Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the ingress resource:

    resources:
    ...
    - ../../base/ingress.yaml
  3. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippets, including the toplevel patches directive:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    ...
  4. Edit rok/expose-ekf/overlays/deploy/patches/ingress-host.yaml and set value to your FQDN:

    - op: replace
      path: /spec/rules/0/host
      value: ekf.example.com
  5. Edit rok/expose-ekf/overlays/deploy/patches/ingress-tls.yaml and set hosts to your FQDN:

    spec:
      tls:
      - hosts:
        - ekf.example.com
  6. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the xff patch by uncommenting the corresponding snippet:

    patches:
    ...
    - path: patches/xff.yaml
      target:
        kind: EnvoyFilter
        name: xff-trust-hops
  7. Edit rok/expose-ekf/overlays/deploy/patches/xff.yaml and replace <TRUSTED_FRONT_PROXIES> with 1:

    - op: replace
      path: /spec/configPatches/0/patch/value/typed_config/xff_num_trusted_hops
      value: 1

    Note

    With MetalLB we have only one L7 proxy in front of Istio: NGINX.

  8. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the certificate-related snippets. Choose one of the following options based on who manages your SSL certificates.

    Enable the certificate patch:

    patches:
    ...
    - path: patches/certificate.yaml

    Enable the secret generator for the TLS secret:

    secretGenerator:
    - name: istio-ingress-tls-secret
      files:
      - secrets/tls.crt
      - secrets/tls.key
      type: "kubernetes.io/tls"
  9. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

    Edit rok/expose-ekf/overlays/deploy/patches/certificate.yaml, set both commonName and dnsNames to your subdomain and specify the ClusterIssuer name in issuerRef:

    spec:
      commonName: ekf.example.com
      dnsNames:
      - ekf.example.com
      issuerRef:
        name: arrikto-self-signing-issuer

    Put your SSL certificate under rok/expose-ekf/overlays/deploy/secrets/tls.crt and your private key under rok/expose-ekf/overlays/deploy/secrets/tls.key.

  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
  11. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-ekf/overlays/deploy

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your FQDN. Wait until the ADDRESS field shows the IP address of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl get ingress -n istio-system istio-ingress
    NAME            CLASS   HOSTS             ADDRESS    PORTS     AGE
    istio-ingress   nginx   ekf.example.com   10.0.0.1   80, 443   1m
  2. Verify that the SSL certificate is READY. Choose one of the following options based on who manages your SSL certificates.

    Check that the READY field is True:

    root@rok-tools:~/ops/deployments# kubectl get certificate -n istio-system
    NAME                            READY   SECRET                     AGE
    istio-ingress-tls-certificate   True    istio-ingress-tls-secret   1m

    Your Certificate will be stored directly in a Kubernetes secret. Proceed to the next step to verify its contents.

  3. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

    root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
    >     -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
    ...
            Subject: CN = ekf.example.com
    ...
            X509v3 extensions:
    ...
                X509v3 Subject Alternative Name:
                    DNS:ekf.example.com
  4. Open your browser and go to the EKF dashboard at:

    https://<FQDN>/

    Replace <FQDN> with your FQDN. For example:

    https://ekf.example.com/
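
The CN and SAN inspection in step 3 can be scripted and extended to confirm that the private key belongs to the certificate, a check that is also worth running on secrets/tls.crt and secrets/tls.key before committing them. The following is an added example, not part of the original guide or its tooling; the function names check_tls_pair and make_sample_pair are hypothetical and the sample pair is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are hypothetical.

# check_tls_pair FQDN CERT KEY
# Returns 0 when CERT is unexpired, covers FQDN, and KEY is its private key.
# Returns 1 (unreadable/expired), 2 (hostname mismatch) or 3 (key mismatch).
check_tls_pair() {
    local fqdn="$1" crt="$2" key="$3"
    local cert_pub key_pub

    # 1. The certificate must parse and must not already be expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $crt is unreadable or expired" >&2
        return 1
    fi

    # 2. The FQDN must be covered by the certificate. -checkhost reports the
    #    result as text, so match on its output rather than its exit status.
    if ! openssl x509 -in "$crt" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $fqdn is not covered by $crt" >&2
        return 2
    fi

    # 3. The public key derived from the private key must equal the
    #    public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $crt" >&2
        return 3
    fi
    echo "OK: $crt covers $fqdn and matches $key"
}

# make_sample_pair DIR CN: constructed self-signed pair, for the demo only.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

# Demo on a constructed pair, using the page's example hostname.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" ekf.example.com
check_tls_pair ekf.example.com "$demo_dir/tls.crt" "$demo_dir/tls.key"
```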

Summary

You have successfully configured Istio and exposed EKF to the outside world.

What’s Next

The next step is to expose your ML models to the outside world.