Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Compute the subdomain to use for serving:

    root@rok-tools:~/ops/deployments# export SERVING_SUBDOMAIN=${SERVING_AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com && echo ${SERVING_SUBDOMAIN?}
    arrikto-cluster-serving.eastus.cloudapp.azure.com
  3. Specify the NGINX class to use. Choose one of the following options based on which NGINX you are using:

    The Serving NGINX is used by default. Continue with the next step.

    Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-class patch:

    patches:
    ...
    - path: patches/ingress-class.yaml
  4. Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the xff patch:

    patches:
    ...
    - path: patches/xff.yaml
      target:
        kind: EnvoyFilter
        name: xff-trust-hops
  5. Edit rok/expose-serving/overlays/deploy/patches/xff.yaml and set the value of xff_num_trusted_hops to 1:

    value: 1

    Note

    Azure LB is a TCP proxy, so there is exactly one L7 proxy in front of Istio: NGINX.

  6. Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippet. The final result will look like this:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
  7. Render the patch for Ingress rules:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/expose-serving/overlays/deploy/patches/ingress-host.yaml.j2 \
    >     -o rok/expose-serving/overlays/deploy/patches/ingress-host.yaml
  8. Render the patch for TLS termination:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/expose-serving/overlays/deploy/patches/ingress-tls.yaml.j2 \
    >     -o rok/expose-serving/overlays/deploy/patches/ingress-tls.yaml
  9. Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the certificate resource:

    resources:
    ...
    - ../../base/certificate.yaml
  10. Edit rok/expose-serving/overlays/deploy/patches/certificate.yaml and set both commonName and dnsNames to your subdomain:

    spec:
      commonName: arrikto-cluster-serving.eastus.cloudapp.azure.com # <-- Edit this value with your subdomain
      dnsNames:
      - arrikto-cluster-serving.eastus.cloudapp.azure.com # <-- Edit this value with your subdomain
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
  12. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-serving/overlays/deploy
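
Why step 5 sets xff_num_trusted_hops to 1, as an added example that is not part of the original procedure or of the product's own code. It models Envoy's documented X-Forwarded-For (XFF) selection rule for a gateway that uses the remote address, and assumes that NGINX appends the peer address to any XFF header it receives; all IP addresses are constructed.

```python
"""Model of client-address selection behind one L7 proxy (NGINX)."""

# Constructed sample addresses (documentation and private ranges).
CLIENT_IP = "203.0.113.7"      # real client, as seen by NGINX
NGINX_POD_IP = "10.244.1.5"    # peer address the Istio gateway sees
SPOOFED_IP = "198.51.100.99"   # value a client puts in its own XFF header


def nginx_forward(client_xff, peer_addr):
    """Assumption: NGINX appends the peer address to any inbound XFF."""
    return f"{client_xff}, {peer_addr}" if client_xff else peer_addr


def trusted_client_address(xff, downstream_addr, num_trusted_hops):
    """Envoy's documented rule when it uses the remote address (assumed here):
    take the Nth entry from the right of XFF, or fall back to the
    directly connected peer if N is 0 or XFF has fewer than N entries."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if num_trusted_hops == 0 or len(hops) < num_trusted_hops:
        return downstream_addr
    return hops[-num_trusted_hops]


def simulate(client_xff, num_trusted_hops):
    """Address the gateway attributes the request to."""
    xff = nginx_forward(client_xff, CLIENT_IP)
    return trusted_client_address(xff, NGINX_POD_IP, num_trusted_hops)


if __name__ == "__main__":
    for hops in (0, 1, 2):
        for label, sent in (("no XFF sent", ""), ("forged XFF", SPOOFED_IP)):
            print(f"hops={hops} {label:12} -> {simulate(sent, hops)}")
```

With a value of 1 the gateway attributes every request to the real client. With 0 every request appears to come from NGINX, and with 2 a header value supplied by the client is accepted as the source address.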

Verify

  1. Verify that you have successfully created the Ingress object for Istio. Ensure that the HOSTS field includes both your subdomain and your wildcard subdomain:

    root@rok-tools:~# kubectl get ingress -n knative-serving
    NAME                      HOSTS                                                                                                   ADDRESS       PORTS   AGE
    knative-serving-ingress   *.arrikto-cluster-serving.eastus.cloudapp.azure.com,arrikto-cluster-serving.eastus.cloudapp.azure.com   10.42.42.42   80      1m

Summary

You have successfully configured Istio and exposed served models to the outside world.

What’s Next

Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.