Expose Istio
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing AKS cluster.
- A working cert-manager deployment.
- A working NGINX Ingress Controller deployment.
Procedure
1. Go to your GitOps repository, inside your `rok-tools` management environment:

   ```
   root@rok-tools:/# cd ~/ops/deployments
   ```

2. Compute the FQDN for your Azure Load Balancer:

   ```
   root@rok-tools:~/ops/deployments# echo ${AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com
   arrikto-cluster.eastus.cloudapp.azure.com
   ```

3. Edit `rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml` and use the `ingress-nginx-tls` resource instead of `arrikto`:

   ```yaml
   resources:
   #- ../arrikto
   - ../ingress-nginx-tls
   ```

4. Edit `rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml` and uncomment the `trusted-front-proxies.yaml` resource:

   ```yaml
   resources:
   #- ../arrikto
   - ../ingress-nginx-tls
   # Trusted front proxies in front of Istio IngressGateway. This is needed in
   # order to handle XFF-related headers correctly. If running Istio IngressGateway
   # behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set
   # the `xff_trusted_hops` value to the number of trusted proxies in front of the
   # Gateway.
   - trusted-front-proxies.yaml
   ```

5. Edit `rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml` and uncomment the `ingress-host.yaml`, `ingress-tls.yaml` and `certificate.yaml` patches:

   ```yaml
   patches:
   - path: patches/ingress-host.yaml
     target:
       kind: Ingress
       name: istio-ingress
   - path: patches/ingress-tls.yaml
   - path: patches/certificate.yaml
   ```

6. Edit `rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml` and set `value` to the FQDN for your Azure Load Balancer from step 2:

   ```yaml
   - op: replace
     path: /spec/rules/0/host
     value: arrikto-cluster.eastus.cloudapp.azure.com
   ```

7. Edit `rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml` and set `hosts` to the FQDN for your Azure Load Balancer:

   ```yaml
   spec:
     tls:
     - hosts:
       - arrikto-cluster.eastus.cloudapp.azure.com
   ```

8. Edit `rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml` and set both `commonName` and `dnsNames` to the FQDN for your Azure Load Balancer:

   ```yaml
   spec:
     commonName: arrikto-cluster.eastus.cloudapp.azure.com
     dnsNames:
     - arrikto-cluster.eastus.cloudapp.azure.com
   ```

9. Edit `rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml` and set `xff_num_trusted_hops` to `1`:

   ```yaml
   # Number of trusted proxies in front of the Gateway.
   xff_num_trusted_hops: 1
   ```

10. Commit your changes:

    ```
    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    ```

11. Apply the kustomization:

    ```
    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
    ```
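Why `xff_num_trusted_hops` in step 9 must equal the number of trusted proxies in front of the gateway (one, the NGINX Ingress Controller): the following added example, not part of the Arrikto documentation or code, is a simplified model of the selection rule documented for Envoy's `xff_num_trusted_hops`. It assumes the front proxy appends the peer address it saw to `X-Forwarded-For`; all function names and addresses are constructed for illustration.

```python
# Simplified model (added example) of how the gateway picks the trusted client
# address from X-Forwarded-For. All addresses below are constructed samples.

def front_proxy_forward(xff_from_client, peer_ip):
    """Assumed front-proxy behaviour: append the peer address it saw to XFF."""
    hops = [h.strip() for h in xff_from_client.split(",") if h.strip()]
    return ", ".join(hops + [peer_ip])

def trusted_client_address(xff, downstream_ip, num_trusted_hops):
    """Return the address the gateway treats as the original client.

    num_trusted_hops == 0: only the direct peer is trusted.
    num_trusted_hops == N > 0: take the Nth entry from the right of XFF;
    fall back to the direct peer if XFF has fewer than N entries.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if num_trusted_hops == 0 or len(hops) < num_trusted_hops:
        return downstream_ip
    return hops[-num_trusted_hops]

def evaluate(num_trusted_hops):
    """Send a request with a client-supplied XFF through one NGINX hop."""
    client_ip = "203.0.113.7"    # real client address (constructed)
    nginx_ip = "10.244.1.15"     # NGINX pod as seen by the gateway (constructed)
    client_xff = "198.51.100.99" # untrusted value the client put in its own XFF
    xff = front_proxy_forward(client_xff, client_ip)
    return trusted_client_address(xff, nginx_ip, num_trusted_hops)

if __name__ == "__main__":
    for n in (0, 1, 2):
        print(f"xff_num_trusted_hops={n}: client seen as {evaluate(n)}")
```

With one proxy in front, a value of `1` yields the real client address; `0` attributes every request to the NGINX pod, and `2` accepts the client-supplied header entry, which breaks IP-based authorization policies and audit logs.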
Verify
1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your Azure Load Balancer FQDN:

   ```
   root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
   NAME            HOSTS                                       ADDRESS       PORTS   AGE
   istio-ingress   arrikto-cluster.eastus.cloudapp.azure.com   10.42.42.42   80      1m
   ```

2. Open your browser, and go to the Rok UI at https://arrikto-cluster.eastus.cloudapp.azure.com/rok/.