Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
    
  2. Compute the FQDN for your Azure Load Balancer:

    root@rok-tools:~/ops/deployments# echo ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com
    arrikto-cluster.eastus.cloudapp.azure.com
    
  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and use the ingress-nginx-tls resource instead of arrikto:

    resources:
    #- ../arrikto
    - ../ingress-nginx-tls
    
  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    resources:
    #- ../arrikto
    - ../ingress-nginx-tls
    # Trusted front proxies in front of Istio IngressGateway. This is needed in
    # order to handle XFF-related headers correctly. If running Istio IngressGateway
    # behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set
    # the `xff_trusted_hops` value to the number of trusted proxies in front of the
    # Gateway.
    - trusted-front-proxies.yaml
    
  5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the ingress-host.yaml, ingress-tls.yaml and certificate.yaml patches:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    - path: patches/certificate.yaml
    
  6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN for your Azure Load Balancer from step 2:

    - op: replace
      path: /spec/rules/0/host
      value: arrikto-cluster.eastus.cloudapp.azure.com
    
  7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Azure Load Balancer:

    spec:
      tls:
      - hosts:
        - arrikto-cluster.eastus.cloudapp.azure.com
    
  8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml and set both commonName and dnsNames to the FQDN for your Azure Load Balancer:

    spec:
      commonName: arrikto-cluster.eastus.cloudapp.azure.com
      dnsNames:
      - arrikto-cluster.eastus.cloudapp.azure.com
    
  9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1, so that the NGINX Ingress Controller counts as the one trusted proxy in front of the Gateway:

    # Number of trusted proxies in front of the Gateway.
    xff_num_trusted_hops: 1
    
  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    
  11. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
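
Why step 9 sets the hop count to exactly 1, as an added example that is not part of the original guide or of Istio's or Envoy's code: a simplified Python model of how Envoy picks the client address from X-Forwarded-For when its use_remote_address option is enabled. The addresses are constructed, and the front proxy appending its peer address to the header is an assumption.

```python
# Constructed addresses from documentation/private ranges.
CLIENT = "203.0.113.7"       # real client, as seen by the front proxy
FORGED = "198.51.100.99"     # value the client put in its own XFF header
NGINX_POD = "10.244.1.5"     # front proxy, the gateway's direct peer


def parse_xff(header):
    """Split an X-Forwarded-For value into a list of address strings."""
    return [p.strip() for p in header.split(",") if p.strip()]


def proxy_append(xff, peer_addr):
    """Assumed front-proxy behaviour: append the connecting peer to XFF."""
    return f"{xff}, {peer_addr}" if xff.strip() else peer_addr


def trusted_client(xff, downstream_addr, trusted_hops):
    """Pick the address the gateway treats as the client.

    With N trusted hops, take the Nth entry from the right of XFF; with
    N == 0, or fewer than N entries, fall back to the direct peer.
    """
    hops = parse_xff(xff)
    if trusted_hops <= 0 or len(hops) < trusted_hops:
        return downstream_addr
    return hops[-trusted_hops]


def gateway_view(trusted_hops, client_sent_xff=FORGED):
    """Client -> one front proxy -> gateway, for a given trusted_hops."""
    xff_at_gateway = proxy_append(client_sent_xff, CLIENT)
    return trusted_client(xff_at_gateway, NGINX_POD, trusted_hops)


if __name__ == "__main__":
    for n in (0, 1, 2):
        print(f"xff_num_trusted_hops={n}: client = {gateway_view(n)}")
```

With one proxy in front, a value of 1 yields the address that proxy recorded, 0 attributes every request to the proxy itself, and 2 accepts whatever the client wrote into the header.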
    

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your Azure Load Balancer FQDN:

    root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
    NAME            HOSTS                                      ADDRESS      PORTS  AGE
    istio-ingress   arrikto-cluster.eastus.cloudapp.azure.com  10.42.42.42  80     1m
    
  2. Open your browser and go to the Rok UI at https://arrikto-cluster.eastus.cloudapp.azure.com/rok/.

Summary

You have successfully configured Istio and exposed Rok to the outside world. This completes the whole installation process.

What's Next

Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.