Expose Istio¶
In this section you will expose Istio and the services running behind it using the NGINX Ingress Controller.
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing EKS cluster.
- A working NGINX Ingress Controller deployment.
- A working cert-manager deployment.
Procedure¶
1. Go to your GitOps repository, inside your rok-tools management environment:

   ```bash
   root@rok-tools:/# cd ~/ops/deployments
   ```

2. Obtain the FQDN of your Load Balancer. Copy the output to your clipboard, as you are going to use this value in later steps:

   ```bash
   root@rok-tools:~/ops/deployments# kubectl get services -n ingress-nginx ingress-nginx \
   >     -o jsonpath='{.status.loadBalancer.ingress[].hostname}{"\n"}'
   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
   ```

3. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and set the base overlay. Choose one of the following options based on who manages your SSL certificates, and keep the same choice in every later step that offers it.

   Option A:

   ```yaml
   resources:
   - ../ingress-nginx
   ```

   Option B:

   ```yaml
   resources:
   - ../ingress-nginx-tls
   ```

4. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and uncomment the trusted-front-proxies.yaml resource:

   ```yaml
   resources:
   ...
   - trusted-front-proxies.yaml
   ```

5. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/trusted-front-proxies.yaml and set xff_num_trusted_hops to 1, the number of proxies (here, the NGINX Ingress Controller) that sit in front of the Istio Gateway:

   ```yaml
   # Number of trusted proxies in front of the Gateway.
   xff_num_trusted_hops: 1
   ```

6. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the ingress-host and ingress-tls patches by uncommenting the corresponding snippet, including the toplevel patches directive. The final result will look like this:

   ```yaml
   patches:
   - path: patches/ingress-host.yaml
     target:
       kind: Ingress
       name: istio-ingress
   - path: patches/ingress-tls.yaml
   ```

   Note: There may be cases where you have more than one patches directive in your kustomization, including (but not limited to) the case where you have followed the Patch All Images for Your Deployment document. In cases like this, you need to merge the two patches: sections before you save the file, so you end up with only a single patches: section, that is, a single list of patches. To do so:

   a. Delete the extra patches line so that only one remains.

   b. Cut and paste the rest of the lines under the remaining patches directive. The final result will look like this:

      ```yaml
      patches:
      - path: patches/ingress-host.yaml
        target:
          kind: Ingress
          name: istio-ingress
      - path: patches/ingress-tls.yaml
      # Generated by rok-image-patch
      - target:
          kind: ConfigMap
          name: istio-sidecar-injector
        path: patches/image-patch-istio-sidecar-injector.yaml
      ```

   c. Ensure that you have only one toplevel patches directive:

      ```bash
      root@rok-tools:~/ops/deployments# grep ^patches: rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml | wc -l
      1
      ```
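The xff_num_trusted_hops value set in step 5 decides which X-Forwarded-For (XFF) entry the Istio Gateway reports as the client address in access logs and authorization policies. The following Python model is an added example, not code from this page or from the Arrikto repository; it assumes the rule Istio documents for its numTrustedProxies setting (the Nth entry from the right of XFF, falling back to the TCP peer when XFF is shorter than N) and shows why the value must equal the number of proxies in front of the Gateway, which is 1 with the NGINX Ingress Controller.

```python
"""Model of which X-Forwarded-For (XFF) entry an Istio/Envoy gateway treats
as the originating client address for a given xff_num_trusted_hops.

Assumed semantics (the rule Istio documents for numTrustedProxies; not
stated on this page): with N = xff_num_trusted_hops > 0, the trusted
client address is the Nth entry from the right of XFF; if XFF is missing
or has fewer than N entries, it is the immediate peer address.
"""

# Constructed sample addresses.
PEER_NGINX_POD = "10.244.3.17"  # NGINX Ingress pod that opens the connection to the gateway
REAL_CLIENT = "203.0.113.7"     # address the NGINX Ingress appends to XFF
SPOOFED_ENTRY = "10.0.0.1"      # XFF value the client sent itself, which must not be trusted


def parse_xff(header):
    """Split an XFF header into its addresses, left (oldest) to right (newest)."""
    if not header:
        return []
    return [entry.strip() for entry in header.split(",") if entry.strip()]


def trusted_client_address(xff_header, peer_address, num_trusted_hops):
    """Return the address the gateway uses as the client (source) address."""
    entries = parse_xff(xff_header)
    if num_trusted_hops <= 0 or len(entries) < num_trusted_hops:
        # Nothing trusted, or XFF too short: use the TCP peer, i.e. the proxy itself.
        return peer_address
    return entries[-num_trusted_hops]


def demo():
    """Header as it arrives at the gateway: the client's own XFF plus the
    entry the NGINX Ingress appended. Compare the outcome per hop count."""
    xff = f"{SPOOFED_ENTRY}, {REAL_CLIENT}"
    return {hops: trusted_client_address(xff, PEER_NGINX_POD, hops) for hops in (0, 1, 2)}


if __name__ == "__main__":
    for hops, addr in demo().items():
        print(f"xff_num_trusted_hops={hops}: client seen as {addr}")
```

Only the page's value of 1 yields the real client: 0 makes every request appear to come from the NGINX pod, and 2 trusts whatever the client wrote into the header itself.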
7. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-host.yaml and set value to the FQDN of your Load Balancer:

   ```yaml
   - op: replace
     path: /spec/rules/0/host
     value: a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com  # <-- Update this line with your FQDN
   ```

8. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/ingress-tls.yaml and set hosts to the FQDN of your Load Balancer:

   ```yaml
   spec:
     tls:
     - hosts:
       - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com  # <-- Update this line with your FQDN
   ```

9. Edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/kustomization.yaml and enable the corresponding snippets. Choose one of the following options based on who manages your SSL certificates.

   Option A (you provide the certificate files): enable the secret generator for the TLS secret:

   ```yaml
   secretGenerator:
   - name: istio-ingress-tls-secret
     files:
     - secrets/tls.crt
     - secrets/tls.key
     type: "kubernetes.io/tls"
   ```

   Option B (cert-manager issues the certificate): enable the certificate.yaml patch:

   ```yaml
   patches:
   ...
   - path: patches/certificate.yaml
   ```

10. Configure your certificate. Choose one of the following options based on who manages your SSL certificates.

    Option A (you provide the certificate files):

    - Put your SSL certificate under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.crt.
    - Put your private key under rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/secrets/tls.key.

    Option B (cert-manager issues the certificate): edit rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy/patches/certificate.yaml, and:

    - obtain the part up to the first dot of the FQDN of your Load Balancer.
    - set commonName to the first part of the FQDN of your Load Balancer.
    - set dnsNames to contain both the first part and the whole FQDN of your Load Balancer.

    ```yaml
    spec:
      commonName: a4d794bfa6d7e440facc4398bf96edde-992601283  # <-- Update this line with the first part of your FQDN
      dnsNames:
      - a4d794bfa6d7e440facc4398bf96edde-992601283  # <-- Update this line with the first part of your FQDN
      - a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com  # <-- Update this line with your FQDN
    ```

11. Commit your changes:

    ```bash
    root@rok-tools:~/ops/deployments# git commit -am "Expose Istio via an NGINX Ingress"
    ```

12. Apply the kustomization:

    ```bash
    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-external-services/istio/istio-1-9/istio-install/overlays/deploy
    ```
Verify¶
1. Verify that you have successfully created the Ingress object for Istio. The HOSTS field should match the FQDN of your Load Balancer:

   ```bash
   root@rok-tools:~/ops/deployments# kubectl get ingress -n istio-system istio-ingress
   NAME            HOSTS                                                                    ADDRESS                                                                  PORTS     AGE
   istio-ingress   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com   80, 443   1m
   ```

2. Inspect the TLS secret and verify that the SSL certificate has the expected CN and SAN:

   ```bash
   root@rok-tools:~/ops/deployments# kubectl get secrets -n istio-system istio-ingress-tls-secret \
   >     -o jsonpath="{.data.tls\.crt}" | base64 -d | openssl x509 -text
   ...
           Subject: CN = a4d794bfa6d7e440facc4398bf96edde-992601283
   ...
           X509v3 extensions:
   ...
               X509v3 Subject Alternative Name:
                   DNS:a4d794bfa6d7e440facc4398bf96edde-992601283, DNS:a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com
   ```

3. Open your browser, and go to the Rok UI at https://<FQDN>/rok/. Replace <FQDN> with your FQDN. For example: https://a4d794bfa6d7e440facc4398bf96edde-992601283.us-east-1.elb.amazonaws.com/rok/

   Air Gapped: use dynamic port forwarding along with the SOCKS5 protocol in your browser.