Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
    
  2. Obtain the FQDN of your Load Balancer. Copy the output to your clipboard, as you are going to use this value in later steps:

    root@rok-tools:~/ops/deployments# kubectl get services -n ingress-nginx ingress-nginx \
    >     -o jsonpath='{.status.loadBalancer.ingress[].hostname}{"\n"}'
    a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
    
  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and set the base overlay to one of the following two resources, depending on whether you want to use an existing certificate or create a new one using cert-manager:

    resources:
    - ../ingress-nginx
    
    resources:
    - ../ingress-nginx-tls
    
  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    resources:
    ...
    - trusted-front-proxies.yaml
    
  5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

    # Number of trusted proxies in front of the Gateway.
    xff_num_trusted_hops: 1
    
  6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the ingress-host.yaml and ingress-tls.yaml patches:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    
  7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

    - op: replace
      path: /spec/rules/0/host
      value: a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
    
  8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Load Balancer:

    spec:
      tls:
      - hosts:
        - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
    
  9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the corresponding snippet based on the certificate you are going to use:

    If you are using an existing certificate, enable the secret generator for the TLS secret:

    secretGenerator:
    - name: istio-ingress-tls-secret
      files:
      - secrets/tls.crt
      - secrets/tls.key
      type: "kubernetes.io/tls"
    

    If you are using cert-manager, enable the certificate.yaml patch:

    patches:
    ...
    - path: patches/certificate.yaml
    
  10. Configure your certificate based on the certificate you are going to use:

    If you are using an existing certificate:

    1. Put your SSL certificate under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.crt.
    2. Put your private key under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.key.

    If you are using cert-manager, edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, and:

    1. Obtain the part up to the first dot of the FQDN of your Load Balancer.
    2. Set commonName to the first part of the FQDN of your Load Balancer.
    3. Set dnsNames to contain both the first part and the whole FQDN of your Load Balancer.

    spec:
      commonName: a4d794bfa6d7e440facc4398bf96edde-992601283 # <-- Update this line with the first part of your FQDN
      dnsNames:
      - a4d794bfa6d7e440facc4398bf96edde-992601283 # <-- Update this line with the first part of your FQDN
      - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
    
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    
  12. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
    

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match the FQDN of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl get ingress -n istio-system istio-ingress
    NAME            HOSTS                                                                    ADDRESS                                                                  PORTS     AGE
    istio-ingress   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   80, 443   1m
    
  2. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

    root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
    >    -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
    ...
            Subject: CN = a4d794bfa6d7e440facc4398bf96edde-992601283
    ...
            X509v3 extensions:
    ...
                X509v3 Subject Alternative Name:
                    DNS:a4d794bfa6d7e440facc4398bf96edde-992601283, DNS:a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
    
  3. Open your browser, and go to the Rok UI at

    https://<FQDN>/rok/
    

    Replace <FQDN> with your FQDN. For example:

    https://a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com/rok/
    

Summary

You have successfully configured Istio and exposed Rok to the outside world.

What’s Next

The next step is to deploy Kubeflow.