Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Obtain the FQDN of your Load Balancer. Copy the output to your clipboard, as you are going to use this value in later steps:

    root@rok-tools:~/ops/deployments# kubectl get services -n ingress-nginx ingress-nginx \
    >     -o jsonpath='{.status.loadBalancer.ingress[].hostname}{"\n"}'
    a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
  3. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the necessary resources, as shown in the snippets below. Choose one of the following options based on who manages your SSL certificates.

    resources:
    - ../../base
    - ../../base/ingress.yaml

    resources:
    - ../../base
    - ../../base/ingress.yaml
    - ../../base/certificate.yaml
  4. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and uncomment the xff patch, including the top-level patches directive.

    patches:
    # - path: patches/ingress-host.yaml
    #   target:
    #     kind: Ingress
    #     name: istio-ingress
    # - path: patches/ingress-tls.yaml
    # - path: patches/certificate.yaml
    - path: patches/xff.yaml
      target:
        kind: EnvoyFilter
        name: xff-trust-hops
  5. Edit rok/expose-ekf/overlays/deploy/patches/xff.yaml and replace <TRUSTED_FRONT_PROXIES> with 1:

    - op: replace
      path: /spec/configPatches/0/patch/value/typed_config/xff_num_trusted_hops
      value: 1
  6. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippet. The final result will look like this:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    # - path: patches/certificate.yaml
    - path: patches/xff.yaml
      target:
        kind: EnvoyFilter
        name: xff-trust-hops

    Note

    There may be cases where you have more than one patches directive in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In such cases, you need to merge the patches: sections before you save the file, so that you end up with a single patches: section containing a single list of patches. To do so:

    1. Delete the extra patches line so that only one remains.

    2. Cut and paste the rest of the lines under the remaining patches directive. The final result will look like this:

      patches:
      - path: patches/ingress-host.yaml
        target:
          kind: Ingress
          name: istio-ingress
      - path: patches/ingress-tls.yaml
      # Generated by rok-image-patch
      - target:
          kind: ConfigMap
          name: istio-sidecar-injector
        path: patches/image-patch-istio-sidecar-injector.yaml
    3. Ensure that you have only one top-level patches directive:

      root@rok-tools:~/ops/deployments# grep ^patches: rok/expose-ekf/overlays/deploy/kustomization.yaml | wc -l
      1
  7. Edit rok/expose-ekf/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

    - op: replace
      path: /spec/rules/0/host
      value: a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com  # <-- Update this line with your FQDN
  8. Edit rok/expose-ekf/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Load Balancer:

    spec:
      tls:
      - hosts:
        - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com  # <-- Update this line with your FQDN
  9. Edit rok/expose-ekf/overlays/deploy/kustomization.yaml and enable the corresponding snippets. Choose one of the following options based on who manages your SSL certificates.

    Enable the secret generator for the TLS secret:

    secretGenerator:
    - name: istio-ingress-tls-secret
      files:
      - secrets/tls.crt
      - secrets/tls.key
      type: "kubernetes.io/tls"

    Enable the certificate patch:

    patches:
    ...
    - path: patches/certificate.yaml
  10. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

    1. Put your SSL certificate under rok/expose-ekf/overlays/deploy/secrets/tls.crt.
    2. Put your private key under rok/expose-ekf/overlays/deploy/secrets/tls.key.

    Edit rok/expose-ekf/overlays/deploy/patches/certificate.yaml, and:

    1. obtain the part up to the first dot of the FQDN of your Load Balancer.
    2. set commonName to the first part of the FQDN for your Load Balancer.
    3. set dnsNames to contain both the first part and the whole FQDN of your Load Balancer.

    spec:
      commonName: a4d794bfa6d7e440facc4398bf96edde-992601283  # <-- Update this line with the first part of your FQDN
      dnsNames:
      - a4d794bfa6d7e440facc4398bf96edde-992601283  # <-- Update this line with the first part of your FQDN
      - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com  # <-- Update this line with your FQDN
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
  12. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-ekf/overlays/deploy
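The following is an added example, not code from this page or from the Rok project, illustrating why step 5 sets <TRUSTED_FRONT_PROXIES> to 1 when exactly one NGINX Ingress hop sits in front of the Istio gateway. It assumes the gateway's Envoy resolves the client address with use_remote_address semantics (N trusted hops means the N-th address from the right of the received X-Forwarded-For header), and every IP address in it is a constructed sample value.

```python
# Added example (not part of the original page): what the xff_num_trusted_hops
# value set in step 5 means for the client address Istio's gateway records.
# Assumption: the gateway's Envoy runs with use_remote_address enabled, so with
# N trusted hops it takes the N-th address from the right of the X-Forwarded-For
# header it receives (N = 0 means the TCP peer itself). All IPs are constructed.

def front_proxy_forward(client_ip, client_xff):
    """Constructed model of one front proxy (the NGINX Ingress Controller)
    appending the source address it saw to whatever XFF the client sent."""
    return f"{client_xff}, {client_ip}" if client_xff else client_ip


def resolve_client_address(peer_ip, xff_header, xff_num_trusted_hops):
    """Address Envoy treats as the origin client for a request arriving from
    peer_ip with the given X-Forwarded-For header."""
    if xff_num_trusted_hops <= 0:
        return peer_ip                      # nobody trusted: the peer is the client
    addrs = [a.strip() for a in xff_header.split(",") if a.strip()]
    if len(addrs) < xff_num_trusted_hops:
        return peer_ip                      # header too short: fall back to the peer
    return addrs[len(addrs) - xff_num_trusted_hops]


def trusted_hops_outcomes(real_client="203.0.113.5", nginx_pod="10.244.1.7",
                          client_supplied_xff="10.0.0.1"):
    """For a client that ships its own XFF value, return the address the gateway
    would record under each trusted-hops setting, keyed by that setting.
    Only the value 1 yields the address NGINX actually observed; 0 loses the
    client behind the NGINX pod, and 2 records whatever the client supplied,
    which would mislead any IP-based policy or audit log downstream."""
    xff_at_gateway = front_proxy_forward(real_client, client_supplied_xff)
    return {hops: resolve_client_address(nginx_pod, xff_at_gateway, hops)
            for hops in (0, 1, 2)}


if __name__ == "__main__":
    for hops, addr in trusted_hops_outcomes().items():
        print(f"xff_num_trusted_hops={hops}: client seen as {addr}")
```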

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match the FQDN of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl get ingress -n istio-system istio-ingress
    NAME            CLASS   HOSTS                                                                    ADDRESS                                                                  PORTS     AGE
    istio-ingress   nginx   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   80, 443   1m
  2. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

    root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
    >     -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
    ...
            Subject: CN = a4d794bfa6d7e440facc4398bf96edde-992601283
    ...
            X509v3 extensions:
    ...
                X509v3 Subject Alternative Name:
                    DNS:a4d794bfa6d7e440facc4398bf96edde-992601283, DNS:a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
  3. Open your browser, and go to the Rok UI at

    https://<FQDN>/rok/

    Replace <FQDN> with your FQDN. For example:

    https://a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com/rok/

Summary

You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.

What’s Next

The next step is to expose your ML models to the outside world.