Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Specify the subdomain to use for serving:

    root@rok-tools:~/ops/deployments# export SERVING_SUBDOMAIN=<SUBDOMAIN>

    Replace <SUBDOMAIN> with your subdomain. For example:

    root@rok-tools:~/ops/deployments# export SERVING_SUBDOMAIN=arrikto-cluster-serving.serving.example.com
  3. Obtain the FQDN of your Load Balancer. Copy the output to your clipboard, as you are going to use this value in later steps. Choose one of the following options based on which NGINX you are using:

    root@rok-tools:~/ops/deployments# kubectl get services -n ingress-nginx-serving ingress-nginx \ > -o jsonpath='{.status.loadBalancer.ingress[].hostname}{"\n"}' a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
    root@rok-tools:~/ops/deployments# kubectl get services -n ingress-nginx ingress-nginx \ > -o jsonpath='{.status.loadBalancer.ingress[].hostname}{"\n"}' a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
  4. Specify the NGINX class to use. Choose one of the following options based on which NGINX you are using:

    The Serving NGINX is used by default. Continue with next step.

    Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-class patch:

    patches: ... - path: patches/ingress-class.yaml
  5. Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the xff patch:

    patches: ... - path: patches/xff.yaml target: kind: EnvoyFilter name: xff-trust-hops
  6. Edit rok/expose-serving/overlays/deploy/patches/xff.yaml and set value for xff_num_trusted_hops to 1:

    value: 1

    Note

    ELB is a TCP proxy and as such we have one L7 proxy in front of Istio: NGINX.

  7. Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippet. The final result will look like this:

    patches: - path: patches/ingress-host.yaml target: kind: Ingress name: istio-ingress - path: patches/ingress-tls.yaml
  8. Edit rok/expose-serving/overlays/deploy/patches/ingress-host.yaml and set value to your subdomain:

    - op: replace path: /spec/rules/0/host value: "*.arrikto-cluster-serving.serving.example.com" # <-- Update this line with your SERVING_SUBDOMAIN

    Note

    Use your wildcard subdomain.

  9. Edit rok/expose-serving/overlays/deploy/patches/ingress-tls.yaml and set hosts to your subdomain:

    spec: tls: - hosts: - "*.arrikto-cluster-serving.serving.example.com" # <-- Update this line with your SERVING_SUBDOMAIN

    Note

    Use your wildcard subdomain.

  10. Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the corresponding snippets. Choose one of the following options based on who manages your SSL certificates.

    Enable the secret generator for the TLS secret:

    secretGenerator: - name: knative-serving-ingress-tls-secret files: - secrets/tls.crt - secrets/tls.key type: "kubernetes.io/tls"

    Enable the certificate resource and the corresponding patch:

    resources: ... - ../../base/certificate.yaml patches: ... - path: patches/certificate.yaml
  11. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

    1. Put your SSL certificate under rok/expose-serving/overlays/deploy/secrets/tls.crt
    2. Put your private key under rok/expose-serving/overlays/deploy/secrets/tls.key.

    Edit rok/expose-serving/overlays/deploy/patches/certificate.yaml, and:

    1. set commonName to your subdomain.
    2. set dnsNames to contain both your subdomain and your wildcard subdomain.
    spec: commonName: arrikto-cluster-serving.serving.example.com # <-- Update this line your SERVING_SUBDOMAIN dnsNames: - arrikto-cluster-serving.serving.example.com # <-- Update this line with your SERVING_SUBDOMAIN - "*.arrikto-cluster-serving.serving.example.com" # <-- Update this line with your wildcard SERVING_SUBDOMAIN
  12. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
  13. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-serving/overlays/deploy
  14. Edit kubeflow/manifests/common/knative/knative-serving/overlays/deploy/patches/config-domain.yaml to configure Knative to use your domain for External URLs. Replace arrikto-cluster-serving.serving.example.com with your FQDN:

    data: arrikto-cluster-serving.serving.example.com: "" # <-- Update this line with your SERVING_SUBDOMAIN
  15. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Configure Knative domain"
  16. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \ > kubeflow/manifests/common/knative/knative-serving/overlays/deploy

Important

You have to create the wildcard DNS record manually, e.g., a CNAME pointing to the ELB name, or connect to your ELB directly using its FQDN and pass the correct Host header.

Verify

  1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your wildcard subdomain:

    root@rok-tools:~/ops/deployments# kubectl get ingress -n knative-serving NAME HOSTS ADDRESS PORTS AGE knative-serving-ingress *.arrikto-cluster-serving.serving.example.com a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com 80, 443 1m
  2. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

    root@rok-tools:~/ops/deployments# kubectl get secrets -n knative-serving knative-serving-ingress-tls-secret \ > -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text ... Subject: CN = arrikto-cluster-serving.serving.example.com ... X509v3 extensions: ... X509v3 Subject Alternative Name: DNS:arrikto-cluster-serving.serving.example.com, DNS:*.arrikto-cluster-serving.serving.example.com

Summary

You have successfully configured Istio and exposed KFServing Models to the outside world.

What’s Next

Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.