Ingress routing to services via Istio’s ingress gateway is configured by VirtualService
custom resource definitions (CRD). When using external hostnames, there needs to be a VirtualService
CRD that matches the external hostname to the desired destination.
For example, the configuration below controls the ingress routing for prometheus.cmn.SYSTEM_DOMAIN_NAME
:
kubectl get vs -n sysmgmt-health cray-sysmgmt-health-prometheus
Example output:
NAME GATEWAYS HOSTS AGE
cray-sysmgmt-health-prometheus [services/services-gateway] [prometheus.cmn.SYSTEM_DOMAIN_NAME] 22h
kubectl get vs -n sysmgmt-health cray-sysmgmt-health-prometheus -o yaml
Example output:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
creationTimestamp: "2020-07-09T17:49:07Z"
generation: 1
labels:
app: cray-sysmgmt-health-prometheus
app.kubernetes.io/instance: cray-sysmgmt-health
app.kubernetes.io/managed-by: Tiller
app.kubernetes.io/name: cray-sysmgmt-health
app.kubernetes.io/version: 8.15.4
helm.sh/chart: cray-sysmgmt-health-0.3.1
name: cray-sysmgmt-health-prometheus
namespace: sysmgmt-health
resourceVersion: "41620"
selfLink: /apis/networking.istio.io/v1beta1/namespaces/sysmgmt-health/virtualservices/cray-sysmgmt-health-prometheus
uid: d239dfcc-a827-4a51-9b73-6eccfb937088
spec:
gateways:
- services/services-gateway
hosts:
- prometheus.cmn.SYSTEM_DOMAIN_NAME
http:
- match:
- authority:
exact: prometheus.cmn.SYSTEM_DOMAIN_NAME
route:
- destination:
host: cray-sysmgmt-health-kube-p-prometheus
port:
number: 9090
By matching the external hostname in the authority field, Istio’s ingress gateway is able to route incoming traffic from OAuth2 Proxy to the cray-sysmgmt-health-prometheus
service in the sysmgmt-health
namespace. Also, notice that the VirtualService
for prometheus.cmn.SYSTEM_DOMAIN_NAME
uses the existing services/services-gateway
Gateway CRD and does not create a new one.
Web apps intended to be accessed via the browser, such as Prometheus, Alertmanager, Grafana, Kiali, Kibana, Elasticsearch, should go through the OAuth2 Proxy reverse proxy. Browser sessions are automatically configured to use a JSON Web Token (JWT) for authorization to Istio’s ingress gateway, enabling a central enforcement point of Open Policy Agent (OPA) policies for system management traffic.
The OAuth2 Proxy will inject HTTP headers so that an upstream endpoint can identify the user and customize access as needed. To enable ingress via OAuth2 Proxy external hostnames, web apps need to be added to
the proxiedWebAppExternalHostnames
for the appropriate ingress (customerManagement
, customerAccess
, or customerHighSpeed
) in customizations.yaml
(i.e sma-grafana.cmn.{{ network.dns.external }}
).