Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
    
  2. Obtain the FQDN of your Load Balancer. Copy the output to your clipboard, as you are going to use this value in later steps:

    root@rok-tools:~/ops/deployments# kubectl get services -n ingress-nginx ingress-nginx \
    >     -o jsonpath='{.status.loadBalancer.ingress[].hostname}{"\n"}'
    a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
    
  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and set the base overlay. Choose one of the following options based on who manages your SSL certificates.

    resources:
    - ../ingress-nginx
    
    resources:
    - ../ingress-nginx-tls
    
  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    resources:
    ...
    - trusted-front-proxies.yaml
    
  5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

    # Number of trusted proxies in front of the Gateway.
    xff_num_trusted_hops: 1
    
  6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting

    the corresponding snippet, including the toplevel patches directive. The final result will look like this:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    

    Note

    There may be cases where you have more that one patches directives in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In cases like this, you need to merge the two patches: sections before you save the file, so you end up with only a single patches: section, a single list of patches. To do so:

    1. Delete the extra patches line so that only one remains.

    2. Cut and paste the rest of the lines under the remaining patches directive. The final result will look like this:

      patches:
      - path: patches/ingress-host.yaml
        target:
          kind: Ingress
          name: istio-ingress
      - path: patches/ingress-tls.yaml
      # Generated by rok-image-patch
      - target:
          kind: ConfigMap
          name: istio-sidecar-injector
        path: patches/image-patch-istio-sidecar-injector.yaml
      
    3. Ensure that you have only one toplevel patches directive:

      root@rok-tools:~/ops/deployments# grep ^patches: rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml | wc -l
      1
      
  7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

    - op: replace
      path: /spec/rules/0/host
      value: a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
    
  8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Load Balancer:

    spec:
      tls:
      - hosts:
        - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
    
  9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the corresponding snippets. Choose one of the following options based on who manages your SSL certificates.

    Enable the secret generator for the TLS secret:

    secretGenerator:
    - name: istio-ingress-tls-secret
      files:
      - secrets/tls.crt
      - secrets/tls.key
      type: "kubernetes.io/tls"
    

    Enable the certificate.yaml patch:

    patches:
    ...
    - path: patches/certificate.yaml
    
  10. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

    1. Put your SSL certificate under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.crt
    2. Put your private key under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.key.

    Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, and:

    1. obtain the part up to the first dot of the FQDN of your Load Balancer.
    2. set commonName to the first part of the FQDN for your Load Balancer.
    3. set dnsNames to contain both the first part and the whole FQDN of your Load Balancer.
    spec:
      commonName: a4d794bfa6d7e440facc4398bf96edde-992601283 # <-- Update this line with the first part of your FQDN
      dnsNames:
      - a4d794bfa6d7e440facc4398bf96edde-992601283 # <-- Update this line with the first part of your FQDN
      - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
    
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    
  12. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
    

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match the FQDN of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl get ingress -n istio-system istio-ingress
    NAME            HOSTS                                                                    ADDRESS                                                                  PORTS     AGE
    istio-ingress   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   80, 443   1m
    
  2. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

    root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
    >    -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
    ...
            Subject: CN = a4d794bfa6d7e440facc4398bf96edde-992601283
    ...
            X509v3 extensions:
    ...
                X509v3 Subject Alternative Name:
                    DNS:a4d794bfa6d7e440facc4398bf96edde-992601283, DNS:a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
    
  3. Open your browser, and go to the Rok UI at

    https://<FQDN>/rok/
    

    Replace <FQDN> with your FQDN. For example:

    https://a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com/rok/
    

Summary

You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.

What’s Next

Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.