Bring Your Own Ingress

The Akuity Platform requires the use of several features provided by the Traefik ingress controller. As such, it is installed and managed as part of the self-hosted platform. For most installations, you can use this Ingress alongside your current ingress or on its own. However, some use cases require you to use your own ingress controller for compliance or other reasons such as controlling TLS termination. This document describes how bring your own ingress controller to the Self Hosted Akuity Platform.

This document assumes familiarity with Kubernetes networking and Ingress resources.

Bringing your own ingress

To bring your own ingress controller, you'll need to disable TLS termination in the chart. Doing this will setup the Traefik ingress controller to use an internal ClusterIP address rather than a public LoadBalancer. It also means your ingress controller will need to handle TLS termination for your connections. Once the Helm chart is installed, you need to create several Ingress resources that route to the Traefik Service inside the cluster. This service is found in the traefik-external namespace once the self-hosted platform is installed. There is 1 address and 4 wildcard addresses that need to be routed to the Traefik ingress controller. The fully qualified address is for the Self Hosted Platform UI. This is also set as part of installing the chart and will likely be something like akuity.mycompany.com

The wildcard addresses by default will be based off of the top level domain you set above. So, using akuity.mycompany.com as an example, the wildcard addresses will be:

• *.cdsvcs.akuity.mycompany.com
• *.cd.akuity.mycompany.com
• *.kargo.akuity.mycompany.com (if using the Kargo feature)
• *.kargosvcs.akuity.mycompany.com (if using the Kargo feature)

info

If you are using other domain names or subdomains, you will need to adjust the wildcard addresses to match those addresses instead. For example, if you wanted your ArgoCD instances available on the <team_name>.argocd.mycompany.com domain for each team, you would need to setup an ingress that routes *.argocd.mycompany.com to the traefik service in the traefik-external namespace.

What you end up with is something that should look like this:

Example using Nginx Ingress

As there are many ingress controllers and configurations, it is impossible to provide a complete example for all use cases. However, the following example shows how to use the Nginx ingress controller with the Self Hosted Akuity Platform and should be adaptable to your ingress controller of choice. This example uses the same "akuity.mycompany.com" domain as above. It also assumes you have the Nginx ingress controller installed and running with an ingress class name of nginx.

info

For ease of use, the following example creates the Ingresses in the traefik-external namespace. You can create them in any namespace, but you'll need to configure your ingress controller and/or network policies to allow cross-namespace routing

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-main
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-cdsvcs
  namespace: traefik-external
  annotations:
    # Recommended but not required annotations as the agent tunnel has a long-running connection
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
  ingressClassName: nginx
  rules:
    - host: "*.cdsvcs.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-cd
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "*.cd.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-kargo
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "*.kargo.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-kargosvcs
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "*.kargosvcs.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix

Caveats

When you disable TLS termination and bring your own ingress, by default all ArgoCD clusters will be created with the Redis tunneling feature enabled. This is due to the difficulty (and sometimes impossibility) of passing through a TLS connection in a double ingress scenario or with some load balancers that handle TLS termination. In practice, you will not see any difference from a normal Redis connection that routes through your ingress as it will instead route through the tunnel connection established by the Akuity agent.

You can disable redis tunneling on Clusters you create, but be aware that this is not recommended practice and must be self-supported rather than supported by Akuity.