Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

What You'll Need

• A configured management environment.
• Your clone of the Arrikto GitOps repository.
• An existing EKS cluster.
• A working NGINX Ingress Controller deployment.
• A working cert-manager deployment.

Procedure

1. Go to your GitOps repository, inside your rok-tools management environment:

   root@rok-tools:/# cd ~/ops/deployments
   

2. Obtain the FQDN of your Load Balancer. Copy the output to your clipboard, as you are going to use this value in later steps:

   root@rok-tools:~/ops/deployments# kubectl get services -n ingress-nginx ingress-nginx \
   >     -o jsonpath='{.status.loadBalancer.ingress[].hostname}{"\n"}'
   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
   

3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and set the base overlay. Choose one of the following options based on who manages your SSL certificates.

   Managed by you

   cert-manager (self-signed)

   resources:
   - ../ingress-nginx
   

   resources:
   - ../ingress-nginx-tls
   

4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

   resources:
   ...
   - trusted-front-proxies.yaml
   

5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

   # Number of trusted proxies in front of the Gateway.
   xff_num_trusted_hops: 1
   

6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting

   the corresponding snippet, including the toplevel patches directive. The final result will look like this:

   patches:
   - path: patches/ingress-host.yaml
     target:
       kind: Ingress
       name: istio-ingress
   - path: patches/ingress-tls.yaml
   

   Note

   There may be cases where you have more that one patches directives in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In cases like this, you need to merge the two patches: sections before you save the file, so you end up with only a single patches: section, a single list of patches. To do so:

   1. Delete the extra patches line so that only one remains.

   2. Cut and paste the rest of the lines under the remaining patches directive. The final result will look like this:

      patches:
      - path: patches/ingress-host.yaml
        target:
          kind: Ingress
          name: istio-ingress
      - path: patches/ingress-tls.yaml
      # Generated by rok-image-patch
      - target:
          kind: ConfigMap
          name: istio-sidecar-injector
        path: patches/image-patch-istio-sidecar-injector.yaml
      

   3. Ensure that you have only one toplevel patches directive:

      root@rok-tools:~/ops/deployments# grep ^patches: rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml | wc -l
      1
      

7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

   - op: replace
     path: /spec/rules/0/host
     value: a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
   

8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Load Balancer:

   spec:
     tls:
     - hosts:
       - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
   

9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the corresponding snippets. Choose one of the following options based on who manages your SSL certificates.

   Managed by you

   cert-manager (self-signed)

   Enable the secret generator for the TLS secret:

   secretGenerator:
   - name: istio-ingress-tls-secret
     files:
     - secrets/tls.crt
     - secrets/tls.key
     type: "kubernetes.io/tls"
   

   Enable the certificate.yaml patch:

   patches:
   ...
   - path: patches/certificate.yaml
   

10. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

    Managed by you

    cert-manager (self-signed)

    1. Put your SSL certificate under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.crt
    2. Put your private key under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.key.

    Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, and:

    1. obtain the part up to the first dot of the FQDN of your Load Balancer.
    2. set commonName to the first part of the FQDN for your Load Balancer.
    3. set dnsNames to contain both the first part and the whole FQDN of your Load Balancer.

    spec:
      commonName: a4d794bfa6d7e440facc4398bf96edde-992601283 # <-- Update this line with the first part of your FQDN
      dnsNames:
      - a4d794bfa6d7e440facc4398bf96edde-992601283 # <-- Update this line with the first part of your FQDN
      - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com # <-- Update this line with your FQDN
    

11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    

12. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
    

Verify

1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match the FQDN of your Load Balancer:

   root@rok-tools:~/ops/deployments# kubectl get ingress -n istio-system istio-ingress
   NAME            HOSTS                                                                    ADDRESS                                                                  PORTS     AGE
   istio-ingress   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   80, 443   1m
   

2. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

   root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
   >    -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
   ...
           Subject: CN = a4d794bfa6d7e440facc4398bf96edde-992601283
   ...
           X509v3 extensions:
   ...
               X509v3 Subject Alternative Name:
                   DNS:a4d794bfa6d7e440facc4398bf96edde-992601283, DNS:a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
   

3. Open your browser, and go to the Rok UI at

   https://<FQDN>/rok/
   

   Replace <FQDN> with your FQDN. For example:

   https://a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com/rok/
   

   Air Gapped

   Use dynamic port forwarding along with SOCKS5 protocol in your browser.

Summary

You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.

What's Next

Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.

• Integrations