Expose Istio¶
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.
Fast Forward
If you have already exposed Istio, proceed to the Verify section.
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster on your premises.
- A working MetalLB Load Balancer controller.
- A working NGINX Ingress Controller deployment.
- An existing FQDN for your MetalLB Load Balancer.
Procedure¶
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:/# cd ~/ops/deployments

2. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the ingress resource:

       resources:
         ...
         - ../../base/ingress.yaml

3. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippets, including the top-level patches directive:

       patches:
         - path: patches/ingress-host.yaml
           target:
             kind: Ingress
             name: istio-ingress
         - path: patches/ingress-tls.yaml
         ...

4. Edit rok/expose-ekf/overlays/deploy/patches/ingress-host.yaml and set value to your FQDN:

       - op: replace
         path: /spec/rules/0/host
         value: ekf.example.com

5. Edit rok/expose-ekf/overlays/deploy/patches/ingress-tls.yaml and set hosts to your FQDN:

       spec:
         tls:
           - hosts:
               - ekf.example.com

6. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the xff patch by uncommenting the corresponding snippet:

       patches:
         ...
         - path: patches/xff.yaml
           target:
             kind: EnvoyFilter
             name: xff-trust-hops

7. Edit rok/expose-ekf/overlays/deploy/patches/xff.yaml and replace <TRUSTED_FRONT_PROXIES> with 1:

       - op: replace
         path: /spec/configPatches/0/patch/value/typed_config/xff_num_trusted_hops
         value: 1

   Note: With MetalLB there is exactly one L7 proxy in front of Istio: NGINX. The value must equal the number of proxies you actually operate in front of Istio. A larger value lets a client choose its own apparent source address by sending an X-Forwarded-For header of its own; a smaller value makes every request appear to originate from the NGINX pod, which defeats any policy or logging keyed on the client address.

8. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the certificate-related snippets. Choose one of the following options based on who manages your SSL certificates.

   - If a cert-manager ClusterIssuer issues your certificate, enable the certificate patch:

         patches:
           ...
           - path: patches/certificate.yaml

   - If you provide your own certificate, enable the secret generator for the TLS secret:

         secretGenerator:
           - name: istio-ingress-tls-secret
             files:
               - secrets/tls.crt
               - secrets/tls.key
             type: "kubernetes.io/tls"

9. Configure your certificate, following the option you chose in the previous step.

   - If a cert-manager ClusterIssuer issues your certificate, edit rok/expose-ekf/overlays/deploy/patches/certificate.yaml, set both commonName and dnsNames to your subdomain, and specify the ClusterIssuer name in issuerRef:

         spec:
           commonName: ekf.example.com
           dnsNames:
             - ekf.example.com
           issuerRef:
             name: arrikto-self-signing-issuer

   - If you provide your own certificate, put your SSL certificate under rok/expose-ekf/overlays/deploy/secrets/tls.crt and your private key under rok/expose-ekf/overlays/deploy/secrets/tls.key. Keep the private key out of version control unless your repository encrypts secrets at rest; the kustomization only needs the file to exist locally when you apply it.

10. Commit your changes:

        root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"

11. Apply the kustomization:

        root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-ekf/overlays/deploy
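To see why xff_num_trusted_hops has to match the real number of proxies in front of Istio, here is an added example that is not part of the Arrikto documentation or of any Istio, Envoy or NGINX code. It models the chain client -> NGINX Ingress -> Istio ingress gateway (Envoy) in Python. The IP addresses are constructed, and the hop rule is a simplified model of Envoy's documented behaviour with use_remote_address enabled (Nth address from the right end of X-Forwarded-For), not Envoy's implementation. The model also assumes the front proxy appends the client address to any X-Forwarded-For the client sent; whether your NGINX Ingress Controller appends to or overwrites that header depends on its configuration, so check it before relying on the header.

```python
from ipaddress import ip_address

# Constructed addresses for the chain client -> NGINX Ingress -> Istio (Envoy).
REAL_CLIENT_IP = "203.0.113.9"   # the browser's address as NGINX sees it
NGINX_POD_IP = "10.244.1.7"      # Envoy's immediate peer: the NGINX controller pod


def proxy_append_xff(incoming_xff, peer_ip):
    """What an appending L7 proxy does on the way in: add the address it
    accepted the connection from to whatever X-Forwarded-For it received."""
    return f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip


def trusted_client_ip(xff, peer_ip, trusted_hops):
    """Pick the client address Envoy should trust, given xff_num_trusted_hops.

    Simplified model of Envoy's documented rule when use_remote_address is on
    (an assumption here, not Envoy's code): with N > 0 trusted hops the client
    is the Nth address from the right end of XFF; with N == 0, fewer than N
    entries, or a malformed entry, fall back to the immediate peer address.
    """
    entries = [e.strip() for e in xff.split(",") if e.strip()] if xff else []
    if trusted_hops <= 0 or len(entries) < trusted_hops:
        return peer_ip
    candidate = entries[-trusted_hops]
    try:
        ip_address(candidate)
    except ValueError:
        return peer_ip  # never trust a non-address as a source IP
    return candidate


def simulate(trusted_hops, client_supplied_xff=""):
    """Send one request through NGINX to Envoy and return the IP Envoy trusts.

    client_supplied_xff is an X-Forwarded-For header the client itself puts on
    the request (a spoofing attempt); NGINX appends the real address after it.
    """
    xff_at_envoy = proxy_append_xff(client_supplied_xff, REAL_CLIENT_IP)
    return trusted_client_ip(xff_at_envoy, NGINX_POD_IP, trusted_hops)


if __name__ == "__main__":
    print("hops=1, honest client :", simulate(1))                   # 203.0.113.9
    print("hops=1, spoof attempt :", simulate(1, "198.51.100.77"))  # 203.0.113.9
    print("hops=2, spoof attempt :", simulate(2, "198.51.100.77"))  # 198.51.100.77
    print("hops=0, honest client :", simulate(0))                   # 10.244.1.7
```

With the value 1 from the procedure, the spoofed entry is ignored and the real client address wins. Setting 2 when only NGINX sits in front of Istio trusts one hop that does not exist, so the client's own header entry becomes the "trusted" address; setting 0 discards X-Forwarded-For entirely and every request looks like it came from the NGINX pod.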
Verify¶
1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your FQDN. Wait until the ADDRESS field shows the IP address of your Load Balancer:

       root@rok-tools:~/ops/deployments# kubectl get ingress -n istio-system istio-ingress
       NAME            CLASS   HOSTS             ADDRESS    PORTS     AGE
       istio-ingress   nginx   ekf.example.com   10.0.0.1   80, 443   1m

2. Verify that the SSL certificate is READY. Choose one of the following options based on who manages your SSL certificates.

   - If a cert-manager ClusterIssuer issues your certificate, check that the READY field is True:

         root@rok-tools:~/ops/deployments# kubectl get certificate -n istio-system
         NAME                            READY   SECRET                     AGE
         istio-ingress-tls-certificate   True    istio-ingress-tls-secret   1m

   - If you provided your own certificate, it is stored directly in a Kubernetes secret. Proceed to the next step to verify its contents.

3. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

       root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
       >     -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
       ...
               Subject: CN = ekf.example.com
       ...
               X509v3 extensions:
       ...
                   X509v3 Subject Alternative Name:
                       DNS:ekf.example.com

4. Open your browser and go to the EKF dashboard at https://<FQDN>/. Replace <FQDN> with your FQDN. For example: https://ekf.example.com/
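The CN/SAN check above is easy to get wrong by eye, for instance when the SAN list is long or the CN matches but the SAN does not. Here is an added example, not part of the Arrikto documentation, that parses the openssl x509 -text output from the previous step and compares it against the FQDN. The embedded certificate text is a constructed excerpt in the shape that command prints, not a real certificate; the script name check_cert.py in the usage comment is an assumption.

```python
import re
import sys

# Constructed excerpt of `openssl x509 -text` output (not a real certificate),
# in the shape the verification step above prints.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = arrikto-self-signing-issuer
        Subject: CN = ekf.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ekf.example.com, DNS:www.ekf.example.com
"""


def parse_x509_text(text):
    """Return (subject_cn, [san_dns_names]) from `openssl x509 -text` output."""
    cn = None
    subject = re.search(r"^\s*Subject:(.*)$", text, re.M)
    if subject:
        cn_match = re.search(r"\bCN\s*=\s*([^,/]+)", subject.group(1))
        if cn_match:
            cn = cn_match.group(1).strip()
    san_names = []
    san = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                san_names.append(entry[len("DNS:"):].strip())
    return cn, san_names


def check_certificate(text, fqdn):
    """Compare the certificate against the FQDN the Ingress serves.

    Browsers and most TLS clients match the host name only against the SAN
    list and ignore the CN when a SAN extension is present, so san_ok is the
    verdict that matters; cn_ok is reported for completeness.
    """
    cn, san_names = parse_x509_text(text)
    return {
        "cn": cn,
        "san": san_names,
        "cn_ok": cn == fqdn,
        "san_ok": fqdn in san_names,
    }


if __name__ == "__main__":
    # Usage, piping the verification command from the page into this script:
    #   kubectl get secrets -n istio-system istio-ingress-tls-secret \
    #     -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text \
    #     | python3 check_cert.py ekf.example.com
    wanted = sys.argv[1] if len(sys.argv) > 1 else "ekf.example.com"
    source = SAMPLE_X509_TEXT if sys.stdin.isatty() else sys.stdin.read()
    result = check_certificate(source, wanted)
    print(result)
    sys.exit(0 if result["san_ok"] else 1)
```

The exit status makes the check usable in a pre-flight script: a certificate whose SAN list does not contain the Ingress host will be rejected by browsers even if its CN is correct, so the script fails on san_ok alone.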