Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

What You'll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
    
  2. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and set the base overlay. Choose one of the following options based on who manages your SSL certificates.

    If cert-manager manages your certificate (either with the self-signing issuer or with Let's Encrypt), use the TLS overlay:

    resources:
    - ../ingress-nginx-tls
    
    If you provide your own certificate, use the plain overlay:

    resources:
    - ../ingress-nginx
    
  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    resources:
    ...
    - trusted-front-proxies.yaml
    
  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

    # Number of trusted proxies in front of the Gateway.
    xff_num_trusted_hops: 1
    
  5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the ingress-host.yaml and ingress-tls.yaml patches:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml
    #- path: patches/certificate.yaml
    
  6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

    - op: replace
      path: /spec/rules/0/host
      value: arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
    
  7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Load Balancer:

    spec:
      tls:
      - hosts:
        - arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
    
  8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the certificate-related snippets. Choose one of the following options based on who manages your SSL certificates.

    If cert-manager manages your certificate (either with the self-signing issuer or with Let's Encrypt), enable the certificate.yaml patch:

    patches:
    ...
    - path: patches/certificate.yaml
    

    If you provide your own certificate, enable the secret generator for the TLS secret:

    secretGenerator:
    - name: istio-ingress-tls-secret
      files:
      - secrets/tls.crt
      - secrets/tls.key
      type: "kubernetes.io/tls"
    
  9. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

    If cert-manager manages your certificate with the self-signing issuer, edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, set both commonName and dnsNames to the FQDN for your Load Balancer and specify the ClusterIssuer name in issuerRef:

    spec:
      commonName: arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
      dnsNames:
      - arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
      issuerRef:
        name: arrikto-self-signing-issuer
    

    If cert-manager manages your certificate with Let's Encrypt, edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, set both commonName and dnsNames to the FQDN for your Load Balancer and specify the ClusterIssuer name in issuerRef:

    spec:
      commonName: arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
      dnsNames:
      - arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
      issuerRef:
        name: letsencrypt-prod
    

    If you provide your own certificate, put your SSL certificate under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.crt and your private key under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.key.

  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    
  11. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
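
Step 4 sets xff_num_trusted_hops to 1 because the NGINX Ingress Controller is the single proxy between the client and the Istio Gateway. The script below is an added example, not Arrikto, Istio or Envoy code, that models the rule an Envoy-based gateway applies to X-Forwarded-For for that setting: the rightmost xff_num_trusted_hops entries are taken as written by trusted proxies, so the client address is the entry that many positions from the right, and the connection peer is used when the header is absent or too short. It shows why the value must equal the real number of proxies: with 1, a header the client supplies itself is ignored; with 2, that client-supplied value would be reported as the client address and end up in any IP-based allow list or audit log behind the gateway; with 0, every request appears to come from the NGINX pod. All addresses and hop names are constructed, and the proxy model (a hop appends its caller's address to whatever header it received) is an assumption of the example.

```python
"""Model of how an Envoy gateway picks the client IP from X-Forwarded-For.

Added example for the xff_num_trusted_hops setting in trusted-front-proxies.yaml.
Not Arrikto, Istio or Envoy code. Assumed rule (Envoy's documented behaviour for
a gateway that trusts its own connection peer): the rightmost `trusted_hops`
XFF entries were appended by trusted proxies, so the client is the entry
`trusted_hops` positions from the right; with 0 hops, or a header that is too
short, the connection peer itself is the client.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Hop:
    """A trusted proxy that appends its caller's address to XFF (assumed model)."""
    name: str
    address: str  # source address of the connection this proxy opens onward


def client_ip_from_xff(xff: Optional[str], peer_addr: str, trusted_hops: int) -> str:
    """Address the gateway reports as the origin client.

    xff          -- X-Forwarded-For header as received by the gateway, or None
    peer_addr    -- source address of the TCP connection into the gateway
    trusted_hops -- value of xff_num_trusted_hops
    """
    if trusted_hops < 0:
        raise ValueError("trusted_hops must be >= 0")
    if trusted_hops == 0 or not xff:
        return peer_addr
    entries = [e.strip() for e in xff.split(",") if e.strip()]
    if len(entries) < trusted_hops:
        # Fewer entries than trusted proxies: the header cannot be authoritative.
        return peer_addr
    return entries[-trusted_hops]


def send_through(proxies: List[Hop], client_addr: str,
                 client_xff: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Simulate one request from client_addr crossing `proxies` in order.

    Returns (xff_as_received_by_gateway, peer_addr_of_gateway_connection).
    """
    xff = client_xff
    connecting_from = client_addr
    for proxy in proxies:
        # Assumed proxy behaviour: append the caller's address to the header.
        xff = connecting_from if not xff else f"{xff}, {connecting_from}"
        connecting_from = proxy.address
    return xff, connecting_from


# Constructed topology: one NGINX Ingress Controller pod in front of the Gateway.
NGINX_INGRESS = Hop("ingress-nginx", "10.42.0.7")  # constructed pod address
CLIENT = "203.0.113.5"                             # constructed public client address
FORGED = "10.0.0.1"                                # constructed header value a client could send


def honest_client(trusted_hops: int) -> str:
    """Client sends no XFF header; NGINX adds the real address."""
    xff, peer = send_through([NGINX_INGRESS], CLIENT)
    return client_ip_from_xff(xff, peer, trusted_hops)


def forging_client(trusted_hops: int) -> str:
    """Client sends its own XFF header before reaching NGINX."""
    xff, peer = send_through([NGINX_INGRESS], CLIENT, client_xff=FORGED)
    return client_ip_from_xff(xff, peer, trusted_hops)


if __name__ == "__main__":
    for hops in (0, 1, 2):
        print(f"xff_num_trusted_hops={hops}: honest -> {honest_client(hops)}, "
              f"client-supplied header -> {forging_client(hops)}")
```

Running the script prints one line per setting: with 0 both cases resolve to the NGINX pod address, with 1 both resolve to the real client, and with 2 the honest request falls back to the pod address while the client-supplied value is reported as the client. Only the value that matches the deployed proxy count (1 here) gives a trustworthy client address.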
    

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match the FQDN of your Load Balancer. Wait until the ADDRESS field shows the IP address of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
    NAME            HOSTS                             ADDRESS      PORTS    AGE
    istio-ingress   arrikto-cluster.apps.example.com  10.42.42.42  80, 443  1m
    
  2. Verify that the SSL certificate is READY. Choose one of the following options based on who manages your SSL certificates.

    If cert-manager manages your certificate (either with the self-signing issuer or with Let's Encrypt), check that the READY field is True:

    root@rok-tools:~/ops/deployments# kubectl get certificate -n istio-system
    NAME                            READY   SECRET                     AGE
    istio-ingress-tls-certificate   True    istio-ingress-tls-secret   1m
    

    Troubleshooting

    The certificate does not become READY.

    If you use Let's Encrypt, ensure that Let's Encrypt can reach your GCLB at port 80. This is required for the HTTP-01 challenge. Update loadBalancerSourceRanges of your ingress-nginx Service to allow all CIDRs, at least temporarily.

    If you provide your own certificate, it is stored directly in a Kubernetes secret. Proceed to the next step to verify its contents.

  3. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

    root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
    >    -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
    ...
            Subject: CN = arrikto-cluster.apps.example.com
    ...
            X509v3 extensions:
    ...
                X509v3 Subject Alternative Name:
                    DNS:arrikto-cluster.apps.example.com
    
  4. Open your browser, and go to the Rok UI at

    https://<FQDN>/rok/
    

    Replace <FQDN> with your FQDN. For example:

    https://arrikto-cluster.apps.example.com/rok/
    

Summary

You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.

What's Next

Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.