Ingresses

Introduction

This guide covers manual setup of all aspects related to Ingresses on a Privacy Dynamics cluster. It is intended as a point of reference from which customers can adapt according to their organization's needs. Strictly following this guide as written will result in the same cluster configuration as is available from the Privacy Dynamics Installer. If no variance is needed, we recommend using our corresponding options in the Installer.

Install the NGINX Ingress Controller

An Ingress Controller must be installed on the Kubernetes Cluster in order for outside traffic to be admitted to the cluster and routed to the appropriate pods. We recommend the NGINX Ingress Controller, available at https://github.com/kubernetes/ingress-nginx.

  1. Add the repository to Helm on your local machine

    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update
    
  2. Install the NGINX Ingress Controller Helm chart

    helm install --create-namespace \
    ingress-nginx ingress-nginx/ingress-nginx \
    --namespace ingress-nginx \
    --values ingress-nginx-values.yaml
    

Create Ingresses

The Privacy Dynamics application must have two Ingresses, one for the user interface (app) and one for the API. Additionally, Ingresses can be configured for the KOTS Admin Console and for observability components (Prometheus, Alertmanager, and Grafana).

If you've installed the ExternalDNS controller, the ingress creation will trigger the creation of a corresponding DNS A record within the pvcy.customer.com zone created earlier. If you prefer to create the records manually, point the A records to the external address for the load balancer. This will be the "External IP" value for the LoadBalancer-type Service created by your Ingress Controller (typically in the ingress-nginx namespace).

    kubectl get svc -n ingress-nginx

If you've installed cert-manager, the ingress creation will also trigger the creation of corresponding CertificateRequests, Certificates, and Secrets (containing the CA-issued certificate). If you prefer to obtain the certificates manually, refer to Create TLS Certificates for detailed instructions.

Create API Ingress

If you've installed the ExternalDNS controller, the ingress creation step will create a DNS A record for api within the pvcy.customer.com zone added earlier. If you prefer to create the records manually, the external address for the load balancer is displayed in the final verification step.

    curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/ingresses/api-ingress.yaml -o api-ingress.yaml

Modify pvcy.customer.com in api-ingress.yaml to the customer subdomain.

    kubectl apply -f api-ingress.yaml

Create Application Ingress

This will create an ingress for the Privacy Dynamics web UI. The service is called analyzer-app-service-ingress.

    curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/ingresses/app-ingress.yaml -o app-ingress.yaml

Modify pvcy.customer.com in app-ingress.yaml to the customer subdomain.

    kubectl apply -f app-ingress.yaml

Create KOTS Admin Console Ingress

This Ingress is optional. It allows access to the Privacy Dynamics Installer (i.e., the Replicated KOTS Admin Console) without port-forwarding.

    curl https://raw.githubusercontent.com/pvcy/enterprise-install/main/ingresses/kots-ingress.yaml \
     -o kots-ingress.yaml

Modify pvcy.customer.com in kots-ingress.yaml to the customer subdomain.

    kubectl apply -f kots-ingress.yaml

Observability Ingresses

Three more ingresses are available. These optional Ingresses are for the observability components of Prometheus, Alertmanager, and Grafana. You can download, update, and apply them in similar fashion to the Ingresses shown above. Be aware that these will expose important information about the functioning of your cluster (but never any data that is being anonymized). Only Grafana is password-protected by default.
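
One way to check which Ingresses have no ingress-level access control, as an added example (not Privacy Dynamics' own tooling): it reads the output of `kubectl get ingress -A -o json` and flags any Ingress that carries no ingress-nginx authentication or source-range annotation and any host without a TLS entry. The sample objects, the `monitoring` namespace and the hostnames are constructed for illustration; an application-level login such as Grafana's is not visible to this check.

```python
"""Audit Ingress objects for ingress-level access controls (ingress-nginx annotations)."""
import json
import sys

PREFIX = "nginx.ingress.kubernetes.io/"

def audit_ingresses(ingress_list):
    """Return one finding per Ingress in a `kubectl get ingress -A -o json` document."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        ann = meta.get("annotations") or {}
        hosts = [r["host"] for r in spec.get("rules") or [] if r.get("host")]
        tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
        # Basic auth needs both the auth type and the Secret holding the credentials.
        basic = bool(ann.get(PREFIX + "auth-type") and ann.get(PREFIX + "auth-secret"))
        external = bool(ann.get(PREFIX + "auth-url"))
        # An allowlist that contains a catch-all range restricts nothing.
        cidrs = [c.strip() for c in ann.get(PREFIX + "whitelist-source-range", "").split(",") if c.strip()]
        restricted = bool(cidrs) and not {"0.0.0.0/0", "::/0"} & set(cidrs)
        findings.append({
            "name": f'{meta.get("namespace", "default")}/{meta.get("name")}',
            "hosts": hosts,
            "no_tls": [h for h in hosts if h not in tls_hosts],  # exact match only
            "auth": basic or external,
            "allowlist": restricted,
            "exposed": not (basic or external or restricted),
        })
    return findings

# Constructed sample input (names and hosts are assumptions, not from the guide).
SAMPLE = {"items": [
    {"metadata": {"namespace": "monitoring", "name": "prometheus"},
     "spec": {"rules": [{"host": "prometheus.pvcy.customer.com"}],
              "tls": [{"hosts": ["prometheus.pvcy.customer.com"]}]}},
    {"metadata": {"namespace": "monitoring", "name": "alertmanager",
                  "annotations": {PREFIX + "whitelist-source-range": "10.0.0.0/8"}},
     "spec": {"rules": [{"host": "alertmanager.pvcy.customer.com"}]}},
]}

if __name__ == "__main__":
    # Pass a file saved from `kubectl get ingress -A -o json`; without one, use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for f in audit_ingresses(data):
        status = "EXPOSED" if f["exposed"] else "restricted"
        print(f'{f["name"]:30} {status:10} no-TLS hosts: {f["no_tls"] or "-"}')
```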
