Expose Istio
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.
Fast Forward
If you have already exposed Istio for serving, expand this box to fast-forward.
- Proceed to the Verify section.
What You’ll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing AKS cluster.
- A working cert-manager deployment.
- A working NGINX Ingress Controller deployment.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:/# cd ~/ops/deployments

Compute the subdomain to use for serving:

    root@rok-tools:~/ops/deployments# export SERVING_SUBDOMAIN=${SERVING_AZURELB_DNS_NAME_LABEL?}.${AZURE_DEFAULTS_LOCATION?}.cloudapp.azure.com && echo ${SERVING_SUBDOMAIN?}
    arrikto-cluster-serving.eastus.cloudapp.azure.com

Specify the NGINX class to use. Choose one of the following options based on which NGINX you are using:

- The Serving NGINX is used by default. Continue with the next step.
- Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-class patch:

    patches:
    ...
    - path: patches/ingress-class.yaml

Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the xff patch:

    patches:
    ...
    - path: patches/xff.yaml
      target:
        kind: EnvoyFilter
        name: xff-trust-hops

Edit rok/expose-serving/overlays/deploy/patches/xff.yaml and set value for xff_num_trusted_hops to 1:

    value: 1

Note
Azure LB is a TCP proxy, so there is exactly one L7 proxy in front of Istio: NGINX.

Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippet. The final result will look like this:

    patches:
    - path: patches/ingress-host.yaml
      target:
        kind: Ingress
        name: istio-ingress
    - path: patches/ingress-tls.yaml

Render the patch for Ingress rules:

    root@rok-tools:~/ops/deployments# j2 \
    > rok/expose-serving/overlays/deploy/patches/ingress-host.yaml.j2 \
    > -o rok/expose-serving/overlays/deploy/patches/ingress-host.yaml

Render the patch for TLS termination:

    root@rok-tools:~/ops/deployments# j2 \
    > rok/expose-serving/overlays/deploy/patches/ingress-tls.yaml.j2 \
    > -o rok/expose-serving/overlays/deploy/patches/ingress-tls.yaml

Edit rok/expose-serving/overlays/deploy/kustomization.yaml and enable the certificate resource:

    resources:
    ...
    - ../../base/certificate.yaml

Edit rok/expose-serving/overlays/deploy/patches/certificate.yaml and set both commonName and dnsNames to your subdomain:

    spec:
      commonName: arrikto-cluster-serving.eastus.cloudapp.azure.com # <-- Edit this value with your subdomain
      dnsNames:
      - arrikto-cluster-serving.eastus.cloudapp.azure.com # <-- Edit this value with your subdomain

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"

Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/expose-serving/overlays/deploy
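
Why xff_num_trusted_hops must equal the number of L7 proxies in front of Istio (one here: NGINX), shown as an added example that is not part of the original guide or of Arrikto's code. It assumes Envoy's documented selection rule with use_remote_address enabled and assumes NGINX appends the connecting address to X-Forwarded-For; all addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from the guide.
NGINX_POD = "10.244.1.15"      # direct peer of the Istio gateway
REAL_CLIENT = "203.0.113.7"    # address NGINX saw on the TCP connection
FORGED = "198.51.100.99"       # value the client put in its own XFF header

# Header as it reaches Istio: client-supplied entry first, then the
# entry appended by NGINX (assumed behaviour).
XFF_AT_ISTIO = f"{FORGED}, {REAL_CLIENT}"


def trusted_client_address(xff_header, peer_address, num_trusted_hops):
    """Return the address Envoy would treat as the client.

    Assumed rule (use_remote_address enabled): for N > 0 the trusted
    address is the Nth entry from the right of X-Forwarded-For; for
    N == 0, or when the header has fewer than N entries, it is the
    address of the directly connected peer.
    """
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    if num_trusted_hops <= 0 or len(entries) < num_trusted_hops:
        return peer_address
    candidate = entries[-num_trusted_hops]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        # Malformed entry: fall back to the peer (this sketch's choice).
        return peer_address
    return candidate


def compare_settings():
    """Map each candidate hop count to the address that would be trusted."""
    return {n: trusted_client_address(XFF_AT_ISTIO, NGINX_POD, n)
            for n in (0, 1, 2)}


if __name__ == "__main__":
    labels = {NGINX_POD: "NGINX pod (client identity lost)",
              REAL_CLIENT: "real client (correct)",
              FORGED: "client-controlled value (spoofable)"}
    for hops, addr in compare_settings().items():
        print(f"xff_num_trusted_hops={hops}: {addr} -> {labels[addr]}")
```

A value higher than the real number of proxies makes Istio trust an entry the client wrote itself, which undermines any IP-based authorization or rate limiting behind it.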
Verify
Verify that you have successfully created the Ingress object for Istio. Ensure that the HOSTS field includes both your subdomain and your wildcard subdomain:

    root@rok-tools:~# kubectl get ingress -n knative-serving
    NAME                      HOSTS                                                                                                   ADDRESS       PORTS   AGE
    knative-serving-ingress   *.arrikto-cluster-serving.eastus.cloudapp.azure.com,arrikto-cluster-serving.eastus.cloudapp.azure.com   10.42.42.42   80      1m
What’s Next
Optionally, you can integrate Rok and Arrikto EKF with external platforms or projects.