Angie and NGINX on Kubernetes: Helm, Ingress, WAF, HTTP/3 and TLS


Running Angie or NGINX on Kubernetes requires proper configuration for load balancing, TLS termination, WAF protection, and HTTP/3 support. This guide covers production-ready setup using Helm, Ingress resources, and modern web protocols.

Why Kubernetes with Angie/NGINX?

Kubernetes abstracts your infrastructure, but you still need a proper web server at the edge:
• Angie/NGINX handles request routing and load balancing
• TLS termination at the edge reduces backend CPU
• HTTP/3 and HTTP/2 support for modern clients
• ModSecurity WAF for application protection
• Automatic scaling based on traffic

Architecture Overview

Typical Kubernetes setup:

Clients → Internet → Angie/NGINX (Ingress) → Services → Pods

The Ingress controller (Angie or NGINX) terminates TLS, routes requests, applies WAF rules, and forwards traffic to your backend services.

Installing Angie/NGINX on Kubernetes

Option 1: Using Helm (Recommended)

Add the myguard repository:

helm repo add myguard https://helm.myguard.nl
helm repo update

Install Angie Ingress controller:

helm install angie myguard/angie --namespace ingress-angie --create-namespace --values values.yaml

Option 2: Using Official Helm Chart

Install the official NGINX Ingress:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install nginx-ingress ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace

Configuring Ingress Resources

Create an Ingress resource to define routing:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
spec:
  ingressClassName: angie # or 'nginx'
  rules:
  - host: example.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 8080
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

TLS Configuration

Enable HTTPS with automatic certificate management:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-tls
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: angie
  tls:
  - hosts:
    - example.com
    secretName: example-tls-cert
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

HTTP/3 Support

Enable HTTP/3 (QUIC) for faster connections:

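apiVersion: v1
kind: ConfigMap
metadata:
  name: angie-config
data:
  http3.conf: |
    # HTTP/3 with QUIC. "quic" opens a separate UDP listener and cannot be
    # combined with "ssl" or "http2" on the same listen directive.
    # QUIC runs over UDP, so the Service must also expose 443/UDP.
    listen 443 ssl http2;
    listen 443 quic;
    listen [::]:443 ssl http2 ipv6only=on;
    listen [::]:443 quic;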

Then patch the Ingress controller to use this config.

ModSecurity WAF Integration

Add ModSecurity Web Application Firewall protection:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-waf
  annotations:
    modsecurity.ingress.kubernetes.io/enabled: "true"
    modsecurity.ingress.kubernetes.io/rules-file: /etc/modsecurity/rules/OWASP-CRS/coreruleset-3.3.4/http-blind-xxe.data
spec:
  ingressClassName: angie
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

GeoIP2 Routing

Route traffic based on geographic location:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-geoip
  annotations:
    angie.ingress/geoip: "true"
spec:
  ingressClassName: angie
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

Production Configuration

Example production-ready values.yaml:

replicaCount: 3
image:
  repository: myguard/angie
  tag: "1.27.0"
resources:
  limits:
    cpu: 1000m
    memory: 512Mi
  requests:
    cpu: 500m
    memory: 256Mi
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
    - weight: 100
      podAffinityTerm:
        labelSelector:
          matchExpressions:
          - key: app
            operator: In
            values:
            - angie
        topologyKey: kubernetes.io/hostname
service:
  type: LoadBalancer
  port: 443
  targetPort: 443

Monitoring and Observability

Expose metrics for Prometheus:

serviceMonitor:
  enabled: true
  interval: 30s
  path: /metrics

Query Angie/NGINX metrics:

kubectl port-forward -n ingress-angie svc/angie 8080:8080
curl http://localhost:8080/metrics

Troubleshooting

Check Ingress status:

kubectl get ingress -A
kubectl describe ingress my-app-ingress

View Angie/NGINX logs:

kubectl logs -n ingress-angie deployment/angie -f

Verify TLS certificate:

kubectl get certificate -A
kubectl describe certificate my-app-tls
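
An added example, not part of the original guide or of either Helm chart: a Python audit over `kubectl get ingress -A -o json` output that flags rule hosts not covered by a `tls` entry with a `secretName`, and Ingresses without the WAF annotation used in this guide. The sample objects are constructed to mirror my-app-ingress, my-app-tls and my-app-waf; the annotation name is taken from the WAF example above and is controller-specific.

```python
import json
import sys

# Annotation name as used in this guide's WAF example (controller-specific).
WAF_ANNOTATION = "modsecurity.ingress.kubernetes.io/enabled"

def tls_covers(host, tls_hosts):
    """Exact match, or a wildcard entry covering exactly one extra label."""
    parent = host.split(".", 1)[1] if "." in host else None
    return host in tls_hosts or (parent is not None and f"*.{parent}" in tls_hosts)

def audit_ingresses(doc):
    """Return (namespace/name, finding) tuples for an Ingress list document."""
    findings = []
    for item in doc.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        tls_hosts = set()
        for entry in spec.get("tls") or []:
            if entry.get("secretName"):  # entries without secretName name no certificate
                tls_hosts.update(entry.get("hosts") or [])
        for rule in spec.get("rules") or []:
            host = rule.get("host")
            if host is None:
                findings.append((ident, "rule without host (matches any Host header)"))
            elif not tls_covers(host, tls_hosts):
                findings.append((ident, f"host {host} has no TLS secret"))
        if (meta.get("annotations") or {}).get(WAF_ANNOTATION) != "true":
            findings.append((ident, "WAF annotation not enabled"))
    return findings

# Constructed sample mirroring three of this guide's Ingress manifests.
def _ing(name, annotations=None, tls=None):
    return {"metadata": {"name": name, "namespace": "default", "annotations": annotations},
            "spec": {"ingressClassName": "angie", "tls": tls,
                     "rules": [{"host": "example.com"}]}}

SAMPLE = {"items": [
    _ing("my-app-ingress"),
    _ing("my-app-tls", tls=[{"hosts": ["example.com"], "secretName": "example-tls-cert"}]),
    _ing("my-app-waf", annotations={WAF_ANNOTATION: "true"}),
]}

if __name__ == "__main__":
    # Pass a file holding `kubectl get ingress -A -o json` output, or run on the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ident, finding in audit_ingresses(doc):
        print(f"{ident}: {finding}")
```

Applied as separate objects for the same host, the TLS and WAF examples in this guide each cover only one of the two controls, which is what the audit reports for the sample.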

Performance Tuning

Optimize for production:

# Increase worker connections
worker_connections 4096;

# Enable compression
gzip on;
gzip_min_length 1000;

# Cache DNS
resolver 8.8.8.8 8.8.4.4 valid=30s;
resolver_timeout 10s;

Best Practices

1. Use cert-manager for automatic certificate management
2. Enable RBAC and network policies
3. Use resource limits and requests
4. Implement health checks and readiness probes
5. Monitor with Prometheus and Grafana
6. Keep HTTP/3 enabled for modern clients
7. Use WAF rules appropriate for your application
8. Test failover and disaster recovery scenarios

Scaling

Scale the Ingress controller:

kubectl scale deployment angie --replicas=5 -n ingress-angie

Use HPA for automatic scaling:

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: angie-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: angie
  minReplicas: 3
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70

Conclusion

Running Angie or NGINX on Kubernetes provides a robust, scalable ingress layer with modern features like HTTP/3, WAF protection, and automatic TLS. By using Helm and proper Ingress resources, you can manage your edge infrastructure as code.