Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
    
  2. Compute the FQDN for your Azure Load Balancer:

    root@rok-tools:~/ops/deployments# echo ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com
    arrikto-cluster.eastus.cloudapp.azure.com
    
  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and use the ingress-nginx-tls resource instead of base:

    resources:
    #- ../../base
    - ../ingress-nginx-tls
    
  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    resources:
    #- ../../base
    - ../ingress-nginx-tls
    # Trusted front proxies in front of Istio IngressGateway. This is needed in
    # order to handle XFF-related headers correctly. If running Istio IngressGateway
    # behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set
    # the `xff_trusted_hops` value to the number of trusted proxies in front of the
    # Gateway.
    - trusted-front-proxies.yaml
    
  5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the ingress-host.yaml, ingress-tls.yaml and certificate.yaml patches:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    - path: patches/certificate.yaml
    
  6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN for your Azure Load Balancer from step 2:

    - op: replace
      path: /spec/rules/0/host
      value: arrikto-cluster.eastus.cloudapp.azure.com
    
  7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Azure Load Balancer:

    spec:
      tls:
      - hosts:
        - arrikto-cluster.eastus.cloudapp.azure.com
    
  8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml and set both commonName and dnsNames to the FQDN for your Azure Load Balancer:

    spec:
      commonName: arrikto-cluster.eastus.cloudapp.azure.com
      dnsNames:
      - arrikto-cluster.eastus.cloudapp.azure.com
    
  9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

    # Number of trusted proxies in front of the Gateway.
    xff_num_trusted_hops: 1
    
  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    
  11. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
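
A preflight check for the edits in steps 3 to 9, as an added example that is not part of the original guide or of rok-tools: it confirms that the Ingress rule, the TLS hosts and the certificate all name the same FQDN, that the TLS overlay replaced base, and that the trusted hop count matches the single NGINX proxy. The helper names (`active`, `names_in`, `enabled`, `fail`, `check_overlay`) are hypothetical, and the files are assumed to have the shape shown in the steps above.

```bash
# Added example, not part of the original guide. Helper names are hypothetical;
# the files are assumed to have the shape shown in steps 3-9.

# Print a file without comment lines or surrounding whitespace.
active() { sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' "$1"; }

# Hostnames set in a patch: value:/commonName: scalars and plain list items.
names_in() {
  active "$1" | awk '$1 == "value:" || $1 == "commonName:" { print $2 }
                     $1 == "-" && NF == 2 && $2 !~ /:$/    { print $2 }' | sort -u
}

fail()    { echo "FAIL: $*" >&2; rc=1; }                # sets the caller's rc
enabled() { printf '%s\n' "$k" | grep -qxF -- "$1"; }   # reads the caller's k

# usage: check_overlay <overlay-dir> <fqdn> [trusted-hops, default 1]
check_overlay() {
  local dir="$1" fqdn="$2" hops="${3:-1}" rc=0 k p n
  k=$(active "$dir/kustomization.yaml")

  enabled '- ../ingress-nginx-tls'       || fail "ingress-nginx-tls resource not enabled"
  enabled '- ../../base'                 && fail "base resource is still enabled"
  enabled '- trusted-front-proxies.yaml' || fail "trusted-front-proxies.yaml not enabled"

  for p in ingress-host ingress-tls certificate; do
    enabled "- path: patches/$p.yaml" || fail "patch $p.yaml not enabled"
    # Ingress rule, TLS hosts and certificate must all name the same FQDN.
    n=$(names_in "$dir/patches/$p.yaml")
    [ "$n" = "$fqdn" ] || fail "$p.yaml sets [$(echo $n)], expected $fqdn"
  done

  # One trusted hop per proxy in front of the IngressGateway (NGINX only here).
  n=$(active "$dir/trusted-front-proxies.yaml" | awk '$1 == "xff_num_trusted_hops:" { print $2 }')
  [ "$n" = "$hops" ] || fail "xff_num_trusted_hops is '$n', expected $hops"
  return "$rc"
}

# Check a real checkout when invoked with arguments.
if [ "$#" -ge 2 ]; then check_overlay "$@"; fi
```

Run it from `~/ops/deployments` before committing in step 10, passing the overlay directory and the FQDN computed in step 2; a non-zero exit status means at least one `FAIL:` line was printed.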
    

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your Azure Load Balancer FQDN:

    root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
    NAME            HOSTS                                      ADDRESS      PORTS  AGE
    istio-ingress   arrikto-cluster.eastus.cloudapp.azure.com  10.42.42.42  80     1m
    
  2. Open your browser, and go to the Rok UI at https://arrikto-cluster.eastus.cloudapp.azure.com/rok/.

Summary

You have successfully configured Istio and exposed Rok to the outside world.

What’s Next

The next step is to deploy Kubeflow.