Expose Istio
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.
Fast Forward
If you have already exposed Istio for serving, expand this box to fast-forward.
- Proceed to the Verify section.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster on your premises.
- A working MetalLB Load Balancer controller.
- A working NGINX Ingress Controller deployment.
- An existing FQDN for your MetalLB Load Balancer.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments

Specify the NGINX class to use. Choose one of the following options, based on which NGINX you are using:

- The Serving NGINX is used by default. Continue with next step.
- Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-class patch:

      patches:
      ...
      - path: patches/ingress-class.yaml

Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the xff patch:

    patches:
    ...
    - path: patches/xff.yaml
      target:
        kind: EnvoyFilter
        name: xff-trust-hops

Set the number of trusted proxies in front of the Gateway:

    root@rok-tools:~/ops/deployments# export SERVING_TRUSTED_FRONT_PROXIES=1

Note: With MetalLB we have only one L7 proxy in front of Istio: NGINX.

Render the Istio envoy filter patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/expose-serving/overlays/deploy/patches/xff.yaml.j2 \
    >     -o rok/expose-serving/overlays/deploy/patches/xff.yaml

Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippet:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml

Render the patch for Ingress rules:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/expose-serving/overlays/deploy/patches/ingress-host.yaml.j2 \
    >     -o rok/expose-serving/overlays/deploy/patches/ingress-host.yaml

Render the patch for TLS termination:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/expose-serving/overlays/deploy/patches/ingress-tls.yaml.j2 \
    >     -o rok/expose-serving/overlays/deploy/patches/ingress-tls.yaml

Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the certificate-related snippets. Choose one of the following options, based on who manages your SSL certificates.

- Enable the corresponding resource and patch:

      resources:
      ...
      - ../../base/certificate.yaml
      patches:
      ...
      - path: patches/certificate.yaml

- Enable the secret generator for the TLS secret:

      secretGenerator:
      - name: knative-serving-ingress-tls-secret
        files:
        - secrets/tls.crt
        - secrets/tls.key
        type: "kubernetes.io/tls"

Configure your certificate. Choose one of the following options, based on who manages your SSL certificates.

- Edit rok/expose-serving/overlays/deploy/patches/certificate.yaml, set both commonName and dnsNames to your subdomain and specify the ClusterIssuer name in issuerRef:

      spec:
        commonName: serving.example.com
        dnsNames:
        - serving.example.com
        issuerRef:
          name: arrikto-self-signing-issuer

- Put your SSL certificate under rok/expose-serving/overlays/deploy/secrets/tls.crt and your private key under rok/expose-serving/overlays/deploy/secrets/tls.key.

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"

Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-serving/overlays/deploy
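
Why the trusted proxy count set in the procedure above has to match the real number of proxies, as an added example that is not part of the Arrikto documentation or code: a simplified model of the rule Envoy documents for xff_num_trusted_hops when use_remote_address is enabled (assumed here to be how the gateway is configured). The addresses are constructed, and NGINX is assumed to append the client address to any X-Forwarded-For header it receives.

```python
"""Model: how a trusted-hop count picks the client address from X-Forwarded-For."""
import ipaddress


def trusted_client_address(xff, peer, trusted_hops):
    """Return the address the gateway treats as the client.

    xff          -- X-Forwarded-For value as received (may be None)
    peer         -- source address of the TCP connection (the last proxy)
    trusted_hops -- number of trusted proxies in front of the gateway
    """
    if trusted_hops < 0:
        raise ValueError("trusted_hops must be >= 0")
    if trusted_hops == 0:
        return peer  # nothing in the header is trusted
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return peer  # header shorter than expected: fall back to the peer
    candidate = hops[-trusted_hops]  # Nth entry counted from the right
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # model choice: an unparsable entry is never trusted


# Constructed sample: client 203.0.113.7 sends a forged header entry,
# and NGINX (10.0.0.5) appends the real client address before proxying.
FORGED = "198.51.100.99"
XFF_AT_GATEWAY = f"{FORGED}, 203.0.113.7"
NGINX_ADDR = "10.0.0.5"


def demo():
    """Client address seen by the gateway for trusted-hop counts 0..3."""
    return {n: trusted_client_address(XFF_AT_GATEWAY, NGINX_ADDR, n)
            for n in range(4)}


if __name__ == "__main__":
    for n, addr in demo().items():
        print(f"trusted hops = {n}: client seen as {addr}")
```

With a count of 1, as set in the procedure, the gateway sees the real client; a count of 2 would accept the forged entry, and 0 would attribute every request to NGINX.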
Verify
Verify that you have successfully created the Ingress object for Istio. Wait until the ADDRESS field shows the IP address of your load balancer:
    root@rok-tools:~# kubectl get ingress -n knative-serving
    NAME                      CLASS           HOSTS                                       ADDRESS    PORTS     AGE
    knative-serving-ingress   nginx-serving   *.serving.example.com,serving.example.com   10.0.0.2   80, 443   1m
What’s Next
Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.