LoadBalancer
Truefoundry by default provisions a single external load-balancer for one Kubernetes cluster. This is provisioned automatically by the tfy-istio-ingress helm chart installed by Truefoundry which creates a Kubernetes service of type LoadBalancer
. You can find the configuration of this service in Deployments > Helm > tfy-istio-ingress (Make sure you are filtering for the desired cluster)
You can click on the three dots to understand the configuration.
If you want to modify any of your load-balancer settings, you will have to edit this configuration according to the guide mentioned below.
Modifying your load balancer configuration
The loadbalancer can be modified using annotations on the gateway object. Below is an example of possible modifications that you can do. To get a complete list of annoations - check here
AWS
As mentioned above, if you want the loadbalancer to be external, add the following annotation:
If you convert the load balancer from internal to external or vice-versa, the loadbalancer will be recreated and you will have to remap your DNS.
If you want it to be internal, the following annotation should be added:
If you want to restrict the access to the load balancer to a specific IP address, you can add the following annotation:
GCP
The default configuration creates an external load-balancer:
To make the loadbalancer internal, add the annotation as follows:
Azure
The default configuration creates an external load balancer with the below configuration
To make the load balancer internal
Generic
-
By default load balancer will be created without an external IP address in the case of generic cluster.
-
Run metalLB to assign an IP address to the load balancer.
-
Once the load balancer gets the IP address assign the certificates for it to terminate TLS traffic. For that you can use cert-manager or bring your own certificates.
- Cert-manager is present as an add-on in the cluster, so you can manage and edit the configurations for it vey seamlessly through the platform itself.
- cert-manager connects with your DNS providers and creates a secret in the k8s cluster.
- If you bring your own certificates, they need to be in the form of k8s secret. Check how you can create tls secret in k8s.
- Secret should be created in the
istio-system
namespace.
-
Passing those secrets in the
tfy-istio-ingress
intfyGateway.spec.servers[1].tls.credentialName
Deploy multiple load balancers
Each installation of tfy-istio-ingress
creates a load balancer. If you want to deploy multiple multiple load-balancers, for e.g. one internal and one external, you can clone the current tfy-istio-ingress
application in the same namespace istio-system
, change the tfyGateway.Name
to something else other then default tfy-wildcard
and update the tfyGateway.spec.Selector
with the new name of the application.
For e.g. if you clone the tfy-istio-ingress
a new application with the name tfy-istio-ingress-1
will be created , update the tfyGateway.Name
to a new name and the tfyGateway.spec.Selector
to
Once the ingress is installed, it will automatically create another loadbalancer whose IP you can get using kubectl get svc -n istio-system
.
Add authentication to all services behind a load balancer
We can configure Istio to apply authentication at a gateway level. This will work only if you are accessing the service using the DNS provided in Istio and not access the service directly from within the cluster. This process is a bit complicated, and you should only do this if you really want to enable authentication at an istio gateway level.
Istio will validate if the JWT is valid. If not valid, it will return an Unauthorized Error.
-
Create a RequestAuthentication resource to ensure that the JWT issuer and Audience are correct.
- Authentication will be only done if there is an Authorization header. This is pass-through if no Authorization header is present in the Request or it gets an empty string after removing the prefix.
-
Create an AuthorizationPolicy that will reject any requests with an empty JWT.
You can read the Istio docs: https://istio.io/latest/docs/reference/config/security/request_authentication/ for further customization or making it work with your own IdP.