Creating ingress definitions for IBM App Connect instances in an IBM Cloud Kubernetes Service cluster
![Kubernetes-only content Kubernetes-only content](icn_kubernetes.png)
Before you begin
When you create an IBM Cloud Kubernetes Service cluster, IBM provides the following components that are required to use ingress: ingress domain, ingress class, Application Load Balancers (ALBs), and TLS certificate. You reference these components when you create ingress resources for your App Connect Dashboard, App Connect Designer, integration server, integration runtime, and switch server instances. For more information, see IBM-provided Ingress components in the IBM Cloud Kubernetes Service documentation.
If you deploy a switch server, some prerequisite configuration is required before you create its ingress resource. You use a switch server to configure connectivity for hybrid integrations in IBM App Connect, which interact with callable flows in IBM App Connect Enterprise or IBM Integration Bus. You also use a switch server to configure connectivity for flows or integrations that interact with applications in a private network. As a prerequisite for ingress, you therefore need to modify the default settings for ALBs that run the Kubernetes ingress image, and which listen for and forward incoming requests to the appropriate pod. To modify the default settings, customize the ALB deployment to enable SSL pass-through by creating a ConfigMap object:
- Get the ID of the ALB, where <cluster_name_or_ID> is the name or
identifier of your cluster.
ibmcloud ks ingress alb ls --cluster <cluster_name_or_ID>
Tip: You can copy the cluster ID from the Overview page in your cluster.In the output of the ibmcloud command, make a note of the ID that starts with
public
. - From your local computer, create a YAML file (for example,
appconn-ingress-configmap.yaml) for a ConfigMap object named
ibm-ingress-deploy-config
, where <alb_id> is the ALB ID from the previous step.apiVersion: v1 kind: ConfigMap metadata: name: ibm-ingress-deploy-config namespace: kube-system data: <alb_id>: '{"enableSslPassthrough":"true"}'
- Create the ConfigMap
object.
kubectl apply -f appconn-ingress-configmap.yaml
- Update your ALBs to pick up the
changes.
ibmcloud ks ingress alb update -c <cluster_name_or_ID>
- To confirm the update, inspect the ALB (ingress) pod logs in the
kube-system
namespace.- Run the following command to get the IDs of the ALB pods that are running in your cluster.
(These ingress pods are named in the format
public-<cluster_id>-alb1-*
.)kubectl get pods -n kube-system | grep alb
- Get the logs for the ALB
pod.
kubectl logs <alb_pod_ID> -n kube-system
In the pod logs, look for this message: "Starting TLS proxy for SSL Passthrough".
- Run the following command to get the IDs of the ALB pods that are running in your cluster.
(These ingress pods are named in the format
For more information about ALBs and ingress, see Application Load Balancers (ALBs) and Customizing the ALB deployment in the IBM Cloud Kubernetes Service documentation. For more information about switch servers, see App Connect Switch Server reference.
About this task
For each App Connect Dashboard, App Connect Designer, integration server, integration runtime, or switch server instance, you must create an ingress resource with rules that define an externally-reachable URL for accessing the running service in the cluster.
IBM provides ingress classes that implement the NGINX ingress controller, so you do not need to manually install an ingress controller in your IBM Cloud Kubernetes Service cluster. When you define an ingress resource for an instance, you simply need to specify the ingress class that determines which type of ingress controller is used.
For these instructions, an IBM Cloud Kubernetes Service cluster was provisioned on a
Classic infrastructure, and the IBM-provided ingress subdomain,
public-iks-k8s-nginx
ingress class, and default TLS certificate are used. For more
information, see Supported infrastructure providers, Ingress domain, Ingress class, and Setting up Ingress in the IBM Cloud Kubernetes Service
documentation.
Work with a cluster administrator if necessary to create and apply the ingress resources.
- Creating an ingress route for an App Connect Dashboard UI
- Creating an ingress route for an App Connect Dashboard API
- Creating an ingress route for a switch server
- Creating an ingress route for an App Connect Designer instance
- Creating an ingress route for the internal integration server that is deployed for App Connect Designer
- Creating an ingress route for an integration server in the App Connect Dashboard
- Creating an ingress route for an integration runtime in the App Connect Dashboard
Creating an ingress route for an App Connect Dashboard UI
Create an ingress resource that will be used to route external traffic to an App Connect Dashboard UI in your cluster.
Procedure
To create an ingress route for a running Dashboard UI, complete the following steps:
Creating an ingress route for an App Connect Dashboard API
Create an ingress resource that will be used to route external traffic to an API that is enabled for an App Connect Dashboard instance in your cluster. This API provides REST API facilities for administering resources that the App Connect Dashboard manages.
For more information about the API, see API for IBM App Connect in containers.
Procedure
To create an ingress route for an enabled Dashboard API, complete the following steps:
Creating an ingress route for a switch server
To expose a switch server to external traffic, you must create an ingress route immediately after you create the switch server because during its initialization, the switch server will need to provide a TLS host name (defined in an ingress resource) in order to request a certificate for this host. To prevent certificate-related errors from the ingress controller, the host name in the generated certificate and the TLS host name that is defined in your ingress resource must match.
Procedure
To create an ingress route for a newly deployed switch server, complete the following steps:
Creating an ingress route for an App Connect Designer instance
Create an ingress resource that will be used to route external traffic to an App Connect Designer instance in your cluster.
About this task
When a Designer instance is deployed, an integration server is automatically deployed to provide support for the built-in test facility for flows. After you create an ingress route for a Designer instance, you will also be required to create an ingress route for this integration server, as described in Creating an ingress route for the internal integration server that is deployed for App Connect Designer.
Procedure
To create an ingress route for a running Designer instance, complete the following steps:
What to do next
Create an ingress route that will be used by the built-in test facility for API flows in your App Connect Designer instance. For more information, see Creating an ingress route for the internal integration server that is deployed for App Connect Designer.
Creating an ingress route for the internal integration server that is deployed for App Connect Designer
You can verify the behavior of any running API flow in your App Connect Designer instance by using the built-in test facility to call the
endpoints for each of the implemented API operations. An internal integration server (named
<designerAuthoringCRName>-designer
) is deployed by default
with the App Connect Designer instance to facilitate this testing.
You must create an ingress resource that will be used to route external traffic to
this integration server in the cluster, and then configure the correct endpoints for calling the API
operations. (For information about creating API flows, see Creating and managing flows in App Connect Designer.)
Procedure
To create an ingress route for the internal integration server that is deployed for a Designer instance, complete the following steps:
Creating an ingress route for an integration server in the App Connect Dashboard
When you deploy one or more BAR files to an integration server, you can indicate whether an HTTP or HTTPS route should be used to externally expose the service that identifies the set of pods where the integration runs. You must manually create this external route for the selected HTTP or HTTPS protocol. These instructions describe how to create an ingress resource for an integration server and configure the endpoints in your cluster.
- Set spec.forceFlowHTTPS.enabled to
true
to force all HTTP Input nodes and SOAP Input nodes in all deployed flows in the integration server to use TLS. - Set spec.forceFlowHTTPS.secretName to the name of a secret that stores a user-supplied public certificate/private key pair to use for enforcing TLS.
- Set spec.service.endpointType to
https
.
Procedure
To create an ingress route for a running integration server, complete either of the following steps:
Creating an ingress route for an integration runtime in the App Connect Dashboard
When you deploy one or more BAR files to an integration runtime, you can indicate whether an HTTP or HTTPS route should be used to externally expose the service that identifies the set of pods where the integration runs. You must manually create this external route for the selected HTTP or HTTPS protocol. These instructions describe how to create an ingress resource for an integration runtime and configure the endpoints in your cluster.
- Set spec.forceFlowsHTTPS.enabled to
true
to force all HTTP Input nodes and SOAP Input nodes in all deployed flows in the integration runtime to use TLS. - Set spec.forceFlowsHTTPS.secretName to the name of a secret that stores a user-supplied public certificate/private key pair to use for enforcing TLS.
- Set spec.restApiHTTPS.enabled to
https
.
Procedure
To create an ingress route for a running integration runtime, complete either of the following steps: