Bring Your Own Ingress
The Akuity Platform requires several features provided by the Traefik ingress controller, so Traefik is installed and managed as part of the self-hosted platform. For most installations you can run this Ingress alongside your current ingress controller or on its own. Some use cases, however, require you to use your own ingress controller for compliance or other reasons, such as controlling where TLS is terminated. This document describes how to bring your own ingress controller to the Self Hosted Akuity Platform.
This document assumes familiarity with Kubernetes networking and Ingress resources.
Bringing your own ingress
To bring your own ingress controller, you'll need to disable TLS termination in the chart. Doing this will set up the Traefik ingress controller to use an internal ClusterIP address rather than a public LoadBalancer. It also means your ingress controller will need to handle TLS termination for your connections. Once the Helm chart is installed, you need to create several Ingress resources that route to the Traefik Service inside the cluster. This service is found in the traefik-external namespace once the self-hosted platform is installed. There is one fully qualified address and four wildcard addresses that need to be routed to the Traefik ingress controller. The fully qualified address is for the Self Hosted Platform UI. This is also set as part of installing the chart and will likely be something like akuity.mycompany.com.
The wildcard addresses by default will be based off of the top level domain you set above. So, using akuity.mycompany.com as an example, the wildcard addresses will be:
*.cdsvcs.akuity.mycompany.com
*.cd.akuity.mycompany.com
*.kargo.akuity.mycompany.com (if using the Kargo feature)
*.kargosvcs.akuity.mycompany.com (if using the Kargo feature)
If you are using other domain names or subdomains, you will need to adjust the wildcard addresses to match those addresses instead. For example, if you wanted your ArgoCD instances available on the <team_name>.argocd.mycompany.com domain for each team, you would need to set up an ingress that routes *.argocd.mycompany.com to the traefik service in the traefik-external namespace.
What you end up with is something that should look like this:
Example using Nginx Ingress
As there are many ingress controllers and configurations, it is impossible to provide a complete example for all use cases. However, the following example shows how to use the Nginx ingress controller with the Self Hosted Akuity Platform and should be adaptable to your ingress controller of choice. This example uses the same "akuity.mycompany.com" domain as above. It also assumes you have the Nginx ingress controller installed and running with an ingress class name of nginx.
For ease of use, the following example creates the Ingresses in the traefik-external namespace. You can create them in any namespace, but you'll need to configure your ingress controller and/or network policies to allow cross-namespace routing.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-main
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-cdsvcs
  namespace: traefik-external
  annotations:
    # Recommended but not required annotations as the agent tunnel has a long-running connection
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
  ingressClassName: nginx
  rules:
    - host: "*.cdsvcs.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-cd
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "*.cd.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-kargo
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "*.kargo.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: akuity-external-kargosvcs
  namespace: traefik-external
spec:
  ingressClassName: nginx
  rules:
    - host: "*.kargosvcs.akuity.mycompany.com"
      http:
        paths:
          - backend:
              service:
                name: traefik
                port:
                  number: 80
            path: /
            pathType: Prefix
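A quick way to confirm that the Ingress objects you created actually cover the one fully qualified address and the four wildcard addresses described above is to audit the cluster's Ingress list against the required host set. The following script is an added example, not Akuity's own tooling: it reads the JSON shape that `kubectl get ingress -A -o json` produces (an `items` list) and reports required hosts that have no `/` Prefix rule pointing at `traefik:80`, plus hosts whose only rule lives outside the traefik-external namespace (an Ingress backend can only name a Service in its own namespace, so those need the cross-namespace setup mentioned above). The function names (`required_hosts`, `audit_routes`, `audit_sample`) and the inline sample cluster output are this example's own constructions.

```python
"""Audit Ingress objects for the hostnames the self-hosted Akuity Platform needs.

Added example, not Akuity's code. Input is the 'items' list from
`kubectl get ingress -A -o json`; the sample below is constructed inline so the
check runs offline."""

import json

TRAEFIK_NAMESPACE = "traefik-external"
TRAEFIK_SERVICE = "traefik"
TRAEFIK_PORT = 80


def required_hosts(base_domain, kargo=True):
    """Hostnames that must reach Traefik for a platform UI served at base_domain."""
    hosts = {base_domain, f"*.cdsvcs.{base_domain}", f"*.cd.{base_domain}"}
    if kargo:
        hosts |= {f"*.kargo.{base_domain}", f"*.kargosvcs.{base_domain}"}
    return hosts


def traefik_rules(ingress_items):
    """Yield (host, namespace) for every '/' Prefix rule whose backend is traefik:80."""
    for ing in ingress_items:
        if ing.get("kind") != "Ingress":
            continue
        namespace = ing.get("metadata", {}).get("namespace")
        for rule in ing.get("spec", {}).get("rules", []):
            host = rule.get("host")
            if not host:
                continue
            for path in rule.get("http", {}).get("paths", []):
                svc = path.get("backend", {}).get("service", {})
                if (svc.get("name") == TRAEFIK_SERVICE
                        and svc.get("port", {}).get("number") == TRAEFIK_PORT
                        and path.get("path") == "/"
                        and path.get("pathType") == "Prefix"):
                    yield host, namespace


def audit_routes(ingress_items, base_domain, kargo=True):
    """Return (missing, cross_namespace).

    missing: required hosts with no matching rule in traefik-external (sorted).
    cross_namespace: required hosts whose only matching rule is an Ingress in
    another namespace, mapped to that namespace."""
    in_place, elsewhere = set(), {}
    for host, ns in traefik_rules(ingress_items):
        if ns == TRAEFIK_NAMESPACE:
            in_place.add(host)
        else:
            elsewhere[host] = ns
    needed = required_hosts(base_domain, kargo)
    missing = sorted(needed - in_place)
    cross = {h: ns for h, ns in elsewhere.items() if h in needed and h not in in_place}
    return missing, cross


def _ingress(name, namespace, host, port=TRAEFIK_PORT):
    """Build a minimal Ingress object (constructed sample, not taken from a cluster)."""
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"ingressClassName": "nginx", "rules": [{"host": host, "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": TRAEFIK_SERVICE, "port": {"number": port}}}}]}}]},
    }


# Constructed stand-in for `kubectl get ingress -A -o json`: two rules are correct,
# one sits in the wrong namespace, one targets the wrong port, and one is absent.
SAMPLE_KUBECTL_OUTPUT = json.dumps({"kind": "List", "items": [
    _ingress("akuity-external-main", TRAEFIK_NAMESPACE, "akuity.mycompany.com"),
    _ingress("akuity-external-cdsvcs", TRAEFIK_NAMESPACE, "*.cdsvcs.akuity.mycompany.com"),
    _ingress("akuity-external-cd", "team-a", "*.cd.akuity.mycompany.com"),
    _ingress("akuity-external-kargosvcs", TRAEFIK_NAMESPACE,
             "*.kargosvcs.akuity.mycompany.com", port=8080),
]})


def audit_sample():
    """Run the audit over the constructed sample for the akuity.mycompany.com domain."""
    items = json.loads(SAMPLE_KUBECTL_OUTPUT)["items"]
    return audit_routes(items, "akuity.mycompany.com")


if __name__ == "__main__":
    missing, cross = audit_sample()
    for host in missing:
        print(f"MISSING   {host}")
    for host, ns in cross.items():
        print(f"OTHER-NS  {host} (Ingress lives in namespace {ns!r})")
```

Against a real cluster, replace the sample with `json.load(sys.stdin)["items"]` and pipe in `kubectl get ingress -A -o json`. Note that a wildcard host in a Kubernetes Ingress rule matches exactly one DNS label, which is why `*.cd.akuity.mycompany.com` covers `<team>.cd.akuity.mycompany.com` but not deeper names; if you use a different domain layout, pass that base domain (or adjust `required_hosts`) so the audit matches what you actually route.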
Caveats
When you disable TLS termination and bring your own ingress, by default all ArgoCD clusters will be created with the Redis tunneling feature enabled. This is due to the difficulty (and sometimes impossibility) of passing through a TLS connection in a double ingress scenario or with some load balancers that handle TLS termination. In practice, you will not see any difference from a normal Redis connection that routes through your ingress as it will instead route through the tunnel connection established by the Akuity agent.
You can disable redis tunneling on Clusters you create, but be aware that this is not recommended practice and must be self-supported rather than supported by Akuity.