Expose Istio
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing AKS cluster.
- A working cert-manager deployment.
- A working NGINX Ingress Controller deployment.
Procedure

1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:/# cd ~/ops/deployments

2. Compute the FQDN for your Azure Load Balancer:

       root@rok-tools:~/ops/deployments# echo ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com
       arrikto-cluster.eastus.cloudapp.azure.com

3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and use the ingress-nginx-tls resource instead of arrikto:

       resources:
       #- ../arrikto
       - ../ingress-nginx-tls

4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

       resources:
       #- ../arrikto
       - ../ingress-nginx-tls

       # Trusted front proxies in front of Istio IngressGateway. This is needed in
       # order to handle XFF-related headers correctly. If running Istio IngressGateway
       # behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set
       # the `xff_trusted_hops` value to the number of trusted proxies in front of the
       # Gateway.
       - trusted-front-proxies.yaml

5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the ingress-host.yaml, ingress-tls.yaml and certificate.yaml patches:

       patches:
       - path: patches/ingress-host.yaml
         target:
           kind: Ingress
           name: istio-ingress
       - path: patches/ingress-tls.yaml
       - path: patches/certificate.yaml

6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN for your Azure Load Balancer from step 2:

       - op: replace
         path: /spec/rules/0/host
         value: arrikto-cluster.eastus.cloudapp.azure.com

7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Azure Load Balancer:

       spec:
         tls:
         - hosts:
           - arrikto-cluster.eastus.cloudapp.azure.com

8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml and set both commonName and dnsNames to the FQDN for your Azure Load Balancer:

       spec:
         commonName: arrikto-cluster.eastus.cloudapp.azure.com
         dnsNames:
         - arrikto-cluster.eastus.cloudapp.azure.com

9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

       # Number of trusted proxies in front of the Gateway.
       xff_num_trusted_hops: 1

10. Commit your changes:

        root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"

11. Apply the kustomization:

        root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
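Why xff_num_trusted_hops has to equal the real number of proxies in front of the gateway (one NGINX here), shown as an added example that is not Arrikto or Istio code. It is a simplified model that assumes Envoy's documented rule with use_remote_address enabled and a front proxy that appends to X-Forwarded-For; the function names and all addresses are constructed for illustration.

```python
# Added example (not Arrikto or Istio code): simplified model of how a gateway
# picks the trusted client address from X-Forwarded-For (XFF).
# Assumption: Envoy's documented rule with use_remote_address enabled.
from ipaddress import ip_address


def trusted_client_address(xff_header, peer_address, num_trusted_hops):
    """Return the address the gateway treats as the real client.

    xff_header:       XFF value received from the directly connected peer
    peer_address:     source address of that connection
    num_trusted_hops: the xff_num_trusted_hops setting
    """
    if num_trusted_hops < 0:
        raise ValueError("num_trusted_hops must be >= 0")
    if num_trusted_hops == 0:
        return peer_address  # XFF is ignored entirely
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    if len(entries) < num_trusted_hops:
        return peer_address  # not enough entries: fall back to the peer
    candidate = entries[-num_trusted_hops]  # Nth entry from the right
    try:
        ip_address(candidate)
    except ValueError:
        return peer_address  # unparsable entry: fall back to the peer
    return candidate


def append_xff(existing_xff, seen_address):
    """Hypothetical front proxy that appends the address it saw to XFF."""
    return f"{existing_xff}, {seen_address}" if existing_xff else seen_address


# Constructed sample values (documentation and private address ranges).
NGINX_ADDR = "10.0.0.5"            # the one proxy in front of the gateway
CLIENT_ADDR = "203.0.113.7"        # real client, as seen by the proxy
CLIENT_SENT_XFF = "198.51.100.99"  # value the client itself put in XFF
RECEIVED_XFF = append_xff(CLIENT_SENT_XFF, CLIENT_ADDR)


def compare_settings():
    """Trusted address for several hop counts with exactly one real proxy."""
    return {n: trusted_client_address(RECEIVED_XFF, NGINX_ADDR, n)
            for n in (0, 1, 2, 3)}


if __name__ == "__main__":
    for hops, addr in compare_settings().items():
        print(f"xff_num_trusted_hops={hops}: trusted client = {addr}")
```

With one proxy in front, a value of 1 yields the address the proxy recorded, 0 attributes every request to the proxy itself, and 2 accepts a value the client supplied.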
Verify

1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your Azure Load Balancer FQDN:

       root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
       NAME            HOSTS                                       ADDRESS       PORTS   AGE
       istio-ingress   arrikto-cluster.eastus.cloudapp.azure.com   10.42.42.42   80      1m

2. Open your browser, and go to the Rok UI at https://arrikto-cluster.eastus.cloudapp.azure.com/rok/.
Summary
You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.
What's Next
Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.