Expose Istio

In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller. TLS termination will happen at the ALB in front of NGINX.

Choose one of the following options to expose Istio:

Option 1: Expose Istio Automatically (preferred)

Expose Istio by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-alb-istio
../../../../_images/eks-alb-istio.png

Proceed to the Summary section.

Option 2: Expose Istio Manually

If you want to expose Istio manually, follow the instructions below.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-alb-acm)
    root@rok-tools:~/ops/deployments# export EKS_ALB_ACM_SUBDOMAIN
  3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and use ingress-nginx instead of arrikto as the base overlay:

    resources: #- ../arrikto - ../ingress-nginx

    Note

    TLS termination takes place on the ALB with an ACM certificate, and thus you will create a plain HTTP ingress.

  4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

    resources: #- ../arrikto - ../ingress-nginx # Trusted front proxies in front of Istio IngressGateway. This is needed in # order to handle XFF-related headers correctly. If running Istio IngressGateway # behind a trusted proxy (e.g., ALB, NGINX, etc.), include this YAML and set # the `xff_trusted_hops` value to the number of trusted proxies in front of the # Gateway. - trusted-front-proxies.yaml
  5. Set the number of trusted proxies in front of the Gateway:

    root@rok-tools:~/ops/deployments# export TRUSTED_FRONT_PROXIES=2

    Note

    ALB acts as a L7 edge proxy so you have two proxies in front of Istio: ALB and NGINX.

  6. Render the Istio envoy filter patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \ > rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml.j2 \ > -o rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml
  7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable only the ingress-host patch by uncommenting the corresponding snippet, including the toplevel patches directive. The final result will look like this:

    patches: - path: patches/ingress-host.yaml target: kind: Ingress name: istio-ingress #- path: patches/ingress-tls.yaml #- path: patches/certificate.yaml

    Note

    There may be cases where you have more that one patches directives in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In cases like this, you need to merge the two patches: sections before you save the file, so you end up with only a single patches: section, a single list of patches. To do so:

    1. Delete the extra patches line so that only one remains.

    2. Cut and paste the rest of the lines under the remaining patches directive. The final result will look like this:

      patches: - path: patches/ingress-host.yaml target: kind: Ingress name: istio-ingress # Generated by rok-image-patch - target: kind: ConfigMap name: istio-sidecar-injector path: patches/image-patch-istio-sidecar-injector.yaml
    3. Ensure that you have only one toplevel patches directive:

      root@rok-tools:~/ops/deployments# grep ^patches: rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml | wc -l 1
  8. Render the Istio ingress patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \ > rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml.j2 \ > -o rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml
  9. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio"
  10. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.eks-alb-acm)
    root@rok-tools:~/ops/deployments# export EKS_ALB_ACM_SUBDOMAIN
  3. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match your SUBDOMAIN. Wait until the ADDRESS field shows the hostname of your Load Balancer:

    root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress NAME HOSTS ADDRESS PORTS AGE istio-ingress arrikto-cluster.apps.example.com e53a524a-ingressnginx-ingr-8872-592794601.us-east-1.elb.amazonaws.com 80 1m
  4. Obtain the FQDN of your Load Balancer:

    root@rok-tools:~/ops/deployments# echo ${EKS_ALB_ACM_SUBDOMAIN?} arrikto-cluster.apps.example.com
  5. Open your browser, and go to the Rok UI at

    https://<YOUR_SUBDOMAIN>/rok/

    Replace <YOUR_SUBDOMAIN> with your the value of EKS_ALB_ACM_SUBDOMAIN. For example:

    https://arrikto-cluster.apps.example.com/rok/

Summary

You have successfully configured Istio and exposed Rok to the outside world. With this, you have successfully completed the whole installation process.

What’s Next

The next step is to expose your KFServing Models to the outside world.