Ingress Configuration

This guide demonstrates how to configure Ingress. Ingress can be configured in numerous ways. Configurations for the most popular controllers are outlined below.

The Immuta web service listens on the following ports:

Ingress NGINX Controller

1. Edit the immuta-values.yaml file to include the following Helm values.

   Copy

   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: nginx
       annotations:
         nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
         nginx.ingress.kubernetes.io/proxy-body-size: '64m'

2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

   Copy

   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.9

Refer to the Ingress-Nginx Controller documentation for further assistance.

GKE Ingress Controller

1. Edit immuta-values.yaml to include the following Helm values.

   Copy

   secure:
     ingress:
       hostname: <immuta-fqdn>
       annotations:
         # Determines which type of load balancer is provisioned
         #   gce-internal
         #   gce
         kubernetes.io/ingress.class: gce
         # Listen on both 80 and 443
         kubernetes.io/ingress.allow-http: 'true'
         # Redirect traffic from 80 to 443
         cloud.google.com/frontend-config: immuta

2. Create a file named frontendconfig.yaml with the following content.

   Copy

   apiVersion: networking.gke.io/v1beta1
   kind: FrontendConfig
   metadata:
     name: immuta
   spec:
     redirectToHttps:
       enabled: true
       responseCodeName: RESPONSE_CODE

3. Apply the FrontendConfig CRD.

   Copy

   kubectl apply -f frontendconfig.yaml

4. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

   Copy

   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.9

Refer to the Google Cloud documentation for further assistance.

AWS Load Balancer Controller

1. Edit immuta-values.yaml to include the following Helm values.

   Copy

   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: alb
       annotations:
         # Determines which type of load balancer is provisioned
         #   internal
         #   internet-facing
         alb.ingress.kubernetes.io/scheme: internet-facing
         alb.ingress.kubernetes.io/target-type: ip
         # Listen on both 80 and 443
         alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
         # Redirect traffic from 80 to 443
         alb.ingress.kubernetes.io/ssl-redirect: '443'

2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

   Copy

   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.9

Refer to the AWS Load Balancer Controller documentation for further assistance.

AKS Application Gateway Ingress Controller

1. Edit immuta-values.yaml to include the following Helm values.

   Copy

   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: webapprouting.kubernetes.azure.com
       # https://azure.github.io/application-gateway-kubernetes-ingress/annotations/
       annotations:
         appgw.ingress.kubernetes.io/ssl-redirect: 'true'

2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

   Copy

   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.9

Refer to the Application Gateway Ingress Controller documentation for further assistance.

Traefik

1. Edit immuta-values.yaml to include the following Helm values.

   Copy

   secure:
     ingress:
       hostname: <immuta-fqdn>
       ingressClassName: traefik
       annotations:
         # Listen on ports 80 and 443
         traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
         # Redirect HTTP to HTTPS
         # When referencing middleware you must prefix the name with its namespace
         # <namespace>-<middleware-name>@kubernetescrd
         traefik.ingress.kubernetes.io/router.middlewares: immuta-https-redirectscheme@kubernetescrd

2. Create a file named middleware.yaml with the following content.

   Copy

   apiVersion: traefik.containo.us/v1alpha1
   kind: Middleware
   metadata:
     name: https-redirectscheme
   spec:
     redirectScheme:
       scheme: https
       permanent: true

3. Apply the Middleware CRD.

   Copy

   kubectl apply -f middleware.yaml

4. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

   Copy

   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.9

Refer to the Traefik documentation for further assistance.

OpenShift Ingress Operator

1. Edit immuta-values.yaml to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not the Immuta Enterprise Helm chart, ingress is set to false below.

   Copy

   secure:
     ingress:
       enabled: false

2. Get the service name for Secure.

   Copy

   oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}'

3. Create a file named route.yaml with the following content. Update all placeholder values with your own values.

   Copy

   apiVersion: route.openshift.io/v1
   kind: Route
   metadata:
     name: immuta
   spec:
     host: <immuta-fqdn>
     to:
       kind: Service
       name: immuta-secure
     port:
       targetPort: http
     tls:
       termination: edge
       insecureEdgeTerminationPolicy: Redirect

4. Apply the Route CRD.

   Copy

   oc apply -f route.yaml

5. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

   Copy

   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.9

Refer to the Red Hat OpenShift documentation for further assistance.