Expose Istio
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller. TLS termination will happen at the ALB in front of NGINX.
Fast Forward
If you have already exposed Istio, proceed to the Verify section.
Choose one of the following options to expose Istio:
Overview
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing EKS cluster.
- A working AWS Load Balancer Controller deployment.
- A working NGINX Ingress Controller deployment.
Option 1: Expose Istio Automatically (preferred)
Expose Istio by following the on-screen instructions on the rok-deploy user interface. If rok-deploy is not already running, start it with:
root@rok-tools:~# rok-deploy --run-from eks-alb-istio
Proceed to the Summary section.
Option 2: Expose Istio Manually
If you want to expose Istio manually, follow the instructions below.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:
root@rok-tools:/# cd ~/ops/deployments
Restore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-alb-acm)
root@rok-tools:~/ops/deployments# export EKS_ALB_ACM_SUBDOMAIN
Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and use ingress-nginx instead of arrikto as the base overlay:
resources:
#- ../arrikto
- ../ingress-nginx
Note
TLS termination takes place on the ALB with an ACM certificate, and thus you will create a plain HTTP ingress.
Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:
resources:
#- ../arrikto
- ../ingress-nginx
# Trusted front proxies in front of Istio IngressGateway. This is needed in
# order to handle XFF-related headers correctly. If running Istio IngressGateway
# behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set
# the `xff_trusted_hops` value to the number of trusted proxies in front of the
# Gateway.
- trusted-front-proxies.yaml
Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 2:
# Number of trusted proxies in front of the Gateway.
xff_num_trusted_hops: 2
Note
ALB acts as an L7 edge proxy, so you have two proxies in front of Istio: ALB and NGINX.
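Why the value has to equal the real number of proxies is easiest to see by modelling the header handling. The following is an added example, not Arrikto, Istio or Envoy code: the addresses are constructed, and the selection rule (append the immediate peer to X-Forwarded-For, then take the (N+1)-th entry from the right, falling back to the peer when the header is shorter) is a simplified restatement of Envoy's documented behaviour, taken here as an assumption rather than as the implementation.

```python
"""Model of how the Istio IngressGateway (Envoy) picks the client address out
of X-Forwarded-For (XFF) given a trusted-hop count, and what goes wrong when
that count does not match the real chain (ALB, then NGINX, so 2 hops here).

Added illustration, not Arrikto, Istio or Envoy code. The selection rule is a
simplified restatement of the documented Envoy behaviour with
use_remote_address enabled; treat it as a model, not the implementation.
"""

from typing import List, Optional, Tuple


def forward_through_proxies(
    client_ip: str, proxy_ips: List[str], client_xff: Optional[str] = None
) -> Tuple[str, str]:
    """Simulate client -> proxies -> gateway for a single request.

    Every proxy appends the address it received the request from (this is what
    ALB and NGINX do with X-Forwarded-For). A client may already send an XFF
    header of its own; it is passed through like any other value.
    Returns (xff_header_as_seen_by_gateway, gateway_peer_address).
    """
    entries = [e.strip() for e in client_xff.split(",")] if client_xff else []
    peer = client_ip
    for proxy in proxy_ips:
        entries.append(peer)  # the hop records which address talked to it
        peer = proxy          # and becomes the peer of the next hop
    return ", ".join(entries), peer


def trusted_client_address(xff_header: str, peer_ip: str, num_trusted_hops: int) -> str:
    """Return the address the gateway will treat as the real client."""
    chain = [e.strip() for e in xff_header.split(",") if e.strip()]
    chain.append(peer_ip)  # the gateway appends its own immediate peer
    index = len(chain) - 1 - num_trusted_hops  # (N+1)-th entry from the right
    if index < 0:
        return peer_ip  # not enough entries: trust only the direct connection
    return chain[index]


def hop_count_verdict(actual_proxies: int, configured_hops: int) -> str:
    """Explain the effect of a given xff_num_trusted_hops for a known chain."""
    if configured_hops == actual_proxies:
        return "ok: the original client address is used"
    if configured_hops > actual_proxies:
        return "overcounted: a client-supplied XFF entry would be trusted as the client address"
    return "undercounted: every request appears to come from a proxy address"


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not real hosts.
    CLIENT, ALB, NGINX = "203.0.113.7", "10.0.1.10", "10.0.2.20"
    for configured in (1, 2, 3):
        xff, peer = forward_through_proxies(CLIENT, [ALB, NGINX], client_xff="198.51.100.1")
        seen = trusted_client_address(xff, peer, configured)
        print(f"xff_num_trusted_hops={configured}: gateway sees {seen} -> {hop_count_verdict(2, configured)}")
```

With the two-proxy chain of this page, only xff_num_trusted_hops: 2 yields the original client address; a larger value lets a header value the client itself supplied stand in for its address, and a smaller one reports the ALB address for every request. Both failure modes matter for any access logging, rate limiting or IP-based policy that runs behind the gateway.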
Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable only the ingress-host patch by uncommenting the corresponding snippet, including the top-level patches directive. The final result will look like this:
patches:
- path: patches/ingress-host.yaml
  target:
    kind: Ingress
    name: istio-ingress
#- path: patches/ingress-tls.yaml
#- path: patches/certificate.yaml
Note
There may be cases where you have more than one patches directive in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In cases like this, you need to merge the two patches: sections before you save the file, so you end up with only a single patches: section, a single list of patches. To do so:
- Delete the extra patches line so that only one remains.
- Cut and paste the rest of the lines under the remaining patches directive.
The final result will look like this:
patches:
- path: patches/ingress-host.yaml
  target:
    kind: Ingress
    name: istio-ingress
# Generated by rok-image-patch
- target:
    kind: ConfigMap
    name: istio-sidecar-injector
  path: patches/image-patch-istio-sidecar-injector.yaml
Ensure that you have only one top-level patches directive:
root@rok-tools:~/ops/deployments# grep ^patches: rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml | wc -l
1
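The grep above only counts the directives; the merge itself is still a manual edit, and a mistake there silently drops patches, because YAML loaders such as PyYAML keep only the last of two duplicate keys without complaint. The script below is an added example (not part of the Arrikto GitOps repository or of kustomize) that performs the same count, lists every patch file referenced, and folds duplicate patches: blocks into one, working on the raw text so nothing is lost; the kustomization it operates on is constructed for the demo.

```python
"""Textual check and merge for duplicate top-level `patches:` directives in a
kustomization.yaml. Added example, not part of the Arrikto GitOps repository
or of kustomize. It deliberately works on the raw text rather than a parsed
document: YAML loaders such as PyYAML keep only the last of two duplicate keys
without complaint, so a parsed view would hide exactly the patches this step
is meant to preserve. The sample file below is constructed for the demo."""

import re
from typing import List, Tuple

# A top-level key starts at column 0 (e.g. "patches:", "resources:").
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")
# A patch entry's file reference, either "- path: x" or an indented "path: x".
PATCH_PATH = re.compile(r"^\s*(?:-\s*)?path:\s*(\S+)")

SAMPLE_KUSTOMIZATION = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
#- ../arrikto
- ../ingress-nginx
patches:
- path: patches/ingress-host.yaml
  target:
    kind: Ingress
    name: istio-ingress
#- path: patches/ingress-tls.yaml
#- path: patches/certificate.yaml
# Generated by rok-image-patch
patches:
- target:
    kind: ConfigMap
    name: istio-sidecar-injector
  path: patches/image-patch-istio-sidecar-injector.yaml
"""


def count_top_level_patches(text: str) -> int:
    """Same test as `grep ^patches: kustomization.yaml | wc -l`."""
    return sum(1 for line in text.splitlines() if line.startswith("patches:"))


def split_top_level_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Cut the file into (key, lines) blocks, one per top-level key.

    Anything before the first key lands in a block keyed "" so no line is lost;
    comment lines stay with the block they physically follow.
    """
    blocks: List[Tuple[str, List[str]]] = [("", [])]
    for line in text.splitlines():
        match = TOP_LEVEL_KEY.match(line)
        if match:
            blocks.append((match.group(1), [line]))
        else:
            blocks[-1][1].append(line)
    return blocks


def patch_paths(text: str) -> List[str]:
    """Files referenced from every `patches:` block, in file order."""
    paths: List[str] = []
    for key, lines in split_top_level_blocks(text):
        if key != "patches":
            continue
        for line in lines[1:]:
            match = PATCH_PATH.match(line)
            if match:
                paths.append(match.group(1))
    return paths


def merge_patches_blocks(text: str) -> str:
    """Fold every `patches:` block into the first one, keeping all entries.

    This is the manual "delete the extra patches line, move the rest under the
    remaining one" step; the result has exactly one top-level patches key.
    """
    out: List[Tuple[str, List[str]]] = []
    first: List[str] = []  # lines of the surviving patches block
    for key, lines in split_top_level_blocks(text):
        if key != "patches":
            out.append((key, lines))
        elif not first:
            first = list(lines)
            out.append((key, first))
        else:
            first.extend(lines[1:])  # drop the duplicate "patches:" line only
    return "\n".join(line for _, lines in out for line in lines) + "\n"


if __name__ == "__main__":
    print("before:", count_top_level_patches(SAMPLE_KUSTOMIZATION), "patches: directives")
    merged = merge_patches_blocks(SAMPLE_KUSTOMIZATION)
    print("after: ", count_top_level_patches(merged), "patches: directive")
    print(merged)
```

Comparing patch_paths() before and after the merge is the useful check: the set of referenced patch files must be unchanged, which is what a parsed-YAML comparison would fail to show.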
Obtain the FQDN of your Load Balancer and copy it to your clipboard, as you are going to use it in the next step:
root@rok-tools:~/ops/deployments# echo ${EKS_ALB_ACM_SUBDOMAIN?}
arrikto-cluster.apps.example.com
Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:
- op: replace
  path: /spec/rules/0/host
  value: arrikto-cluster.apps.example.com # <-- Update this line with your EKS_ALB_ACM_SUBDOMAIN
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Expose Istio"
Apply the kustomization:
root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
Air Gapped
In case of a private-only EKS cluster, external-dns will not be able to update Route 53 entries automatically, so you have to create an alias record manually, i.e., an A record pointing to the internal ALB created by the AWS Load Balancer Controller.
Verify
Go to your GitOps repository, inside your rok-tools management environment:
root@rok-tools:/# cd ~/ops/deployments
Restore the required context from previous sections:
root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-alb-acm)
root@rok-tools:~/ops/deployments# export EKS_ALB_ACM_SUBDOMAIN
Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your SUBDOMAIN. Wait until the ADDRESS field shows the hostname of your Load Balancer:
root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
NAME            HOSTS                              ADDRESS                                                                 PORTS   AGE
istio-ingress   arrikto-cluster.apps.example.com   e53a524a-ingressnginx-ingr-8872-592794601.us-east-1.elb.amazonaws.com   80      1m
Obtain the FQDN of your Load Balancer:
root@rok-tools:~/ops/deployments# echo ${EKS_ALB_ACM_SUBDOMAIN?}
arrikto-cluster.apps.example.com
Open your browser, and go to the Rok UI at https://<YOUR_SUBDOMAIN>/rok/. Replace <YOUR_SUBDOMAIN> with the value of EKS_ALB_ACM_SUBDOMAIN. For example:
https://arrikto-cluster.apps.example.com/rok/
Air Gapped
Use dynamic port forwarding along with SOCKS5 protocol in your browser.
What's Next
Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.