Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller. TLS termination will happen at the ALB in front of NGINX.

Choose one of the following options to expose Istio:

Option 1: Expose Istio Automatically (preferred)

Expose Istio by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-alb-istio
../../../../_images/eks-alb-istio.png

Proceed to the Summary section.

Option 2: Expose Istio Manually

If you want to expose Istio manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-alb-acm)
    root@rok-tools:~/ops/deployments# export EKS_ALB_ACM_SUBDOMAIN
  3. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the ingress resource:

    resources: - ../../base - ../../base/ingress.yaml

    Note

    TLS termination takes place on the ALB with an ACM certificate, and thus you will create a plain HTTP ingress.

  4. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and uncomment the xff patch, including the toplevel patches directive:

    patches: #- path: patches/ingress-host.yaml # target: # kind: Ingress # name: istio-ingress #- path: patches/ingress-tls.yaml #- path: patches/certificate.yaml - path: patches/xff.yaml target: kind: EnvoyFilter name: xff-trust-hops
  5. Set the number of trusted proxies in front of the Gateway:

    root@rok-tools:~/ops/deployments# export TRUSTED_FRONT_PROXIES=2

    Note

    ALB acts as a L7 edge proxy so you have two proxies in front of Istio: ALB and NGINX.

  6. Render the Istio envoy filter patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \ > rok/expose-ekf/overlays/deploy/patches/xff.yaml.j2 \ > -o rok/expose-ekf/overlays/deploy/patches/xff.yaml
  7. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the ingress-host patch by uncommenting the corresponding snippet. The final result will look like this:

    patches: - path: patches/ingress-host.yaml target: kind: Ingress name: istio-ingress #- path: patches/ingress-tls.yaml #- path: patches/certificate.yaml - path: patches/xff.yaml target: kind: EnvoyFilter name: xff-trust-hops

    Note

    There may be cases where you have more that one patches directives in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In cases like this, you need to merge the two patches: sections before you save the file, so you end up with only a single patches: section, a single list of patches. To do so:

    1. Delete the extra patches line so that only one remains.

    2. Cut and paste the rest of the lines under the remaining patches directive. The final result will look like this:

      patches: - path: patches/ingress-host.yaml target: kind: Ingress name: istio-ingress # Generated by rok-image-patch - target: kind: ConfigMap name: istio-sidecar-injector path: patches/image-patch-istio-sidecar-injector.yaml
    3. Ensure that you have only one toplevel patches directive:

      root@rok-tools:~/ops/deployments# grep ^patches: rok/expose-ekf/overlays/deploy/kustomization.yaml | wc -l 1
  8. Render the Istio ingress patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \ > rok/expose-ekf/overlays/deploy/patches/ingress-host.yaml.j2 \ > -o rok/expose-ekf/overlays/deploy/patches/ingress-host.yaml
  9. Save your state:

    root@rok-tools:~/ops/deployments# rok-j2 deploy/env.eks-alb-istio.j2 \ > -o deploy/env.eks-alb-istio
  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio"
  11. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-ekf/overlays/deploy
  12. Mark your progress:

    root@rok-tools:~/ops/deployments# export DATE=$(date -u "+%Y-%m-%dT%H.%M.%SZ")
    root@rok-tools:~/ops/deployments# git tag \ > -a deploy/${DATE?}/release-2.0/eks-alb-istio \ > -m "Expose Istio"

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-alb-acm)
    root@rok-tools:~/ops/deployments# export EKS_ALB_ACM_SUBDOMAIN
  3. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your SUBDOMAIN. Wait until the ADDRESS field shows the hostname of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress NAME CLASS HOSTS ADDRESS PORTS AGE istio-ingress nginx arrikto-cluster.apps.example.com e53a524a-ingressnginx-ingr-8872-592794601.us-east-1.elb.amazonaws.com 80 1m
  4. Obtain the FQDN of your Load Balancer:

    root@rok-tools:~/ops/deployments# echo ${EKS_ALB_ACM_SUBDOMAIN?} arrikto-cluster.apps.example.com
  5. Open your browser, and go to the Rok UI at

    https://<YOUR_SUBDOMAIN>/rok/

    Replace <YOUR_SUBDOMAIN> with your the value of EKS_ALB_ACM_SUBDOMAIN. For example:

    https://arrikto-cluster.apps.example.com/rok/

Summary

You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.

What’s Next

The next step is to expose your ML models to the outside world.