Configure Ingress For DX Deployment
With HAProxy replacing Ambassador in DX deployments, it is easier to use a custom Ingress in front of DX to handle advance requirements to routing, proxying and other similar use cases. This document explains how to leverage external Ingress alongside with HAProxy as the internal reverse proxy and load balancer.
Note
- HCL DX intentionally does not ship any Ingress to reduce DX's deployment footprint in any Kubernetes cluster.
- This document shows an example configuration for some Ingress controllers and briefly describes minimally necessary steps to implement it inside a Kubernetes environment. This configuration is neither a proposal nor does HCL provide official support for it.
- Implementing an Ingress for use with a HCL DX deployment in Kubernetes is an optional effort based on the Kubernetes cluster’s requirements and customer’s discretion.
Ingress Implementation
The following guide is a basic example on implementing a generic Ingress on your Kubernetes cluster for use with HCL DX. The actual implementation might vary depending on the Cluster's setup and configuration.
- In the DX Helm values by default HAProxy
serviceType
is set toloadBalancer
. To use the external Ingress this must be set to the serviceType applicable for the appropriate use case, for this exampleClusterIP
is used, with that HAProxy service will not have any External IP.
networking:
haproxy:
serviceType: ClusterIP
- Install an Ingress controller of your choice, this will serve as the entry point to the cluster. The Ingress controller applies the rules that are set in the Ingress resources. By design the Ingress controller is a cluster-wide resource and can be deployed in any namespace and does not have to be in the same namespace as DX. The controller can be used to route multiple applications in multiple namespaces. NGINX Ingress Controller is used here as an example. To install a NGINX Ingress on your cluster, please issue the following command:
$ helm upgrade --install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace <namespace>
- Check if the Ingress controller pod and service are deployed
$ kubectl get pod -n <namespace>
$ kubectl get service -n <namespace>
-
You can configure the connection between Ingress and HAProxy to use either
http
orhttps
for the internal traffic. For more information, see the topic Configure HAProxy networking. -
Define an Ingress resource that is used to configure the routing rules that point to the existing deployment of HAProxy as the internal service. Configure a host and all of the requests received by the host are handled by
<helm release name>-haproxy
. AsecretName
is passed in thetls
section to allow the Ingress controller to servehttps
traffic. The following configuration maps the root path (/
) to the HAProxy of DX. If there are other applications in the cluster handled by the same Ingress controller, their paths must be specified explicitly. All other requests are then handled by DX.
Example of an Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
spec:
ingressClassName: nginx
tls:
- secretName: dx-tls-cert
rules:
- host: your-kube-deployment.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: <release-name>-haproxy
port:
name: haproxy
Advanced configuration
Important
The configuration in the Ingress Implementation section is the recommended configuration and should be used whenever possible.
Note that you must map in the Ingress any custom application deployed in the WebSphere Application Server or certain configurations. This includes the following:
- Some special functionalities of DX like the Web Application Bridge
- Deployments with the context root changed or removed
- The
friendlyUrlContextRoot
available for Digital Asset Management
If mapping the root path is not possible for a deployment, map the following paths depending on the configuration of DX:
/wps
(or the custom context root set for DX)/dx
/ibm
/hcl
Example of an Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx-ingress
spec:
ingressClassName: nginx
tls:
- secretName: dx-tls-cert
rules:
- host: your-kube-deployment.com
http:
paths:
- path: /wps
pathType: Prefix
backend:
service:
name: <release-name>-haproxy
port:
name: haproxy
- path: /dx
pathType: Prefix
backend:
service:
name: <release-name>-haproxy
port:
name: haproxy
- path: /ibm
pathType: Prefix
backend:
service:
name: <release-name>-haproxy
port:
name: haproxy
- path: /hcl
pathType: Prefix
backend:
service:
name: <release-name>-haproxy
port:
name: haproxy