Truefoundry uses Istio as the ingress controller. By default, it provisions a single external load balancer per Kubernetes cluster. The load balancer is provisioned automatically by the tfy-istio-ingress helm chart installed by TrueFoundry, which creates a Kubernetes Service of type LoadBalancer. This is fundamentally an ingress gateway, which automatically brings up the load balancer in the respective cloud provider.
Istio is currently mandatory for the Truefoundry components to work. We will be adding support for other ingress controllers in the future.
You can find the configuration of the tfy-ingress-gateway in Deployments > Helm > tfy-istio-ingress (make sure you are filtering for the desired cluster). Click on the three dots to see the configuration. If you want to modify any of your load-balancer settings, edit this configuration and redeploy the helm chart. The load-balancer settings are configured using the annotations on the gateway object. The annotations vary based on the cloud provider, and you can find the corresponding cloud-specific documentation below.
Changing some of the settings might cause the load balancer to be recreated, in which case you will have to remap your DNS. This can bring down the services temporarily, so be careful with the changes you make or consult the Truefoundry team.

Modifying your load balancer configuration

Below are the configurations of the load balancers for the different cloud providers.
Below are the various load balancer types that are supported for AWS.

Deploy multiple load balancers

Each installation of tfy-istio-ingress creates a load balancer. If you want to deploy multiple load balancers, for example one internal and one external, clone the current tfy-istio-ingress application in the same namespace (istio-system), change tfyGateway.Name to something other than the default tfy-wildcard, and update tfyGateway.spec.Selector with the name of the new application. For example, if you clone tfy-istio-ingress, a new application named tfy-istio-ingress-1 will be created; set tfyGateway.Name to a new name and tfyGateway.spec.Selector to
tfyGateway:
  spec:
    selector:
      app: "tfy-istio-ingress-1"
Once the ingress is installed, it will automatically create another load balancer, whose IP you can get using
kubectl get svc -n istio-system

Add authentication to all services behind a load balancer

We can configure Istio to apply authentication at the gateway level. This works only if you access the service through the DNS provided by Istio, not when you call the service directly from within the cluster. This process is a bit involved, so only do this if you really want to enable authentication at the Istio gateway level.

Istio validates the JWT. If it is not valid, Istio returns an Unauthorized error.

  1. Create a RequestAuthentication resource to ensure that the JWT issuer and audience are correct.
    1. Authentication is only performed if an Authorization header is present. The rule is pass-through if no Authorization header is present in the request, or if the token is an empty string after removing the prefix.
    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: tfy-oauth2
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          istio: tfy-istio-ingress
      jwtRules:
      - issuer: "truefoundry.com"
        fromHeaders:
        - name: Authorization
          prefix: "Bearer "
        audiences:
          - <tenant_name_in_truefoundry>
        jwksUri: https://login.truefoundry.com/.well-known/jwks.json
        forwardOriginalToken: true
    
  2. Create an AuthorizationPolicy that will reject any requests with an empty JWT.
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: tfy-oauth2
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          istio: tfy-istio-ingress
      action: DENY
      rules:
      - from:
        - source:
            notRequestPrincipals: ["*"]
        to:
          - operation:
              ports:
                - "443"
You can read the Istio docs (https://istio.io/latest/docs/reference/config/security/request_authentication/) for further customization or for making this work with your own IdP.
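The two stages above, as an added stand-alone model that is not part of the TrueFoundry docs or of Istio's code: it reproduces the pass-through behaviour of the RequestAuthentication and the DENY behaviour of the AuthorizationPolicy so you can see which requests each stage stops and why both resources are needed. It assumes a constructed HS256 signing key in place of the JWKS endpoint and the placeholder audience acme-tenant; the port parameter shows that a request on a port other than 443 is not covered by the policy as written.

```python
import base64
import hmac
import json
import time

ISSUER = "truefoundry.com"
AUDIENCE = "acme-tenant"               # constructed placeholder for <tenant_name_in_truefoundry>
SIGNING_KEY = b"constructed-demo-key"  # stands in for the JWKS key; HS256 keeps the model offline
GATEWAY_PORT = "443"                   # the only port the AuthorizationPolicy above covers

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def demo_token(iss=ISSUER, aud=AUDIENCE, sub="user-1", ttl=300) -> str:
    """Mint a signed HS256 JWT (test helper only; real tokens come from the IdP)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"iss": iss, "aud": aud, "sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), "sha256").digest()
    return f"{header}.{body}.{_b64url(sig)}"

def request_authentication(headers: dict):
    """RequestAuthentication stage -> (http_status, principal). No header, or an empty token after
    the 'Bearer ' prefix, is pass-through (no error, no principal); a present but invalid token is 401."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token == "":
        return None, None
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), "sha256").digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return 401, None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong number of segments, bad base64 or bad JSON
        return 401, None
    aud = [claims["aud"]] if isinstance(claims.get("aud"), str) else claims.get("aud", [])
    if claims.get("iss") != ISSUER or AUDIENCE not in aud or claims.get("exp", 0) < time.time():
        return 401, None
    return None, f"{ISSUER}/{claims.get('sub')}"  # Istio's request principal is "<iss>/<sub>"

def authorization_policy(principal, port: str):
    """DENY AuthorizationPolicy stage: a request with no principal on the listed port is denied."""
    return 403 if port == GATEWAY_PORT and principal is None else None

def gateway_decision(headers: dict, port: str = GATEWAY_PORT) -> int:
    """Both stages in the order the gateway applies them; 200 means the request is forwarded."""
    status, principal = request_authentication(headers)
    return status or authorization_policy(principal, port) or 200
```

A request with no Authorization header is never rejected by the RequestAuthentication alone; only the AuthorizationPolicy turns the missing principal into a 403.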