Expose Istio¶
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing GKE cluster.
- A working NGINX Ingress Controller deployment.
- A working cert-manager deployment (if you want cert-manager to be managing your SSL certificates).
- A working ExternalDNS deployment (if you are using Cloud DNS).
Procedure¶
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:/# cd ~/ops/deployments

2. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and set the base overlay. Choose one of the following options based on who manages your SSL certificates.

   cert-manager (self-signed issuer or Let's Encrypt):

       resources:
       - ../ingress-nginx-tls

   Your own certificate:

       resources:
       - ../ingress-nginx

3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

       resources:
       ...
       - trusted-front-proxies.yaml

4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1:

       # Number of trusted proxies in front of the Gateway.
       xff_num_trusted_hops: 1

5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the ingress-host.yaml and ingress-tls.yaml patches:

       patches:
       - path: patches/ingress-host.yaml
         target:
           kind: Ingress
           name: istio-ingress
       - path: patches/ingress-tls.yaml
       #- path: patches/certificate.yaml

6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

       - op: replace
         path: /spec/rules/0/host
         value: arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN

7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN for your Load Balancer:

       spec:
         tls:
         - hosts:
           - arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN

8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the certificate related snippets. Choose one of the following options based on who manages your SSL certificates.

   cert-manager (self-signed issuer or Let's Encrypt): enable the certificate.yaml patch:

       patches:
       ...
       - path: patches/certificate.yaml

   Your own certificate: enable the secret generator for the TLS secret:

       secretGenerator:
       - name: istio-ingress-tls-secret
         files:
         - secrets/tls.crt
         - secrets/tls.key
         type: "kubernetes.io/tls"

9. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

   cert-manager with a self-signed issuer: edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, set both commonName and dnsNames to the FQDN for your Load Balancer and specify the ClusterIssuer name in issuerRef:

       spec:
         commonName: arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
         dnsNames:
         - arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
         issuerRef:
           name: arrikto-self-signing-issuer

   cert-manager with Let's Encrypt: edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, set both commonName and dnsNames to the FQDN for your Load Balancer and specify the ClusterIssuer name in issuerRef:

       spec:
         commonName: arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
         dnsNames:
         - arrikto-cluster.apps.example.com  # <-- Update this line with your FQDN
         issuerRef:
           name: letsencrypt-prod

   Your own certificate: put your SSL certificate under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.crt and your private key under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.key.

10. Commit your changes:

        root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"

11. Apply the kustomization:

        root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
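The xff_num_trusted_hops value set in step 4 decides which entry of X-Forwarded-For the Istio ingress gateway (Envoy) treats as the real client address, which is what lands in access logs and IP-based policy. The model below is an added illustration, not code from this page, Istio, Envoy or ingress-nginx: it follows Envoy's documented selection rule and shows why the value must equal the number of proxies actually in front of the gateway (one, the NGINX Ingress Controller), since a lower value attributes every request to the NGINX pod and a higher one lets a client choose the address the gateway trusts. It assumes ingress-nginx appends the connecting address to any X-Forwarded-For it receives and that the gateway runs with use_remote_address enabled; all addresses are constructed.

```python
"""Model of Envoy's X-Forwarded-For (XFF) trust rule as used by an Istio ingress
gateway behind ingress-nginx.  Added illustration; all addresses are constructed."""


def append_xff(incoming_xff, connecting_addr):
    """What a well-behaved front proxy (here ingress-nginx) does: append the
    address it saw the connection come from.  Whatever header the client sent is
    kept, which is why Envoy must be told how many trailing entries to trust."""
    return f"{incoming_xff}, {connecting_addr}" if incoming_xff else connecting_addr


def trusted_client_address(xff, downstream_addr, xff_num_trusted_hops,
                           use_remote_address=True):
    """Envoy's documented rule (assumption: use_remote_address=True is what the
    gateway runs with).
    - use_remote_address=True:  N=0 -> the connecting address; N>0 -> the Nth
      entry from the right of XFF; fewer than N entries -> connecting address.
    - use_remote_address=False: the (N+1)th entry from the right, same fallback."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    n = xff_num_trusted_hops if use_remote_address else xff_num_trusted_hops + 1
    if n == 0 or len(hops) < n:
        return downstream_addr
    return hops[-n]


# Constructed topology: Internet client -> ingress-nginx pod -> Istio gateway.
CLIENT = "203.0.113.7"
NGINX_POD = "10.0.1.5"


def client_seen_by_gateway(client_sent_xff, xff_num_trusted_hops):
    """Address the gateway attributes the request to, end to end."""
    xff_from_nginx = append_xff(client_sent_xff, CLIENT)
    return trusted_client_address(xff_from_nginx, NGINX_POD, xff_num_trusted_hops)


def setting_is_sound(xff_num_trusted_hops):
    """True when the gateway sees the real client and a client-supplied
    X-Forwarded-For cannot change that; False when it is set too low (NGINX pod
    reported) or too high (client picks the reported address)."""
    honest = client_seen_by_gateway(None, xff_num_trusted_hops)
    with_header = client_seen_by_gateway("10.0.0.1", xff_num_trusted_hops)
    return honest == with_header == CLIENT


if __name__ == "__main__":
    for hops in (0, 1, 2):
        print(f"xff_num_trusted_hops={hops}: honest={client_seen_by_gateway(None, hops)} "
              f"with client header={client_seen_by_gateway('10.0.0.1', hops)} "
              f"sound={setting_is_sound(hops)}")
```

Only xff_num_trusted_hops: 1 reports the real client in both cases; if you ever add another proxy in front of the NGINX Ingress Controller, raise the value by exactly one.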
Verify¶
1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match the FQDN of your Load Balancer. Wait until the ADDRESS field shows the IP address of your Load Balancer:

       root@rok-tools:~/ops/deployments# kubectl -n istio-system get ingress
       NAME            HOSTS                              ADDRESS       PORTS     AGE
       istio-ingress   arrikto-cluster.apps.example.com   10.42.42.42   80, 443   1m

2. Verify that the SSL certificate is READY. Choose one of the following options based on who manages your SSL certificates.

   cert-manager with a self-signed issuer: check that field READY is True.

       root@rok-tools:~/ops/deployments# kubectl get certificate -n istio-system
       NAME                            READY   SECRET                     AGE
       istio-ingress-tls-certificate   True    istio-ingress-tls-secret   1m

   cert-manager with Let's Encrypt: check that field READY is True.

       root@rok-tools:~/ops/deployments# kubectl get certificate -n istio-system
       NAME                            READY   SECRET                     AGE
       istio-ingress-tls-certificate   True    istio-ingress-tls-secret   1m

   Troubleshooting

   The certificate does not become READY.

   Ensure that Let's Encrypt can reach your GCLB at port 80. This is required for the HTTP-01 challenge. Update loadBalancerSourceRanges of your ingress-nginx Service to allow all CIDRs, at least temporarily.

   Your own certificate: your Certificate will be stored directly in a Kubernetes secret. Proceed to the next step to verify its contents.

3. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

       root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
       >     -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
       ...
               Subject: CN = arrikto-cluster.apps.example.com
       ...
               X509v3 extensions:
       ...
                   X509v3 Subject Alternative Name:
                       DNS:arrikto-cluster.apps.example.com

4. Open your browser, and go to the Rok UI at https://<FQDN>/rok/. Replace <FQDN> with your FQDN. For example: https://arrikto-cluster.apps.example.com/rok/