Ingress Configuration

This guide demonstrates how to configure Ingress. Ingress can be configured in numerous ways. Configurations for the most popular controllers are outlined below.

Kubernetes namespace

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace immuta and that the current namespace is immuta.

The Immuta web service listens on the following ports:

Port  Protocol  Description                Optional
443   TCP       HTTPS                      False
80    TCP       HTTP (redirects to HTTPS)  True

Ingress hostname

This is the fully qualified domain name (FQDN), as defined by RFC 3986, used to access the Immuta UI. If an FQDN has yet to be determined, set Secure's ingress hostname to immuta.local.

Ingress NGINX Controller

  1. Edit the immuta-values.yaml file to include the following Helm values.

    # immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: nginx
        annotations:
          nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
    
  2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> immuta/immuta-enterprise --values immuta-values.yaml
    

Additional resources

Refer to the Ingress-Nginx Controller documentation for further assistance.

GKE Ingress Controller

  1. Edit immuta-values.yaml to include the following Helm values.

    # immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        annotations:
          # Determines which type of load balancer is provisioned
          #   gce-internal
          #   gce
          kubernetes.io/ingress.class: gce
          # Listen on both 80 and 443
          kubernetes.io/ingress.allow-http: 'true'
          # Redirect traffic from 80 to 443
          cloud.google.com/frontend-config: immuta
    
  2. Create a file named frontendconfig.yaml with the following content.

    # frontendconfig.yaml
    apiVersion: networking.gke.io/v1beta1
    kind: FrontendConfig
    metadata:
      name: immuta
    spec:
      redirectToHttps:
        enabled: true
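        # RESPONSE_CODE is a placeholder; replace it with a supported value,
        # for example MOVED_PERMANENTLY_DEFAULT (301)
        responseCodeName: RESPONSE_CODE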
    
  3. Apply the FrontendConfig CRD.

    kubectl apply -f frontendconfig.yaml
    
  4. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> immuta/immuta-enterprise --values immuta-values.yaml
    

Additional resources

Refer to the Google Cloud documentation for further assistance.

AWS Load Balancer Controller

  1. Edit immuta-values.yaml to include the following Helm values.

    # immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: alb
        annotations:
          # Determines which type of load balancer is provisioned
          #   internal
          #   internet-facing
          alb.ingress.kubernetes.io/scheme: internet-facing
          alb.ingress.kubernetes.io/target-type: ip
          # Listen on both 80 and 443
          alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
          # Redirect traffic from 80 to 443
          alb.ingress.kubernetes.io/ssl-redirect: '443'
    
  2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> immuta/immuta-enterprise --values immuta-values.yaml
    

Additional resources

Refer to the AWS Load Balancer Controller documentation for further assistance.

AKS Application Gateway Ingress Controller

  1. Edit immuta-values.yaml to include the following Helm values.

    # immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: webapprouting.kubernetes.azure.com
        # https://azure.github.io/application-gateway-kubernetes-ingress/annotations/
        annotations:
          appgw.ingress.kubernetes.io/ssl-redirect: 'true'
    
  2. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> immuta/immuta-enterprise --values immuta-values.yaml
    

Additional resources

Refer to the Application Gateway Ingress Controller documentation for further assistance.

Traefik

  1. Edit immuta-values.yaml to include the following Helm values.

    # immuta-values.yaml
    secure:
      ingress:
        hostname: <immuta-fqdn>
        ingressClassName: traefik
        annotations:
          # Listen on ports 80 and 443
          traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
          # Redirect HTTP to HTTPS
          # When referencing middleware you must prefix the name with its namespace
          # <namespace>-<middleware-name>@kubernetescrd
          traefik.ingress.kubernetes.io/router.middlewares: immuta-https-redirectscheme@kubernetescrd
    
  2. Create a file named middleware.yaml with the following content.

    # middleware.yaml
    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
      name: https-redirectscheme
    spec:
      redirectScheme:
        scheme: https
        permanent: true
    
  3. Apply the Middleware CRD.

    kubectl apply -f middleware.yaml
    
  4. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> immuta/immuta-enterprise --values immuta-values.yaml
    

Additional resources

Refer to the Traefik documentation for further assistance.

OpenShift Ingress Operator

  1. Edit immuta-values.yaml to include the following Helm values. Because the Ingress resource will be managed by the OpenShift route you create and not the Immuta Enterprise Helm chart, secure.ingress.enabled is set to false below.

    # immuta-values.yaml
    secure:
      ingress:
        enabled: false
    
  2. Get the service name for Secure.

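    # A selector query returns a list, so the template iterates over .items
    oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ range .items }}{{ .metadata.name }}{{ "\n" }}{{ end }}'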
    
  3. Create a file named route.yaml with the following content. Update all placeholder values with your own values.

    # route.yaml
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: immuta
    spec:
      host: <immuta-fqdn>
      to:
        kind: Service
        name: immuta-secure  # replace with the service name returned in step 2
      port:
        targetPort: http
      tls:
        termination: edge
        insecureEdgeTerminationPolicy: Redirect
    
  4. Apply the Route CRD.

    oc apply -f route.yaml
    
  5. Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> immuta/immuta-enterprise --values immuta-values.yaml
    

Additional resources

Refer to the Red Hat OpenShift documentation for further assistance.
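
Checking the HTTPS redirect settings before an upgrade

The following is an added example, not part of the Immuta chart or its documentation. It checks a parsed values file, for instance the JSON printed by helm get values <release-name> --output json, against the redirect annotations listed in the controller sections above. The names audit_ingress, REQUIRED, GUIDE_KEYS and SAMPLE are hypothetical, and the sample values are constructed.

```python
import json

# Redirect annotations from the controller sections of this guide, keyed by
# ingress class. None means "any non-empty value".
REQUIRED = {
    "nginx": {"nginx.ingress.kubernetes.io/force-ssl-redirect": "true"},
    "gce": {"kubernetes.io/ingress.allow-http": "true",
            "cloud.google.com/frontend-config": None},
    "alb": {"alb.ingress.kubernetes.io/ssl-redirect": "443",
            "alb.ingress.kubernetes.io/listen-ports": None},
    "webapprouting.kubernetes.azure.com": {
        "appgw.ingress.kubernetes.io/ssl-redirect": "true"},
    "traefik": {"traefik.ingress.kubernetes.io/router.entrypoints": None,
                "traefik.ingress.kubernetes.io/router.middlewares": None},
}
GUIDE_KEYS = {"enabled", "hostname", "ingressClassName", "annotations"}


def audit_ingress(values, namespace="immuta"):
    """Return findings for the secure.ingress block of parsed Helm values."""
    ingress = values.get("secure", {}).get("ingress", {})
    if ingress.get("enabled") is False:
        return []  # OpenShift: the Route performs the redirect instead
    findings = [f"key '{k}' is not used in this guide; check its spelling"
                for k in sorted(set(ingress) - GUIDE_KEYS)]
    ann = ingress.get("annotations") or {}
    cls = ingress.get("ingressClassName") or ann.get("kubernetes.io/ingress.class", "")
    cls = "gce" if cls == "gce-internal" else cls
    if cls not in REQUIRED:
        return findings + [f"no redirect rule known for ingress class '{cls}'"]
    for key, want in REQUIRED[cls].items():
        got = str(ann.get(key, ""))
        if not got or (want is not None and got != want):
            findings.append(f"{key} should be {want or 'set'}, found '{got}'")
    if cls == "alb" and ann.get("alb.ingress.kubernetes.io/listen-ports"):
        ports = json.loads(ann["alb.ingress.kubernetes.io/listen-ports"])
        if {"HTTP": 80} not in ports or {"HTTPS": 443} not in ports:
            findings.append("ALB must listen on both HTTP 80 and HTTPS 443")
    ref = ann.get("traefik.ingress.kubernetes.io/router.middlewares", "")
    if cls == "traefik" and ref:
        if not (ref.startswith(namespace + "-") and ref.endswith("@kubernetescrd")):
            findings.append(f"middleware '{ref}' is not <namespace>-<name>@kubernetescrd")
    return findings


# Constructed sample: AKS-style values with a misspelled 'annotation' key.
SAMPLE = {"secure": {"ingress": {
    "hostname": "immuta.example.com",
    "ingressClassName": "webapprouting.kubernetes.azure.com",
    "annotation": {"appgw.ingress.kubernetes.io/ssl-redirect": "true"}}}}
```

An empty list from audit_ingress means every redirect annotation this guide lists for the selected controller is present. The constructed sample yields two findings: the misspelled key, and the redirect annotation that is missing as a result.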