOMAIN value and try again.
  2. Access your ingress URL using the subdomain you chose in the manifest file above (i.e. https://my-awesome-k8s-cluster.ngrok.app) to confirm the 2048 app is accessible from the internet. application public

Add authentication to your app

With our Traffic Policy system and the oauth action, ngrok manages OAuth protection entirely at the ngrok cloud service, which means you don’t need to add any additional services to your cluster, or alter routes, to ensure ngrok’s edge authenticates and authorizes all requests before allowing ingress and access to your endpoint. To enable the oauth action, you’ll create a new NgrokTrafficPolicy custom resource and apply it to your entire Ingress with an annotation. You can also apply the policy to just a specific backend or as the default backend for an Ingress—see our doc on using the Operator with Ingresses.
  1. Edit your existing 2048.yaml manifest with the following, leaving the Service and Deployment as they were. Note the new annotations field and the NgrokTrafficPolicy CR. 
     ...
---
# Configuration for ngrok's Kubernetes Operator
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: game-2048-ingress
  namespace: default
  annotations:
    k8s.ngrok.com/traffic-policy: oauth
spec:
  ingressClassName: ngrok
  rules:
    - host: <NGROK_DOMAIN>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: game-2048
                port:
                  number: 80
---
# Traffic Policy configuration for OAuth
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: NgrokTrafficPolicy
metadata:
  name: oauth
  namespace: default
spec:
  policy:
	   on_http_request:
		   - type: oauth
			   config:
			     provider: google
  2. Re-apply your 2048.yaml configuration. 
    kubectl apply -f 2048.yaml
  3. When you open your demo app again, you’ll be asked to log in via Google. That’s a start, but what if you want to authenticate only yourself or colleagues?
  4. You can use expressions and CEL interpolation to filter out and reject OAuth logins that don’t contain example.com. Update the NgrokTrafficPolicy portion of your manifest after changing example.com to your domain. 
    # Traffic Policy configuration for OAuth
apiVersion: ngrok.k8s.ngrok.com/v1alpha1
kind: NgrokTrafficPolicy
metadata:
  name: oauth
  namespace: default
spec:
  policy:
    on_http_request:
      - type: oauth
        config:
          provider: google
      - expressions:
          - "!actions.ngrok.oauth.identity.email.endsWith('@example.com')"
        actions:
          - type: custom-response
            config:
              body: Hey, no auth for you ${actions.ngrok.oauth.identity.name}!
              status_code: 400
  5. Check out your deployed 2048 app once again. If you log in with an email that doesn’t match your domain, ngrok rejects your request. Authentication… done!